Summary
The @ is there to get past the startsWith check in affected Jira versions: the URL string begins with Jira's own base URL, so the prefix check passes, but when the request is actually sent the HTTP client parses the authority and connects to the host after the @. That is why the exploit works.
The patch parses the URL up front with java.net.URI#getHost and getPort, which return the host and port that follow the @, and refuses the request if that host/port pair is not on the whitelist.
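As an added example (not code from the original post or from Atlassian), the following Python models the two checks side by side: the pre-patch string-prefix test and the post-patch parse-then-compare test. The base URL and allowlist are assumptions taken from the captured request on this page (Host: cqq.com:8091); attacker.example is a hypothetical host used only for illustration. Python's urlsplit(), like java.net.URI, treats everything before the last @ in the authority as userinfo, so it reports the same host the client would actually connect to.

```python
from urllib.parse import urlsplit

# Jira base URL as seen in the captured request on this page (assumed).
BASE_URL = "http://cqq.com:8091"

# Host/port pairs the patched check accepts (assumed allowlist for the example).
ALLOWED = {("cqq.com", 8091)}

DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_target(url):
    """Return the (host, port) an HTTP client would actually connect to.

    urlsplit() drops everything up to the last '@' as userinfo, so for
    'http://cqq.com:8091@attacker.example/x' the host is attacker.example.
    Raises ValueError if the port is not numeric.
    """
    parts = urlsplit(url)
    port = parts.port
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    return parts.hostname, port


def vulnerable_allows(url):
    """Pre-patch check: a plain prefix comparison on the raw URL string."""
    return url.startswith(BASE_URL)


def patched_allows(url):
    """Post-patch check: parse host and port first, then compare to the allowlist.

    Anything that cannot be parsed cleanly is refused rather than guessed at.
    """
    try:
        host, port = effective_target(url)
    except ValueError:
        return False
    if host is None or port is None:
        return False
    return (host, port) in ALLOWED


if __name__ == "__main__":
    # Constructed inputs: a legitimate internal URL and the '@' bypass.
    legit = BASE_URL + "/rest/webResources/1.0/resources"
    bypass = BASE_URL + "@attacker.example/rest/api/2/serverInfo"
    for u in (legit, bypass):
        print(u)
        print("  startsWith check:", vulnerable_allows(u))
        print("  parsed check:    ", patched_allows(u))
        print("  actual target:   ", effective_target(u))
```

The second constructed input passes vulnerable_allows() but resolves to attacker.example on port 80, which is exactly the gap the post describes; patched_allows() rejects it because it compares the parsed host and port, not the string prefix. Whatever parser the check uses, the safe pattern is to hand the same parsed host/port to the outbound client rather than re-parsing the raw string later.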
Miscellaneous
At first I could not find where this endpoint was called from; later I happened to look in Burp and saw that its Referer was:
http://cqq.com:8091/plugins/servlet/gadgets/ifr?container=atlassian&mid=10003&country=US&lang=en&view=default&view-params=%7B%22writable%22%3A%22false%22%7D&st=atlassian%3AFmIezwWusKOMH2odogC%2BuQhewJC%2BygbVLECizFA3LIMzbUGQ0ET%2Flbw41I9mU3S5udNqtNO9O%2Fh3%2BwjbB7Lg5BuvzTBPDPoajat3pqH7GEj3eUxTP6D%2Fv637ASRRtPej3fHZYK3N%2FkYvTyV8oJT1x333hzxPYYrKnNAKDvjtEF%2FZTLXLrjC4Yo2neP0%2Bjwlvkq0Pf2fLpVn9zUUEqTAzA8FBngGEcGL64t0qEoulxRJLDhg%2FFH0g%2Bh03q5BQ3cG9kC108GqCLcNIMg8tIRgkykPCNOWCelLZ5r5B9MQnvtH8L90VpasngQI5FZp%2BKCOAy4JuUg%3D%3D&up_isConfigured=true&up_isReallyConfigured=false&up_title=Your+Company+Jira&up_titleRequired=true&up_numofentries=5&up_refresh=false&up_maxProviderLabelCharacters=50&up_rules=&up_renderingContext=&up_keys=__all_projects__&up_itemKeys=&up_username=&url=http%3A%2F%2Fcqq.com%3A8091%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.streams.streams-jira-plugin%3Aactivitystream-gadget%2Fgadgets%2Factivitystream-gadget.xml&libs=auth-refresh
That is, it is sent right after the /plugins/servlet/gadgets/ifr request.
The full request is:
POST /plugins/servlet/gadgets/makeRequest HTTP/1.1
Host: cqq.com:8091
Content-Length: 2001
Origin: http://cqq.com:8091
X-Atlassian-Token: no-check
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3909.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cqq.com:8091/plugins/servlet/gadgets/ifr?container=atlassian&mid=10003&country=US&lang=en&view=default&view-params=%7B%22writable%22%3A%22false%22%7D&st=atlassian%3AFmIezwWusKOMH2odogC%2BuQhewJC%2BygbVLECizFA3LIMzbUGQ0ET%2Flbw41I9mU3S5udNqtNO9O%2Fh3%2BwjbB7Lg5BuvzTBPDPoajat3pqH7GEj3eUxTP6D%2Fv637ASRRtPej3fHZYK3N%2FkYvTyV8oJT1x333hzxPYYrKnNAKDvjtEF%2FZTLXLrjC4Yo2neP0%2Bjwlvkq0Pf2fLpVn9zUUEqTAzA8FBngGEcGL64t0qEoulxRJLDhg%2FFH0g%2Bh03q5BQ3cG9kC108GqCLcNIMg8tIRgkykPCNOWCelLZ5r5B9MQnvtH8L90VpasngQI5FZp%2BKCOAy4JuUg%3D%3D&up_isConfigured=true&up_isReallyConfigured=false&up_title=Your+Company+Jira&up_titleRequired=true&up_numofentries=5&up_refresh=false&up_maxProviderLabelCharacters=50&up_rules=&up_renderingContext=&up_keys=__all_projects__&up_itemKeys=&up_username=&url=http%3A%2F%2Fcqq.com%3A8091%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.streams.streams-jira-plugin%3Aactivitystream-gadget%2Fgadgets%2Factivitystream-gadget.xml&libs=auth-refresh
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: jenkins-timestamper-offset=-28800000; pgv_pvid=2487547493; ts_uid=9932210140; crowd.token_key=aqwsub3Qcpf0j7PKsoZElQ00; confluence.list.pages.cookie=list-content-tree; confluence.last-web-item-clicked=system.space.tools%2Fcontenttools%2Fspace-templates-2; NX-ANTI-CSRF-TOKEN=be149fbb-ef8f-4f53-99f1-fff763bb9b2d; jira.editor.user.mode=wysiwyg; confluence.browse.space.cookie=space-blogposts; NXSESSIONID=69f4ceb5-09c1-4bdb-a470-087afc85db0f; BITBUCKETSESSIONID=A1FE3DBE0029CEBCB447F8BDE4249D11; JSESSIONID=86203E4AE3050E0C23EC88E96B450D90; atlassian.xsrf.token=B85A-ERZU-GFGH-8E83_2c6fc841af39e2ecefb555837fd12b94d6f5a155_lin
Connection: close
url=http%3A%2F%2Fcqq.com%3A8091%2Frest%2FwebResources%2F1.0%2Fresources&httpMethod=POST&headers=Accept%3Dapplication%252Fjson%252C%2520text%252Fjavascript%252C*%252F*%253Bq%253D0.01%26Content-Type%3Dapplication%252Fx-www-form-urlencoded%26X-Atlassian-Token%3Dno-check&postData=%7B%22r%22%3A%5B%5D%2C%22c%22%3A%5B%22browser-metrics-plugin.contrib%22%5D%2C%22xc%22%3A%5B%22jira.webresources%3Aalmond%22%2C%22jira.webresources%3Aaui-core-amd-shim%22%2C%22jira.webresources%3Ajira-metadata%22%2C%22jira.webresources%3Ajquery-livestamp%22%2C%22com.atlassian.analytics.analytics-client%3Ajs-events%22%2C%22com.atlassian.gadgets.publisher%3Aajs-gadgets%22%2C%22com.atlassian.streams%3AstreamsGadgetResources%22%2C%22com.atlassian.auiplugin%3Aajs-underscorejs%22%2C%22com.atlassian.plugins.browser.metrics.browser-metrics-plugin%3Aapi%22%5D%2C%22xr%22%3A%5B%22jira.webresources%3Aicons%22%2C%22jira.webresources%3Alist-styles%22%2C%22jira.webresources%3Ainline-layer%22%2C%22jira.webresources%3Adropdown%22%2C%22com.atlassian.auiplugin%3Asplit_aui.pattern.lozenge%22%2C%22com.atlassian.auiplugin%3Asplit_aui.splitchunk.vendors--23f50a6f00%22%2C%22com.atlassian.auiplugin%3Asplit_aui.splitchunk.23f50a6f00%22%2C%22com.atlassian.plugins.issue-status-plugin%3Aissue-status-resources%22%2C%22com.atlassian.auiplugin%3Asplit_aui.splitchunk.c45b2e0bc3%22%2C%22jira.webresources%3Afrother-queryable-dropdown-select%22%2C%22jira.webresources%3Afrother-singleselect%22%2C%22jira.webresources%3Afrother-multiselect%22%2C%22jira.webresources%3Afrother-checkbox-multiselect%22%2C%22jira.webresources%3Aselect-pickers%22%2C%22jira.webresources%3Aautocomplete%22%2C%22com.atlassian.jira.gadgets%3Acore-gadget-resources%22%5D%7D&authz=&st=&contentType=JSON&numEntries=3&getSummaries=false&signOwner=true&signViewer=true&gadget=http%3A%2F%2Fcqq.com%3A8091%2Frest%2Fgadgets%2F1.0%2Fg%2Fcom.atlassian.streams.streams-jira-plugin%3Aactivitystream-gadget%2Fgadgets%2Factivitystream-gadget.xml&container=atlassian&bypassSpecCache=
After URL decoding, the body reads:
url=http://cqq.com:8091/rest/webResources/1.0/resources&httpMethod=POST&headers=Accept=application%2Fjson%2C%20text%2Fjavascript%2C*%2F*%3Bq%3D0.01&Content-Type=application%2Fx-www-form-urlencoded&X-Atlassian-Token=no-check&postData={"r":[],"c":["browser-metrics-plugin.contrib"],"xc":["jira.webresources:almond","jira.webresources:aui-core-amd-shim","jira.webresources:jira-metadata","jira.webresources:jquery-livestamp","com.atlassian.analytics.analytics-client:js-events","com.atlassian.gadgets.publisher:ajs-gadgets","com.atlassian.streams:streamsGadgetResources","com.atlassian.auiplugin:ajs-underscorejs","com.atlassian.plugins.browser.metrics.browser-metrics-plugin:api"],"xr":["jira.webresources:icons","jira.webresources:list-styles","jira.webresources:inline-layer","jira.webresources:dropdown","com.atlassian.auiplugin:split_aui.pattern.lozenge","com.atlassian.auiplugin:split_aui.splitchunk.vendors--23f50a6f00","com.atlassian.auiplugin:split_aui.splitchunk.23f50a6f00","com.atlassian.plugins.issue-status-plugin:issue-status-resources","com.atlassian.auiplugin:split_aui.splitchunk.c45b2e0bc3","jira.webresources:frother-queryable-dropdown-select","jira.webresources:frother-singleselect","jira.webresources:frother-multiselect","jira.webresources:frother-checkbox-multiselect","jira.webresources:select-pickers","jira.webresources:autocomplete","com.atlassian.jira.gadgets:core-gadget-resources"]}&authz=&st=&contentType=JSON&numEntries=3&getSummaries=false&signOwner=true&signViewer=true&gadget=http://cqq.com:8091/rest/gadgets/1.0/g/com.atlassian.streams.streams-jira-plugin:activitystream-gadget/gadgets/activitystream-gadget.xml&container=atlassian&bypassSpecCache=
Copyright notice: this is an original article by caiqiiqi, released under the CC 4.0 BY-SA license; reproductions must include a link to the original and this notice.