CVE-2019-8451: Jira SSRF
Summary
The @ is what gets past the startsWith check in affected Jira versions: the check runs against the raw URL string, which does begin with the Jira base URL, but when the request is actually sent the URL parser treats everything between // and @ as userinfo and resolves the host after the @ as the real destination. A url of the form http://<jira-base>@<other-host>/ therefore passes the check yet is delivered to <other-host>, which is why the bypass works.
The patch parses the URL up front with java.net.URI#getHost and getPort, so the host and port that follow the @ are the ones compared against the whitelist; if they do not match, the request is refused.
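As an added illustration (not code from the original post and not Atlassian's patch), the same flaw and fix modelled in Python, with urllib.parse standing in for java.net.URI: a string-prefix check next to a parse-then-allowlist check. The base URL cqq.com:8091 is taken from the captured request; the internal target 10.0.0.1 is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Base URL as seen in the captured request; the allowlist is the single
# (host, port) pair a legitimate makeRequest call should ever reach.
BASE_URL = "http://cqq.com:8091"
ALLOWED = {("cqq.com", 8091)}


def vulnerable_check(url: str) -> bool:
    """Pre-patch style: a plain string prefix test on the raw URL."""
    return url.startswith(BASE_URL)


def effective_target(url: str):
    """Return the (host, port) an HTTP client will actually connect to.

    Userinfo (anything before '@' in the authority) is discarded, exactly as
    a URL-aware client does; malformed authorities yield None.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or parts.hostname is None:
            return None
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.hostname.lower(), port)


def hardened_check(url: str) -> bool:
    """Post-patch style: compare the parsed host and port to the allowlist."""
    target = effective_target(url)
    return target is not None and target in ALLOWED


if __name__ == "__main__":
    # Constructed inputs: a legitimate call, the '@' bypass, and a URL that
    # merely begins with the base URL string.
    for u in (
        "http://cqq.com:8091/rest/webResources/1.0/resources",
        "http://cqq.com:8091@10.0.0.1/",
        "http://cqq.com:8091.evil.example/",
    ):
        print(f"{u}\n  startsWith: {vulnerable_check(u)}"
              f"  parsed target: {effective_target(u)}"
              f"  allowlisted: {hardened_check(u)}")
```

The second input is the shape described above: startsWith accepts it, yet the parsed target is 10.0.0.1 on port 80, so the hardened check rejects it. The third input shows that a prefix test also accepts anything that merely begins with the base URL string, while parsing the authority either rejects it or fails cleanly.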
Misc
At first I couldn't find where this endpoint was being called from; later I happened to look at Burp and saw that its Referer was:
http://cqq.com:8091/plugins/servlet/gadgets/ifr?container=atlassian&mid=10003&country=US&lang=en&view=default&view-params=%7B%22writable%22%3A%22false%22%7D&st=atlassian%3AFmIezwWusKOMH2odogC%2BuQhewJC%2BygbVLECizFA3LIMzbUGQ0ET%2Flbw41I9mU3S5udNqtNO9O%2Fh3%2BwjbB7Lg5BuvzTBPDPoajat3pqH7GEj3eUxTP6D%2Fv637ASRRtPej3fHZYK3N%2FkYvTyV8oJT1x333hzxPYYrKnNAKDvjtEF%2FZTLXLrjC4Yo2neP0%2Bjwlvkq0Pf2fLpVn9zUUEqTAzA8FBngGEcGL64t0qEoulxRJLDhg%2FFH0g%2Bh03q5BQ3cG9kC108GqCLcNIMg8tIRgkykPCNOWCelLZ5r5B9MQnvtH8L90VpasngQI5FZp%2BKCOAy4JuUg%3D%3D&up_isConfigured=true&up_isReallyConfigured=false&up_title=Your+Company+Jira&up_titleRequired=true&up_numofentries=5&up_refresh=false&up_maxProviderLabelCharacters=50&up_rules=&up_renderingContext=&up_keys=__all_projects__&up_itemKeys=&up_username=&url=http%3A%2F%2Fcqq.com%3A8091%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.streams.streams-jira-plugin%3Aactivitystream-gadget%2Fgadgets%2Factivitystream-gadget.xml&libs=auth-refresh
In other words, it is sent right after the /plugins/servlet/gadgets/ifr request.
The full request looks like this:
POST /plugins/servlet/gadgets/makeRequest HTTP/1.1
Host: cqq.com:8091
Content-Length: 2001
Origin: http://cqq.com:8091
X-Atlassian-Token: no-check
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3909.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cqq.com:8091/plugins/servlet/gadgets/ifr?container=atlassian&mid=10003&country=US&lang=en&view=default&view-params=%7B%22writable%22%3A%22false%22%7D&st=atlassian%3AFmIezwWusKOMH2odogC%2BuQhewJC%2BygbVLECizFA3LIMzbUGQ0ET%2Flbw41I9mU3S5udNqtNO9O%2Fh3%2BwjbB7Lg5BuvzTBPDPoajat3pqH7GEj3eUxTP6D%2Fv637ASRRtPej3fHZYK3N%2FkYvTyV8oJT1x333hzxPYYrKnNAKDvjtEF%2FZTLXLrjC4Yo2neP0%2Bjwlvkq0Pf2fLpVn9zUUEqTAzA8FBngGEcGL64t0qEoulxRJLDhg%2FFH0g%2Bh03q5BQ3cG9kC108GqCLcNIMg8tIRgkykPCNOWCelLZ5r5B9MQnvtH8L90VpasngQI5FZp%2BKCOAy4JuUg%3D%3D&up_isConfigured=true&up_isReallyConfigured=false&up_title=Your+Company+Jira&up_titleRequired=true&up_numofentries=5&up_refresh=false&up_maxProviderLabelCharacters=50&up_rules=&up_renderingContext=&up_keys=__all_projects__&up_itemKeys=&up_username=&url=http%3A%2F%2Fcqq.com%3A8091%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.streams.streams-jira-plugin%3Aactivitystream-gadget%2Fgadgets%2Factivitystream-gadget.xml&libs=auth-refresh
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: jenkins-timestamper-offset=-28800000; pgv_pvid=2487547493; ts_uid=9932210140; crowd.token_key=aqwsub3Qcpf0j7PKsoZElQ00; confluence.list.pages.cookie=list-content-tree; confluence.last-web-item-clicked=system.space.tools%2Fcontenttools%2Fspace-templates-2; NX-ANTI-CSRF-TOKEN=be149fbb-ef8f-4f53-99f1-fff763bb9b2d; jira.editor.user.mode=wysiwyg; confluence.browse.space.cookie=space-blogposts; NXSESSIONID=69f4ceb5-09c1-4bdb-a470-087afc85db0f; BITBUCKETSESSIONID=A1FE3DBE0029CEBCB447F8BDE4249D11; JSESSIONID=86203E4AE3050E0C23EC88E96B450D90; atlassian.xsrf.token=B85A-ERZU-GFGH-8E83_2c6fc841af39e2ecefb555837fd12b94d6f5a155_lin
Connection: close

url=http%3A%2F%2Fcqq.com%3A8091%2Frest%2FwebResources%2F1.0%2Fresources&httpMethod=POST&headers=Accept%3Dapplication%252Fjson%252C%2520text%252Fjavascript%252C*%252F*%253Bq%253D0.01%26Content-Type%3Dapplication%252Fx-www-form-urlencoded%26X-Atlassian-Token%3Dno-check&postData=%7B%22r%22%3A%5B%5D%2C%22c%22%3A%5B%22browser-metrics-plugin.contrib%22%5D%2C%22xc%22%3A%5B%22jira.webresources%3Aalmond%22%2C%22jira.webresources%3Aaui-core-amd-shim%22%2C%22jira.webresources%3Ajira-metadata%22%2C%22jira.webresources%3Ajquery-livestamp%22%2C%22com.atlassian.analytics.analytics-client%3Ajs-events%22%2C%22com.atlassian.gadgets.publisher%3Aajs-gadgets%22%2C%22com.atlassian.streams%3AstreamsGadgetResources%22%2C%22com.atlassian.auiplugin%3Aajs-underscorejs%22%2C%22com.atlassian.plugins.browser.metrics.browser-metrics-plugin%3Aapi%22%5D%2C%22xr%22%3A%5B%22jira.webresources%3Aicons%22%2C%22jira.webresources%3Alist-styles%22%2C%22jira.webresources%3Ainline-layer%22%2C%22jira.webresources%3Adropdown%22%2C%22com.atlassian.auiplugin%3Asplit_aui.pattern.lozenge%22%2C%22com.atlassian.auiplugin%3Asplit_aui.splitchunk.vendors--23f50a6f00%22%2C%22com.atlassian.auiplugin%3Asplit_aui.splitchunk.23f50a6f00%22%2C%22com.atlassian.plugins.issue-status-plugin%3Aissue-status-resources%22%2C%22com.atlassian.auiplugin%3Asplit_aui.splitchunk.c45b2e0bc3%22%2C%22jira.webresources%3Afrother-queryable-dropdown-select%22%2C%22jira.webresources%3Afrother-singleselect%22%2C%22jira.webresources%3Afrother-multiselect%22%2C%22jira.webresources%3Afrother-checkbox-multiselect%22%2C%22jira.webresources%3Aselect-pickers%22%2C%22jira.webresources%3Aautocomplete%22%2C%22com.atlassian.jira.gadgets%3Acore-gadget-resources%22%5D%7D&authz=&st=&contentType=JSON&numEntries=3&getSummaries=false&signOwner=true&signViewer=true&gadget=http%3A%2F%2Fcqq.com%3A8091%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.streams.streams-jira-plugin%3Aactivitystream-gadget%2Fgadgets%2Factivitystream-gadget.xml&container=atlassian&bypassSpecCache=
After URL-decoding, the body reads:
url=http://cqq.com:8091/rest/webResources/1.0/resources&httpMethod=POST&headers=Accept=application%2Fjson%2C%20text%2Fjavascript%2C*%2F*%3Bq%3D0.01&Content-Type=application%2Fx-www-form-urlencoded&X-Atlassian-Token=no-check&postData={"r":[],"c":["browser-metrics-plugin.contrib"],"xc":["jira.webresources:almond","jira.webresources:aui-core-amd-shim","jira.webresources:jira-metadata","jira.webresources:jquery-livestamp","com.atlassian.analytics.analytics-client:js-events","com.atlassian.gadgets.publisher:ajs-gadgets","com.atlassian.streams:streamsGadgetResources","com.atlassian.auiplugin:ajs-underscorejs","com.atlassian.plugins.browser.metrics.browser-metrics-plugin:api"],"xr":["jira.webresources:icons","jira.webresources:list-styles","jira.webresources:inline-layer","jira.webresources:dropdown","com.atlassian.auiplugin:split_aui.pattern.lozenge","com.atlassian.auiplugin:split_aui.splitchunk.vendors--23f50a6f00","com.atlassian.auiplugin:split_aui.splitchunk.23f50a6f00","com.atlassian.plugins.issue-status-plugin:issue-status-resources","com.atlassian.auiplugin:split_aui.splitchunk.c45b2e0bc3","jira.webresources:frother-queryable-dropdown-select","jira.webresources:frother-singleselect","jira.webresources:frother-multiselect","jira.webresources:frother-checkbox-multiselect","jira.webresources:select-pickers","jira.webresources:autocomplete","com.atlassian.jira.gadgets:core-gadget-resources"]}&authz=&st=&contentType=JSON&numEntries=3&getSummaries=false&signOwner=true&signViewer=true&gadget=http://cqq.com:8091/rest/gadgets/1.0/g/com.atlassian.streams.streams-jira-plugin:activitystream-gadget/gadgets/activitystream-gadget.xml&container=atlassian&bypassSpecCache=
Fix:
The vulnerability was found on an older Jira version (7.4.1); upgrade to the latest version (8.4.1).