# ConfluentPwn
Confluence pre-auth ONGL injection remote code execution scanner (CVE-2022-26134).

## Usage
The below GIF shows a demo usage of the tool:


Here is the help output of the tool:
$ ./cfscan -h

  |    C O N F L U E N T P W N    |

[+] ConfluentPwn by RedHunt Labs - A Modern Attack Surface (ASM) Management Company
[+] Author: Pinaki Mondal (RHL Research Team)
[+] Continuously Track Your Attack Surface using

  -cmd string
        Command to execute on a vulnerable confluence server. (default "id")
  -file string
        Specify a file containing list of hosts to scan.
  -output string
        Output filepath to write the scan results into. (default "cfpwn-results.csv")
  -regex string
        Regex to match the response header for the command executed.
  -threads int
        Number of threads to use while scanning. (default 20)
  -timeout int
        HTTP timeout in seconds. (default 5)
  -user-agent string
        Custom user-agent string to use. (default "Mozilla/5.0 (ConfluentPwn) Chrome/95.0.4638.69 Safari/537.36")

  ./cfscan -file urls.txt
  ./cfscan -cmd 'nslookup'
  ./cfscan -cmd 'ps' -regex '^\s*PID\s*TTY\s*TIME\s*CMD'

### Specifying targets
Targets can be specified in two ways:
- Specifying URLs directly via command line.
    ./cfscan target1 target2 ...
- Specifying a file containing a list of URLs to scan using the `-file` argument.
    ./cfscan -file targets.txt

### Concurrency, timeouts and user-agents
Maximum number of concurrent targets to be processed can be controlled using the `-threads` argument. The default concurrency value is 20.

HTTP timeout value in seconds can be can be specified using the `-timeout` argument. The default timeout is set to 5 seconds.

Custom user-agent can be specified using the `-user-agent` flag, in-case the user wants to track UA strings in their logs.

### Output
The output generated is written to a CSV file, the destination of which can be specified using the `-output` flag. The default output file generated is `cfscan-results.csv`.

The output contains 4 columns:
- target
- confluence version
- vulnerability status
- command output

### Command Specification & Matching
The command to be run on a vulnerable server can be specified using the `-cmd` argument. A regular expression is specified to match the output of the command -- which can be mentioned using the `-regex` flag.

The default command which is run is the `id`, and the regex used to match the output of the command is `uid=\d+?\(\w+?\)\s*?gid=\d+?\(\w+?\)\s*groups=\d+?\(\w+?\)`.

Using the flags together looks like:
./cfscan -cmd 'id' -regex 'uid=\d+?\(\w+?\)\s*?gid=\d+?\(\w+?\)\s*groups=\d+?\(\w+?\)'
./cfscan -cmd 'ps' -regex '^\s*PID\s*TTY\s*TIME\s*CMD'

### Setting up a Test Environment
If you'd like to test out the tool or the vulnerability in general, then you can refer to this: [](

The installation process is quite simple, the below commands do the job:
$ mkdir confluentpwn && cd confluentpwn && wget
$ docker-compose up -d
The app should now be available at `http://localhost:8090`.

### License & Version
The tool is licensed under the MIT license. See [LICENSE](LICENSE).
Currently the tool is at v0.1.

### Credits
The Research Team at [RedHunt Labs]( would like to thank [vulhub]( for providing the docker test image.

##### **[`To know more about our Attack Surface Management platform, check out NVADR.`](**