A security vulnerability analysis

Vulnerability analysis

The environment is built with vulhub. The version is

Confluence Server 6.10.2

Widget Connector is a plug-in of Confluence. Compare the plug-ins before and after repair

Left Confluence 6.13.0 right 6.13.3


You can see that the patch adds a filter function here. The content of the function is to traverse sanitizeFields and delete the corresponding fields from paramters. There is only one filter function here_ template, then the patch deletes the in parameters_ template field

Then you should look at the documentation to find the operation using the Widget Connector

[I > all resources acquisition < I]
1. 200 out of print e-books that can't be bought
2. Video materials inside 30G safety factory
3. 100 src documents
4. Common safety interview questions
5. Analysis of classic topics in ctf competition
6. Complete kit
7. Emergency response notes
8. Network Security Learning Route

Capture packets to get post data


If the URL is not empty, enter this renderManager. getEmbeddedHtml(url, parameters)


Here, the will traverse the matching URLs of these widgetrenderers according to the input url, and enter the getEmbeddedHtml method of the corresponding WidgetRenderer when it is matched

As shown here, YouTube renderer matches successfully

Then go to YouTube renderer #getembeddedhtml

The url of youtube is entered because the url in the parameter setting function of youtube renderer_ template controllable

Keep going

loadResource:322, ConfigurableResourceManager (com.atlassian.confluence.util.velocity)
getResource:297, ConfigurableResourceManager (com.atlassian.confluence.util.velocity)
getTemplate:1399, RuntimeInstance (org.apache.velocity.runtime)
getTemplate:422, VelocityEngine (org.apache.velocity.app)
getTemplate:89, VelocityUtils (com.atlassian.confluence.util.velocity)
renderTemplateWithoutSwallowingErrors:75, VelocityUtils (com.atlassian.confluence.util.velocity)
getRenderedTemplateWithoutSwallowingErrors:59, VelocityUtils (com.atlassian.confluence.util.velocity)
getRenderedTemplate:38, VelocityUtils (com.atlassian.confluence.util.velocity)
getRenderedTemplate:29, VelocityUtils (com.atlassian.confluence.util.velocity)
getRenderedTemplate:78, DefaultVelocityRenderService (com.atlassian.confluence.extra.widgetconnector.services)
render:72, DefaultVelocityRenderService (com.atlassian.confluence.extra.widgetconnector.services)

Until ConfigurableResourceManager#loadResource

This will loop here Resource loaders to load resources, respectively

com.atlassian.confluence.setup.velocity.HibernateResourceLoader ORM resource loader

org.apache.velocity.runtime.resource.loader.FileResourceLoader file read

org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader file loading

com. atlassian. confluence. setup. velocity. Dynamic plugin resource loader

So just look at the getResourceStream methods of FileResourceLoader and ClasspathResourceLoader


Here is the filter function

Loop to determine whether it starts with /... /

Therefore, FileResourceLoader#getResourceStream cannot read files across directories, but only files under the installation path

Look at another loader ClasspathResourceLoader#getResourceStream

This time_ Change template to file:///etc/passwd


The first several classloaders cannot be loaded. Finally, you need to call getResourceAsStream of ParallelWebappClassLoader

It will eventually call WebappClassLoaderBase#getResourceAsStream

In line 617, when obtaining the resource, the path will be spliced as / WEB-INF/classes/file:/etc/passwd. If the resource cannot be found, then stream=null, and enter line 625. Here, the findResource of the parent class, that is, URLClassLoader, is called to return a URL resource. Here, file https ftp and other protocols are supported. If the URL resource returned in line 627 is not empty, the content will be obtained

Finally, the data is encapsulated into the Template and returned to the rendering vm Template all the way

Therefore, you can control the content in the vm template to cause template injection


#set ($exp="exp")
#set ($a=$exp.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($command))
#set ($input=$exp.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
#set($sc = $exp.getClass().forName("java.util.Scanner"))
#set($constructor = $sc.getDeclaredConstructor($exp.getClass().forName("java.io.InputStream")))

The ftp protocol is used here, python -m pyftpdlib -p 8888

Impact version

*   version < 6.13.23
*   6.14.0 ≤ version < 7.4.11
*   7.5.0 ≤ version < 7.11.5
*   7.12.0 ≤ version < 7.12.5

Vulnerability analysis

The patch should remove the ognl value of queryString

Because this is ognl expression injection, you can set the breakpoint to


The call stack can be roughly divided into

There is a security check before getValue


In line 32, the expression will be compiled (parsed unicode) and then put into containsUnsafeExpression for inspection

The blacklist is as follows

  1. The first hashset limits static methods, fields, and construction methods
  2. The second and third hashset s restrict the access to classloader s, such as XXX Class or XXX getClass()
  3. The fourth hashset restricts the occurrence of specific variables in the compiled results

You can use reflection to bypass, and then ognl injection. Since you want to escape the single quotation marks of expr, and the direct flyer quotation marks will be encoded by html entities, you can use ognlutil Compile parsing unicode

Keywords: security Cyber Security penetration test Web Security security hole

Added by romeo on Sat, 15 Jan 2022 02:27:52 +0200