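First, leak the installation path
Then PUT a file
MOVE the file. This is not the standard MOVE protocol; it uses the file pseudo-protocol
Finally, getshell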
Here is the key backend code that handles MOVE:

    protected void doMove(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        if (LOG.isDebugEnabled()) {
            LOG.debug("RESTful file access: MOVE request for " + request.getRequestURI());
        }
        // The role check is skipped entirely when writePermissionRole is null.
        if ((this.writePermissionRole != null) && (!request.isUserInRole(this.writePermissionRole)))
        {
            response.sendError(403);
            return;
        }
        File file = locateFile(request);
        // The Destination header is fully controlled by the client.
        String destination = request.getHeader("Destination");
        if (destination == null)
        {
            response.sendError(400, "Destination header not found");
            return;
        }
        try
        {
            // new URL() accepts any scheme, file: included, and getFile() is used
            // as a local path as-is: nothing checks that it stays inside the
            // servlet's own directory.
            URL destinationUrl = new URL(destination);
            IOHelper.copyFile(file, new File(destinationUrl.getFile()));
            IOHelper.deleteFile(file);
        }
        catch (IOException e)
        {
            response.sendError(500);
            return;
        }
        // (the excerpt ends here)
    }
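For contrast with the doMove code above, one way the Destination header could be validated before any copy takes place. This is an added example, not ActiveMQ's code or the project's actual fix; the class name, the "/fileserver/" prefix, the base directory and the sample Destination values are assumptions constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;

public class SafeMoveDestination {
    // Assumption: URL prefix under which the file servlet is mounted.
    static final String PREFIX = "/fileserver/";

    // Map a client-supplied Destination header to a file inside baseDir, or throw.
    static File resolve(File baseDir, String destination) throws IOException {
        URI uri;
        try {
            uri = new URI(destination);
        } catch (URISyntaxException e) {
            throw new IOException("malformed Destination header", e);
        }
        // Only http(s) URLs name a resource on this server; file: and others do not.
        String scheme = uri.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            throw new IOException("unsupported scheme: " + scheme);
        }
        String path = uri.getPath(); // percent-decoded, so %2e%2e becomes ..
        if (path == null || !path.startsWith(PREFIX)) {
            throw new IOException("destination is outside the file servlet");
        }
        // Canonicalize, then require the result to stay below the servlet root.
        Path base = baseDir.getCanonicalFile().toPath();
        Path target = new File(baseDir, path.substring(PREFIX.length())).getCanonicalFile().toPath();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("destination escapes the servlet root");
        }
        return target.toFile();
    }
    public static void main(String[] args) {
        File base = new File(System.getProperty("java.io.tmpdir"), "fileserver-root"); // constructed
        String[] samples = { // constructed Destination values
            "http://broker.example/fileserver/reports/a.txt",
            "file:///opt/example/webapps/admin/a.jsp",
            "http://broker.example/fileserver/%2e%2e/%2e%2e/a.jsp",
        };
        for (String d : samples) {
            try {
                System.out.println("accepted " + d + " -> " + resolve(base, d));
            } catch (IOException e) {
                System.out.println("rejected " + d + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check runs on the canonical path, so both a file: Destination and an http Destination that climbs out with encoded dot segments are refused before IOHelper.copyFile would be reached.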
This bug is worth a lot of money
http://0day.today/exploit/description/25370
Affected versions: Apache ActiveMQ 5.0.0 - 5.13.2
Test environment: apache-activemq-5.8.0, Debian 8 x64