Jira环境搭建及CVE-2021-26086受限文件读取漏洞分析<\/h1>

一、Jira环境搭建指南<\/h2>

1. 安装准备<\/h3>

系统要求<\/strong>：本文基于Mac系统，但步骤适用于多平台<\/li>

软件版本<\/strong>：

MySQL 5.7.31（推荐版本，兼容性好）<\/li>
Jira软件（版本需支持CVE-2021-26086漏洞）<\/li> <\/ul> <\/li> <\/ul>
2. MySQL安装与配置<\/h3>
安装步骤<\/h4>

下载MySQL 5.7.31（避免使用Homebrew安装）<\/li>
首次安装后可能遇到登录问题，需安全模式启动并修改密码：
sudo mysqld_safe --skip-grant-tables <\/span><\/span>mysql -u root <\/span><\/span>UPDATE mysql.user SET authentication_string=<\/span>PASSWORD(<\/span>'newpassword'<\/span>)<\/span> WHERE User=<\/span>'root'<\/span>; <\/span><\/span>FLUSH PRIVILEGES; <\/span><\/span><\/code><\/pre><\/li> <\/ol> 关键配置<\/h4> 创建\/etc\/my.cnf<\/code>文件（Mac默认不生成）：<\/p> [client]<\/span> <\/span><\/span>default-character-set<\/span> =<\/span> utf8mb4<\/span> <\/span><\/span>port<\/span> =<\/span> 3306<\/span> <\/span><\/span>socket<\/span> =<\/span> \/tmp\/mysql.sock<\/span> <\/span><\/span> <\/span><\/span>[mysqld]<\/span> <\/span><\/span>character-set-client-handshake<\/span> =<\/span> FALSE<\/span> <\/span><\/span>character-set-server<\/span> =<\/span> utf8mb4<\/span> <\/span><\/span>collation-server<\/span> =<\/span> utf8mb4_unicode_ci<\/span> <\/span><\/span>default-storage-engine<\/span>=<\/span>INNODB<\/span> <\/span><\/span>character_set_server<\/span>=<\/span>utf8mb4<\/span> <\/span><\/span>innodb_default_row_format<\/span>=<\/span>DYNAMIC<\/span> <\/span><\/span>innodb_large_prefix<\/span>=<\/span>ON<\/span> <\/span><\/span>innodb_file_format<\/span>=<\/span>Barracuda<\/span> <\/span><\/span>innodb_log_file_size<\/span>=<\/span>2G<\/span> <\/span><\/span>skip_ssl<\/span> <\/span><\/span><\/code><\/pre>数据库创建<\/h4> CREATE<\/span> DATABASE<\/span> Jira CHARACTER SET<\/span> utf8mb4 COLLATE<\/span> utf8mb4_bin; <\/span><\/span>ALTER<\/span> DATABASE<\/span> Jira DEFAULT<\/span> CHARACTER SET<\/span> =<\/span> utf8mb4 DEFAULT<\/span> COLLATE<\/span> =<\/span> utf8mb4_bin; <\/span><\/span><\/code><\/pre>验证字符集配置：<\/p> SHOW<\/span> VARIABLES WHERE<\/span> Variable_name LIKE<\/span> 'character\_set\_%'<\/span> OR<\/span> Variable_name LIKE<\/span> 'collation%'<\/span>; <\/span><\/span><\/code><\/pre>3. Jira安装与破解<\/h3> 常见问题解决<\/h4> SSL连接问题<\/strong>：修改dbconfig.xml<\/code>中的连接URL：<\/p> <url><\/span>jdbc:mysql:\/\/address=(protocol=tcp)(host=localhost)(port=3306)\/jira?useUnicode=true&useSSL=false&characterEncoding=UTF8&sessionVariables=default_storage_engine=InnoDB<\/url><\/span> <\/span><\/span><\/code><\/pre><\/li> 许可证问题<\/strong>：使用atlassian-agent工具生成密钥：<\/p> java -jar atlassian-agent.jar -d -m your@email.com -n your_name -p jira -o http:\/\/127.0.0.1:8080 -s BRX3-TPH5-YVOW-XXXX <\/span><\/span><\/code><\/pre><\/li> <\/ol> 二、CVE-2021-26086漏洞分析<\/h2> 1. 漏洞概述<\/h3> 漏洞类型<\/strong>：受限文件读取<\/li> 影响版本<\/strong>：Atlassian Jira特定版本<\/li> CVSS评分<\/strong>：7.5 (High)<\/li> <\/ul> 2. 漏洞复现<\/h3> POC示例<\/h4> \/s\/xx\/_\/;\/WEB-INF\/web.xml \/s\/xx\/_\/;\/WEB-INF\/decorators.xml \/s\/xx\/_\/;\/WEB-INF\/classes\/seraph-config.xml \/s\/xx\/_\/;\/META-INF\/maven\/com.atlassian.jira\/jira-webapp-dist\/pom.properties <\/code><\/pre> 变体POC：<\/p> \/s\/everything\/_\/;anythingulike\/WEB-INF\/web.xml <\/code><\/pre> Burp Suite配置技巧<\/h4> 由于Burp默认不捕获localhost流量，需：<\/p> 修改Jira绑定IP为非localhost地址<\/li> 在Burp中修改目标主机为实际IP<\/li> <\/ol> 3. 