參考:
- ActiveMQ漏洞利用方法總結
- https://github.com/vulhub/vulhub/blob/master/activemq/CVE-2015-5254/README.zh-cn.md
- https://github.com/vulhub/vulhub/blob/master/activemq/CVE-2016-3088/README.zh-cn.md
- https://github.com/Xyntax/POC-T/blob/2.0/script/activemq-weakpass.py
- https://github.com/Xyntax/POC-T/blob/2.0/script/activemq-upload.py
- https://github.com/WyAtu/Perun/tree/master/vuln/activemq
下載:
https://archive.apache.org/dist/activemq/5.11.1/apache-activemq-5.11.1-bin.zip
CVE-2015-5254:反序列化
影響版本:
Apache ActiveMQ 5.x before 5.13.0
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
CVE-2015-1830
影響版本:
Apache ActiveMQ 5.x before 5.11.2 for Windows
Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.
CVE-2016-3088
影響版本:
Apache ActiveMQ 5.x before 5.14.0
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
調試:
找到ACTIVEMQ_DEBUG_OPTS
取消註釋。
啓動:
.\activemq.bat start
/admin頁面默認用戶名密碼:admin/admin
不過用不到這個web端口。
看61616端口:
訪問:
http://192.168.85.129:8161/admin/test/systemProperties.jsp
用1.8失敗了,無法編譯。換成1.7,可以訪問。
這個接口無需認證即可訪問。
弱密碼Pocsuite:
文件上傳Pocsuite: