first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/activemq/CVE-2015-5254/1.png
+++ b/activemq/CVE-2015-5254/1.png
--- a/activemq/CVE-2015-5254/2.png
+++ b/activemq/CVE-2015-5254/2.png
--- a/activemq/CVE-2015-5254/3.png
+++ b/activemq/CVE-2015-5254/3.png
--- a/activemq/CVE-2015-5254/4.png
+++ b/activemq/CVE-2015-5254/4.png
--- a/activemq/CVE-2015-5254/README.md
+++ b/activemq/CVE-2015-5254/README.md
@@ -0,0 +1,61 @@
+# ActiveMQ Deserialization Vulnerability (CVE-2015-5254)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache ActiveMQ is an open source messaging middleware developed by the American Pachitea (Apache) Software Foundation that supports Java messaging services, clustering, Spring framework, and more.
+
+Apache ActiveMQ version 5.x before the 5.13.0 security vulnerability, the vulnerability caused by the program does not limit the classes that can be serialized in the proxy. Remote attacker can make a special serialized Java Message Service (JMS) ObjectMessage objects exploit this vulnerability to execute arbitrary code.
+
+Reference Links:
+
+- https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
+
+## Vulnerability environment
+
+Start the vulnerable environment:
+
+```
+docker compose up -d
+```
+
+After running the environment, it will establish two ports on port 61616 and 8161. Port 61616 is the working port, and messages are delivered on this port. Port 8161 is the webpage management page port. Access `http://your-ip:8161`, You can see the network management page, but this vulnerability does not require a network theoretically.
+
+## Exploit
+
+The exploit process is as follows:
+
+1. Generate serialized payload (u can using ysoserial)
+2. send payload to port 61616
+3. Access the web management page and read the serialization messages, then u can trigger vulnerability.
+
+To exploit this environment we will use [jmet](https://github.com/matthiaskaiser/jmet) (Java Message Exploitation Tool). First download the jar file of jmet, and create folder called **external** in the same directory (otherwise it may occur the error that the folder does not exist).
+
+the jmet is to use ysoserial to generate Payload and send it (the jar comes with ysoserial, we don't no need to download it again), so we need to choose one that can be used in ysoserial as the gadget, such as ROME.
+
+Execute:
+
+```
+java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME your-ip 61616
+```
+
+![](1.png)
+
+At this point, a queue named event will be added to the target ActiveMQ.
+
+You can visit `http://your-ip:8161/admin/browse.jsp?JMSDestination=Event` to see all messages in this queue.
+
+(**login / password:** admin/admin):
+
+![](2.png)
+
+Click this message to trigger the command execute, this time into the container `docker compose exec activemq bash`,
+
+we can see /tmp/success has been successfully created, indicating exploit successful:
+
+![](3.png)
+
+Replace the command with a reverse shell statement and reuse it:
+
+![](4.png)
+
+It's worth noting that accessing messages through the web administration page and triggering the vulnerability requires administrator privileges. In the absence of password, we can induce administrator visit our link to trigger, or disguised as legitimate messages from other services need to wait for client access when triggered.
--- a/activemq/CVE-2015-5254/README.zh-cn.md
+++ b/activemq/CVE-2015-5254/README.zh-cn.md
@@ -0,0 +1,53 @@
+# ActiveMQ 反序列化漏洞（CVE-2015-5254）
+
+Apache ActiveMQ是美国阿帕奇（Apache）软件基金会所研发的一套开源的消息中间件，它支持Java消息服务、集群、Spring Framework等。
+
+Apache ActiveMQ 5.13.0之前5.x版本中存在安全漏洞，该漏洞源于程序没有限制可在代理中序列化的类。远程攻击者可借助特制的序列化的Java Message Service(JMS)ObjectMessage对象利用该漏洞执行任意代码。
+
+参考链接：
+
+- https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
+
+## 漏洞环境
+
+运行漏洞环境：
+
+```
+docker compose up -d
+```
+
+环境运行后，将监听61616和8161两个端口。其中61616是工作端口，消息在这个端口进行传递；8161是Web管理页面端口。访问`http://your-ip:8161`即可看到web管理页面，不过这个漏洞理论上是不需要web的。
+
+## 漏洞复现
+
+漏洞利用过程如下：
+
+1. 构造（可以使用ysoserial）可执行命令的序列化对象
+2. 作为一个消息，发送给目标61616端口
+3. 访问web管理页面，读取消息，触发漏洞
+
+使用[jmet](https://github.com/matthiaskaiser/jmet)进行漏洞利用。首先下载jmet的jar文件，并在同目录下创建一个external文件夹（否则可能会爆文件夹不存在的错误）。
+
+jmet原理是使用ysoserial生成Payload并发送（其jar内自带ysoserial，无需再自己下载），所以我们需要在ysoserial是gadget中选择一个可以使用的，比如ROME。
+
+执行：
+
+```
+java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME your-ip 61616
+```
+
+![](1.png)
+
+此时会给目标ActiveMQ添加一个名为event的队列，我们可以通过`http://your-ip:8161/admin/browse.jsp?JMSDestination=event`看到这个队列中所有消息：
+
+![](2.png)
+
+点击查看这条消息即可触发命令执行，此时进入容器`docker compose exec activemq bash`，可见/tmp/success已成功创建，说明漏洞利用成功：
+
+![](3.png)
+
+将命令替换成弹shell语句再利用：
+
+![](4.png)
+
+值得注意的是，通过web管理页面访问消息并触发漏洞这个过程需要管理员权限。在没有密码的情况下，我们可以诱导管理员访问我们的链接以触发，或者伪装成其他合法服务需要的消息，等待客户端访问的时候触发。
--- a/activemq/CVE-2015-5254/docker-compose.yml
+++ b/activemq/CVE-2015-5254/docker-compose.yml
@@ -0,0 +1,7 @@
+version: '2'
+services:
+ activemq:
+   image: vulhub/activemq:5.11.1
+   ports:
+    - "61616:61616"
+    - "8161:8161"