漏洞原理深度分析<\/h3> 请求处理流程<\/h4> URL解析阶段<\/strong>：<\/p> org.apache.catalina.core.StandardContextValve#invoke<\/code>处理请求<\/li> 对路径中的;<\/code>进行忽略处理，如\/s\/s3gundo\/_\/;anythingulike\/WEB-INF\/web.xml<\/code>变为\/s\/s3gundo\/_\/\/WEB-INF\/web.xml<\/code><\/li> <\/ul> <\/li> 路径规范化<\/strong>：<\/p> normalize()<\/code>方法处理双斜杠和特殊字符<\/li> 最终路径变为\/WEB-INF\/web.xml<\/code><\/li> <\/ul> <\/li> UrlRewriteFilter处理<\/strong>：<\/p> RuleChain#process<\/code>方法匹配规则<\/li> 关键正则：^\/s\/i)(?!WEB-INF)(?!META-INF).*)<\/code> (?i)<\/code>：不区分大小写<\/li> (?<\/code>：否定前瞻，确保后面不跟WEB-INF或META-INF<\/li> <\/ul> <\/li> <\/ul> <\/li> 请求转发<\/strong>：<\/p> 绕过StandardContextValve<\/code>直接转发到DefaultServlet<\/li> 允许访问受保护目录下的资源<\/li> <\/ul> <\/li> <\/ol> 关键代码分析<\/h4> \/\/ 路径规范化逻辑 <\/span><\/span><\/span><\/span>public<\/span> static<\/span> String normalize<\/span>(<\/span>String path,<\/span> boolean<\/span> replaceBackSlash)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>path ==<\/span> null<\/span>)<\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> String normalized =<\/span> path;<\/span> <\/span><\/span> if<\/span> (<\/span>replaceBackSlash &&<\/span> path.<\/span>indexOf<\/span>(<\/span>92<\/span>)<\/span> >=<\/span> 0<\/span>)<\/span> {<\/span> <\/span><\/span> normalized =<\/span> path.<\/span>replace<\/span>(<\/span>'\\'<\/span>,<\/span> '\/'<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... 其他处理逻辑 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>绕过限制机制<\/h4> 通过;<\/code>字符分割URL，使前半部分匹配规则，后半部分作为实际访问路径<\/li> 请求转发机制绕过常规的访问控制检查<\/li> <\/ul> 4. 漏洞利用限制<\/h3> 只能读取Web应用目录下的文件（WEB-INF和META-INF）<\/li> 无法跨目录读取系统其他文件<\/li> 受normalize()<\/code>函数限制，无法使用..\/<\/code>进行目录遍历<\/li> <\/ul> 5. 官方修复方案<\/h3> 修改了路径检查的正则表达式：<\/p> Pattern PATHS_DENIED =<\/span> Pattern.<\/span>compile<\/span>(<\/span>"[^a-zA-Z0-9]((?i)(WEB-INF)|(META-INF))[^a-zA-Z0-9]"<\/span>)<\/span> <\/span><\/span><\/code><\/pre>规则：如果WEB-INF或META-INF前后有特殊字符，则拒绝访问<\/p> 三、渗透测试技巧<\/h2> WAF绕过<\/strong>：<\/p> 在;\/<\/code>中间填充随机字符串可绕过某些WAF规则<\/li> 示例：\/s\/xx\/_\/;xyz123\/WEB-INF\/web.xml<\/code><\/li> <\/ul> <\/li> 敏感文件枚举<\/strong>：<\/p> WEB-INF\/web.xml - 核心配置文件<\/li> WEB-INF\/decorators.xml - 页面装饰配置<\/li> WEB-INF\/classes\/seraph-config.xml - 安全配置<\/li> META-INF\/maven\/*\/pom.xml - 包含版本信息<\/li> <\/ul> <\/li> 漏洞挖掘思路<\/strong>：<\/p> 关注所有URL重写和请求转发逻辑<\/li> 特别注意分号(;<\/code>)在URL中的处理方式<\/li> 检查规范化函数是否可能被绕过<\/li> <\/ul> <\/li> <\/ol> 四、防御建议<\/h2> 及时更新<\/strong>：应用官方安全补丁<\/li> 输入验证<\/strong>：严格过滤URL中的特殊字符<\/li> 实现多层路径检查机制<\/li> <\/ul> <\/li> 权限控制<\/strong>：限制DefaultServlet的访问范围<\/li> 对WEB-INF和META-INF目录设置额外保护<\/li> <\/ul> <\/li> 安全编码<\/strong>：避免直接使用用户输入构造文件路径<\/li> 对请求转发目标进行严格校验<\/li> <\/ul> <\/li> <\/ol> 五、总结<\/h2> CVE-2021-26086漏洞展示了Web应用中路径处理逻辑的重要性。通过精心构造的URL，攻击者可以绕过多层安全控制直接访问受保护资源。该漏洞的利用依赖于：<\/p> 分号在URL中的特殊处理方式<\/li> URL重写规则的不完善<\/li> 请求转发机制的安全缺陷<\/li> 路径规范化函数的局限性<\/li> <\/ol> 对于安全研究人员，此案例强调了：<\/p> 深入理解Web容器处理流程的重要性<\/li> 正则表达式在安全控制中的关键作用<\/li> 多层防御机制的必要性<\/li> <\/ul>