I did not analyze this one much:
https://mp.weixin.qq.com/s/puRrvfqWFVKvQ0hOoVs8lQ
I wrote a PoC:
https://github.com/shadowsock5/Poc/tree/master/Confluence
You need to modify: the URL, username, password, and your own space name.
Then switch the payload; just change the number.
In the end Confluence added a filter function that checks whether the file path in the user's payload, after the path traversal is resolved, is a subdirectory of /WEB-INF/packages. I do not know how to bypass that here.
import java.io.File;
import java.io.IOException;

public class Main {
    // Returns true only if `child` resolves to a path strictly below `dir`.
    // Both paths are canonicalized first (".." segments and symlinks resolved),
    // then the parent chain of the child is walked up to the filesystem root.
    public static boolean isChildOf(File dir, File child) {
        try {
            File dirCanonical = dir.getCanonicalFile();
            File targetCanonical = child.getCanonicalFile();
            System.out.println(targetCanonical); // show where the traversal actually lands
            for (File parent = targetCanonical.getParentFile(); parent != null; parent = parent.getParentFile()) {
                if (dirCanonical.equals(parent)) {
                    return true;
                }
            }
        } catch (IOException e) {
            System.out.println(e);
        }
        return false;
    }

    public static void main(String[] args) {
        File a_dir = new File("/WEB-INF/packages");
        File a_child = new File("/WEB-INF/packages/../../../../../../web.xml");
        System.out.println(isChildOf(a_dir, a_child)); // prints false: the path escapes the directory
    }
}
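As an added example (not Confluence's code and not part of the original post), the same containment rule written with java.nio.file, run over a few constructed sample paths. It is a purely lexical check (normalize, then component-wise startsWith), so unlike getCanonicalFile above it does not resolve symlinks; the class name, method name and sample paths are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public class ContainmentCheckDemo {
    // Lexical containment check: collapse "." and ".." segments, then require that
    // the candidate starts with the base directory. The base itself is rejected,
    // matching the parent-walk semantics of the check shown above.
    static boolean isStrictlyInside(Path base, Path candidate) {
        Path b = base.toAbsolutePath().normalize();
        Path c = candidate.toAbsolutePath().normalize();
        // Path.startsWith compares whole path components, so a sibling directory
        // sharing a string prefix (e.g. "packages-x") is not treated as inside.
        return !c.equals(b) && c.startsWith(b);
    }

    public static void main(String[] args) {
        Path base = Paths.get("/WEB-INF/packages");
        // Constructed sample inputs for illustration (not payloads from the PoC).
        List<String> samples = List.of(
            "/WEB-INF/packages/foo.txt",                   // inside                 -> true
            "/WEB-INF/packages/../packages/bar.xml",       // leaves and comes back  -> true
            "/WEB-INF/packages/../../../../../../web.xml", // escapes the directory  -> false
            "/WEB-INF/packages",                           // the directory itself   -> false
            "/WEB-INF/packages-x/foo.txt"                  // sibling, same prefix   -> false
        );
        for (String s : samples) {
            System.out.printf("%-48s -> %s%n", s, isStrictlyInside(base, Paths.get(s)));
        }
    }
}
```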
Also, I have not yet traced the later code that restricts the path reached by the traversal.
The severity is somewhat disputed; in short, the actual impact depends on the specific situation. The most sensitive files would be LDAP or Crowd credentials (crowd.properties, atlassian-user.xml); if neither is present, the vulnerability cannot be immediately exploited by an attacker.
To determine the impact of this vulnerability, please check your /confluence/WEB-INF directory and its subdirectories (especially /classes/) for any files that contain LDAP or Crowd credentials (crowd.properties, atlassian-user.xml), or files that contain any other sensitive data that an administrator may have put in this directory. If nothing is found, this vulnerability is not immediately exploitable.