让ActiveMQ 攻击具有权威性.pdf

1、Make ActiveMQ Attack Authoritative Speaker:yemoliAbout Me Reseacher CyberUtopian Focus On Web Security Static Analylize Pentest Blog:yml-sec.top Github:yemoliActiveMQ is a popular open-source message broker software that implements the Java Message Service(JMS)API for asynchronous communication betw

2、een applications.It supports multiple communication protocols,including OpenWire,Stomp,AMQP,and MQTTCVE-2023-46604ActiveMQ versions 5.18.2 and earlier have a deserialization vulnerability during communication using the OpenWire protocol.Attackers can execute code by controlling the serialization cla

3、ss type in the OpenWire protocol,causing arbitrary classes to be instantiatedorg.apache.activemq.openwire.OpenWireFormat#doUnmarshalThe utilization strategy in public and official announcements is to use ClassPathXmlApplicationContext in Spring to load remote XML and execution commands前置条件及限制目标需要出网如

4、果不出网需要落地xml通过xml来做后序利用操作有很多限制How to make it more powerful?Find a new gadget寻找单参数且参数类型为String的public修饰符修饰的构造方法IniEnvironment新建shiro ini配置对象加载传入的配置项内容初始化配置initcreateObjectsWhat do we have?目前为止我们可控Shiro 配置文件的完整内容，同时进行配置文件的初始化About configurationhttps:/shiro.apache.org/configuration.htmlHow to exploit it?How to exploit it?mons.dbcp2.BasicDataSourceHow to exploit it?BcelClassLoaderHow to exploit it in a higher version of JDK?mand.ActiveMQObjectMessageHow to exploit it in a higher version of JDK?How to exploit it in a higher version of JDK?Gadget