Atlassian Confluence Server and Data Center OGNL Injection RCE
CVE-2022-26134 is a critical unauthenticated remote code execution vulnerability in Atlassian Confluence Server and Confluence Data Center caused by an Object-Graph Navigation Language (OGNL) injection flaw. Atlassian lists the affected versions as Confluence Server/Data Center from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1. Atlassian's advisory also states that every version after 1.3.0 is affected; the gap between 7.4.17 and 7.13.0 in that list corresponds to out-of-support branches (7.5 to 7.12) that never received a fix and should be treated as vulnerable. Public technical analysis traces the flaw to attacker-controlled URI/namespace content that is evaluated through Confluence's WebWork/XWork OGNL processing path, including TextParseUtil.translateVariables and OgnlValueStack.findValue, so that an OGNL expression placed in the request path is evaluated server-side. Exploitation requires no authentication and is triggered by a single crafted HTTP request to a reachable Confluence instance.
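As an added example that is not part of the original page or of any Atlassian tooling, the following Python implements the version triage implied by the ranges above. It pulls the version string from the footer-build-information element that Confluence's login page exposes (several of the exploits listed further down fingerprint the same element) and compares it against the fixed releases. Treating the 7.5 to 7.12 gap as affected follows Atlassian's "all versions after 1.3.0" statement rather than a literal reading of the listed ranges. The sample HTML is constructed, and the function names are this example's own.

```python
import re

# Fixed release per affected branch, from Atlassian's CVE-2022-26134 advisory.
# A version in one of these branches is affected when it is older than the fix.
FIXED = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
FIRST_AFFECTED = (1, 3, 0)
FIRST_UNAFFECTED_BRANCH = (7, 19)   # 7.19.0 shipped after the fixed releases

# Confluence's login page renders the running version in this footer element
# (single or double quotes around the id, depending on the template).
FOOTER_RE = re.compile(
    r"""id=["']footer-build-information["'][^>]*>\s*([\d.]+)""", re.IGNORECASE)

# Constructed login-page fragment for the example; not captured from a live host.
SAMPLE_LOGIN_HTML = """<div id="footer"><ul id="poweredby"><li class="noprint">
Powered by <a href="https://www.atlassian.com/software/confluence">Atlassian Confluence</a>
<span id='footer-build-information'>7.13.6</span></li></ul></div>"""


def parse_version(text):
    """Turn '7.13.6' (or '7.13.6-lts') into a (major, minor, patch) tuple."""
    nums = re.findall(r"\d+", text)
    if len(nums) < 2:
        raise ValueError("not a Confluence version: %r" % text)
    parts = [int(n) for n in nums[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version):
    """True when the version falls inside the affected ranges for CVE-2022-26134."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Branches without a fixed release (7.5 .. 7.12 and everything older than 7.4)
    # are affected per Atlassian's "all versions after 1.3.0" statement;
    # 7.19 and later were released after the fixes and are not affected.
    return branch < FIRST_UNAFFECTED_BRANCH


def extract_version(login_html):
    """Return the version string from a /login.action page body, or None."""
    m = FOOTER_RE.search(login_html)
    return m.group(1) if m else None


def triage(login_html):
    """(version, vulnerable) for an inventory scan; (None, None) if no footer found."""
    version = extract_version(login_html)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    print(triage(SAMPLE_LOGIN_HTML))   # ('7.13.6', True)
```

Feed `triage` the body of `GET /login.action` from each instance in your inventory; a `None` version means the footer was not present (a reverse proxy or a customised template), not that the host is safe, so fall back to the version recorded in your asset system for those hosts.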
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
27 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (5 hidden).
This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. 
Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.
Repository contains a single operational Python exploit script for Atlassian Confluence OGNL injection RCE (CVE-2022-26134), plus a README and requirements.txt.

Structure and purpose:
- README.md: describes the vulnerability, credits inspiration, and shows usage examples for command execution, file read, and reverse shell.
- cve-2022-26134.py: main exploit. Builds OGNL payloads that call ServletActionContext.getResponse().setHeader(...) and use javax.script.ScriptEngineManager with the Nashorn engine to execute either a ProcessBuilder (bash -c ...) or a Java file read plus socket exfiltration.
- requirements.txt: requests, beautifulsoup4.

Key capabilities:
- Unauthenticated network RCE via HTTP GET, with the OGNL expression embedded as a URL path segment (urljoin(base_url, quote(payload)) + '/').
- Command execution mode (-c/--command): base64-encodes the command, decodes it on the target, and executes it via the chosen shell (default bash). Output is sent back to the attacker over a TCP connection to LHOST:LPORT, or printed locally if the script opens its own listener.
- File read mode (-f/--readfile): reads an arbitrary target file using java.nio.file APIs and sends the contents to the attacker via java.net.Socket.
- Reverse shell mode (-r/--revshell): uses bash /dev/tcp redirection to connect back and attach sh.
- Preliminary vulnerability check (on by default): requests /login.action, verifies the page contains "atlassian", parses the #footer-build-information version string, and checks it against the known vulnerable version ranges.

Operational details:
- If LPORT is omitted or 0 in command or file-read mode, the script binds a local TCP listener on LHOST with an ephemeral port, triggers the exploit, then accepts a single inbound connection and prints the received data.
- For reverse shell mode, LPORT defaults to 4444.
- Accepts a Metasploit-style interface name for LHOST (e.g., tun0), resolving local interface IPs via ioctl(SIOCGIFCONF).
This repository contains a Go-based exploit for CVE-2022-26134, a critical unauthenticated OGNL injection vulnerability in Atlassian Confluence Server/Data Center. The exploit automates the process of gaining remote code execution by:
1. Detecting the attacker's IP address and prompting for the target's IP and port.
2. Generating a bash reverse shell payload (shell.sh) that connects back to the attacker's machine on TCP port 4444.
3. Starting a local HTTP server on port 8000 to serve the payload and a TCP listener on port 4444 to receive the reverse shell.
4. Sending three crafted OGNL injection payloads to the target Confluence server:
   - the first downloads the shell script from the attacker's HTTP server to /tmp/s.sh on the target;
   - the second marks the script executable;
   - the third executes it, causing the target to connect back to the attacker's listener.
The exploit is interactive, requiring the user to input the target's IP and port, and is operational with a working reverse shell payload. The README provides detailed usage instructions, supported versions, and technical details. The code is self-contained in a single Go file, with supporting documentation and license files.
This repository is a Go-based exploit framework for CVE-2022-26134, a critical unauthenticated OGNL injection vulnerability in Atlassian Confluence Server/Data Center. The repository contains three files: a LICENSE, a detailed README.md, and the main exploit code in main.go. The exploit automates the attack chain: it generates a bash reverse shell payload (shell.sh), serves it via an HTTP server on port 8000, and launches a TCP listener on port 4444 to catch the reverse shell. The attacker is prompted for their own IP, the target's IP, and the target's port. The exploit then sends three OGNL injection payloads to the target: one to download the shell script, one to make it executable, and one to execute it, resulting in a reverse shell connection back to the attacker. The exploit is operational and provides a working reverse shell if the target is vulnerable. The code is cleanly structured, with clear separation of payload generation, HTTP serving, listener setup, and payload delivery. The README provides comprehensive usage instructions, technical details, and a list of vulnerable Confluence versions.
This repository provides two full-featured Python exploits (exploit.py and exploit26134_pro.py) for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Atlassian Confluence Server. Both scripts exploit an OGNL injection flaw to execute arbitrary system commands on the target server. The main capabilities include:
- arbitrary command execution via OGNL injection;
- an interactive pseudo-shell for ongoing command execution;
- reverse shell establishment (bash, python, mkfifo methods), with auto-detection of open outbound ports;
- file upload to the target using base64 encoding;
- log cleaning to remove evidence of exploitation;
- output logging to a local file (exploit_log.txt).
The 'exploit26134_pro.py' script adds advanced features such as batch exploitation of multiple targets, stealth mode (using the X-Forwarded-For header and POST requests), proxy support, JSON output, and optional base64 encoding of payloads to bypass WAFs. It also includes a version check mode to identify Confluence versions without exploitation. Both scripts require only the target URL and do not require authentication. The attack vector is network-based, targeting the HTTP(S) interface of Confluence. The scripts interact with endpoints such as '/login.action' for version checking and inject payloads directly into the URL path. File system paths such as '/opt/atlassian/confluence/logs/*' and '/tmp/encoded.b64' are used for log cleaning and file upload, respectively. Overall, this repository provides operational-level, ready-to-use exploits for CVE-2022-26134, suitable for both single-target and mass exploitation scenarios.
This repository contains a Python exploit for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Atlassian Confluence Server and Data Center (versions up to and including 7.18.0; 7.18.1 is a fixed release). The main exploit script, 'CVE-2022-26134.py', allows an attacker to execute arbitrary system commands on a vulnerable Confluence instance by sending a specially crafted OGNL injection payload via a GET request. The script first checks the target's version by accessing the '/login.action' endpoint, then delivers the payload and retrieves the command output from the 'X-Cmd-Response' HTTP header if the exploit is successful. The repository includes a README with usage instructions and references, a requirements.txt for dependencies, and a .gitignore. The exploit is operational and does not require authentication, making it highly dangerous if used against exposed and unpatched Confluence servers.
This repository contains a single Python exploit script ('through_the_wire.py') targeting Atlassian Confluence Server/Data Center OGNL injection vulnerability CVE-2022-26134. The exploit allows an attacker to either obtain a reverse shell or exfiltrate arbitrary files from a vulnerable Confluence instance by sending a specially crafted OGNL payload via a URL. The script is command-line driven, requiring the attacker to specify the target host, port, protocol, and desired action (reverse shell or file read). The exploit is designed for Linux targets and was tested on Confluence 7.13.6 LTS and 7.18.0. The README provides detailed usage instructions and example outputs. No detection or scanning functionality is present; the script is a direct exploit. The only code file is 'through_the_wire.py', and the rest of the repository consists of documentation and license files.
This repository contains a Python proof-of-concept exploit for CVE-2022-26134, an OGNL injection vulnerability in Atlassian Confluence that allows unauthenticated remote code execution. The repository consists of two files: a README.md with usage instructions and a single exploit script (exploit.py). The exploit.py script takes a target Confluence URL as an argument, checks the version by accessing the /login.action endpoint, and prompts the user to confirm if the version is vulnerable. If confirmed, it enters a loop where the user can input arbitrary system commands, which are executed on the target server via a crafted OGNL injection in the URL path. The output of the command is returned in a custom HTTP header (X-Qualys-Response) and displayed to the user. The exploit targets multiple vulnerable Confluence versions and requires only network access to the web interface. The code is operational and provides interactive command execution, making it a practical tool for exploitation and post-exploitation activities.
This repository contains a Python proof-of-concept exploit for CVE-2022-26134, an unauthenticated remote code execution vulnerability in Atlassian Confluence Server and Data Center (versions through 7.18.0, excluding the fixed releases). The main exploit script, 'cve-2022-26134.py', allows the user to specify a target Confluence server (or a file containing a list of targets) and an optional command to execute (default is 'whoami'). The script first checks the target's version by accessing the '/login.action' endpoint, then attempts to exploit the OGNL injection vulnerability by sending a specially crafted payload in the URL. If successful, the output of the executed command is returned in the 'X-Cmd-Response' HTTP header. The repository includes a README with usage instructions, a requirements.txt for dependencies, and standard project files. No hardcoded IPs or domains are present; the script is designed to be used against user-supplied targets. The exploit is a functional POC and does not include advanced features such as payload customization or post-exploitation modules.
This repository contains a Python exploit script (CVE-2022-26134.py) targeting the critical unauthenticated remote code execution vulnerability (CVE-2022-26134) in Atlassian Confluence Server and Data Center. The exploit works by sending a specially crafted OGNL injection payload in the URL path, which is interpreted by the vulnerable Confluence instance, allowing arbitrary system command execution as the server user. The script first attempts to determine the Confluence version by scraping the login page, then delivers the payload and retrieves the command output from a custom HTTP header. The repository includes a README with usage instructions, a requirements.txt for dependencies (bs4, requests, urllib3), and standard project files. The exploit is operational, allowing attackers to execute arbitrary commands remotely without authentication, provided the target is vulnerable and accessible over the network.
This repository is an exploit for Atlassian Confluence CVE-2022-26134, a critical unauthenticated remote code execution vulnerability. The exploit is implemented in Java and consists of several files:
- `src/main/Main.java`: the main exploit logic. It takes a target URL, a password, and a key as arguments and crafts a malicious OGNL payload that is sent to the target Confluence server, exploiting the vulnerability to execute arbitrary code.
- `src/main/1.js`: a JavaScript payload used to dynamically load a Java class (the memory shell) into the target's JVM via OGNL injection.
- `src/main/MemShell.java`: the memory-resident webshell that is injected into the target. It is compatible with the Godzilla webshell client and allows persistent remote code execution, protected by the supplied password and key.
- `src/main/MiTM.java`: a helper class that disables SSL certificate validation so the exploit works against HTTPS targets with self-signed or invalid certificates.
- `README.md`: usage instructions and example commands, including a sample target URL and how to connect to the injected webshell using Godzilla.
The exploit's main capability is to inject a Godzilla-compatible memory webshell into a vulnerable Confluence server, granting the attacker persistent and stealthy remote access. The exploit is operational and provides a working payload, but is not part of a larger exploitation framework. The attack vector is network-based, targeting HTTP(S) endpoints. The repository is well-structured, with clear separation between the exploit logic, payload, and helper utilities.
This repository provides an operational exploit for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Atlassian Confluence Server and Data Center. The main exploit script, 'confluence-exploit.py', is a Python 3 tool that takes a target Confluence base URL and provides an interactive shell-like prompt to execute arbitrary system commands on the vulnerable server. The exploit works by injecting a crafted OGNL payload into the URL path, which is processed by the vulnerable Confluence instance, resulting in command execution. The output of the command is returned in a custom HTTP header ('X-Cmd-Response'). The repository also includes 'start_confluence.sh', a Bash script to help users set up a vulnerable Confluence environment using Docker, fetching the necessary Docker Compose file from the Vulhub project. This script is intended for local lab setup and testing of the exploit. No hardcoded IP addresses or credentials are present, but the README and scripts reference the default local test instance at 'http://127.0.0.1:8090'. The exploit is not part of a larger framework and is self-contained. The code is mature enough for operational use, providing a working interactive RCE shell against vulnerable targets.
This repository provides an operational exploit for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Atlassian Confluence. The main exploit script (CVE-2022-26134.py) takes a list of target IPs and a command, then attempts to exploit each target by sending a specially crafted OGNL payload via an HTTP GET request. If the target is vulnerable, the command is executed on the server and the output is returned in a custom HTTP header. The script also includes a function to check the Confluence version by scraping the login page. The repository includes a helper script (shodan_script.py) to automate the collection of potential target IPs using Shodan search queries (dorks), and a README.md with usage instructions and relevant Shodan dorks for identifying Confluence servers. The exploit is network-based, requires no authentication, and targets both Linux and Windows Confluence deployments. No hardcoded endpoints or credentials are present, but the exploit is designed to be used with lists of discovered IPs. The payload is an OGNL expression injected via the URL path, enabling arbitrary command execution.
This repository provides a proof-of-concept (PoC) exploit for CVE-2022-26134, a critical unauthenticated remote code execution (RCE) vulnerability in Atlassian Confluence Server and Data Center. The repository contains two files: a README.md describing the vulnerability and a 'payload' file containing a raw HTTP request. The payload leverages an OGNL injection to execute the 'id' command on the target server, returning the output in a custom HTTP response header. The exploit is unauthenticated and targets a specific host and port (192.168.1.6:8090 in the example). The repository is a minimal PoC and does not include automation or advanced payloads.
This repository contains a Python exploit script (Confluence_cve_2022_26134_RCE.py) and a README.md for CVE-2022-26134, a critical remote code execution vulnerability in Atlassian Confluence. The exploit leverages an OGNL injection vulnerability to execute arbitrary system commands on the target server. The script first checks if the target is vulnerable by injecting an OGNL expression and looking for a custom HTTP header (X-Confluence) in the response. If vulnerable, it provides a pseudo-interactive shell, allowing the user to input commands, which are executed on the server and the output is returned via the same custom header, base64-decoded. The README provides usage instructions, tips for command execution on both Linux and Windows, and highlights the need to use shell wrappers or base64 encoding for complex commands. The exploit targets Confluence servers accessible over HTTP/HTTPS and is effective against both Linux and Windows platforms, provided they are vulnerable to CVE-2022-26134.
This repository contains 'ConfluentPwn', a Go-based scanner and exploit tool targeting Atlassian Confluence servers vulnerable to CVE-2022-26134 (pre-auth OGNL injection leading to remote code execution). The main entry point is 'main.go', which handles command-line arguments, concurrency, and orchestrates the scanning and exploitation process. The tool allows users to specify targets directly or via a file, customize the command to execute, and set output and matching options. The exploit works by sending a specially crafted OGNL payload in the URL, which, if the target is vulnerable, executes an arbitrary system command and returns the output in a custom HTTP header. The results are written to a CSV file. The codebase is cleanly structured with supporting files for HTTP utilities and CSV writing. No hardcoded IPs or domains are present, but the tool is designed to scan arbitrary user-supplied targets over HTTP/HTTPS. The repository is operational and provides a working exploit with customizable payloads, making it suitable for both vulnerability assessment and exploitation.
This repository provides a proof-of-concept (PoC) exploit for CVE-2022-26134, an unauthenticated OGNL injection vulnerability in Atlassian Confluence Server and Data Center. The repository contains three files: a LICENSE, a README.md with usage instructions and background, and the main exploit script 'cve-2022-26134.py'. The Python script takes a target Confluence URL and a system command as arguments. It first attempts to determine the Confluence version by accessing the '/login.action' page. If the target is potentially vulnerable, it crafts a malicious OGNL payload that is injected via a specially crafted HTTP GET request. This payload executes the specified system command on the server, and the output is returned in the 'X-Cmd-Response' HTTP header of the response. The exploit is a network-based remote code execution PoC and does not include post-exploitation features or advanced payload customization. The README provides clear usage instructions and references to official advisories. No hardcoded IPs, domains, or credentials are present; the script is designed for user-supplied targets.
This repository contains a Python proof-of-concept exploit for CVE-2022-26134, a critical pre-authentication remote code execution vulnerability in Atlassian Confluence. The repository consists of a README.md with usage instructions and a single exploit script (exploit.py). The exploit works by sending a specially crafted GET request to a vulnerable Confluence server, leveraging an OGNL injection to execute arbitrary system commands. The output of the command is returned in a custom HTTP header (X-Cmd-Response) if the exploit is successful. The script also attempts to fingerprint the Confluence version by accessing the /login.action page. No authentication is required, making this a high-impact exploit for vulnerable targets. The code is operational and can be used to execute arbitrary commands on affected Confluence servers.
The Serein repository is a comprehensive, multi-exploit framework written in Python, designed for automated, batch exploitation and verification of a wide range of n-day vulnerabilities (primarily RCE, file read, SQL injection, and authentication bypass) across various web applications, network devices, and platforms. The main entry point is Serein.py, which provides a GUI (using tkinter and ttkbootstrap) to manage and launch exploitation modules found in the 'exp/' directory. Each module targets a specific vulnerability, many of which are associated with well-known CVEs (e.g., CVE-2022-22954, CVE-2022-26134, CVE-2019-19781, etc.). The tool supports multi-threaded execution for high-speed scanning and exploitation, and integrates with internet-wide search engines (FOFA, Shodan, Hunter) for target acquisition. Users provide target URLs via input files (e.g., urls.txt, 修正后的url.txt), and results are saved to output files. The repository is operational and provides real exploitation capabilities, not just detection. It is intended for authorized security testing and red teaming, as emphasized in the README. The codebase is modular, with each exploit implemented as a separate Python script under 'exp/'. The repository is actively maintained (as of the last version update) and supports easy addition of new exploit modules.
This repository contains a Python exploit script (CVE-2022-26134.py) and a brief README for Atlassian Confluence OGNL injection vulnerability (CVE-2022-26134). The script targets Confluence servers vulnerable to this flaw, allowing remote code execution via a crafted OGNL payload in the URL path. The exploit sends a GET request with the payload, which executes the 'id' command on the server. If successful, the output is returned in the 'X-Cmd-Response' HTTP header and logged to 'res.txt'. The script supports both single-target and batch modes (via a file of URLs). The repository is straightforward, with the main exploit logic in a single Python file and usage instructions in the README.
This repository contains a Python exploit script (cve_2022_26134.py) and a README for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Atlassian Confluence Server. The exploit leverages an OGNL injection vulnerability by appending a specially crafted payload to the URL path of the target Confluence server. This payload causes the server to execute arbitrary system commands via Java's Runtime.getRuntime().exec(), and the output is returned in the X-Response HTTP header of the HTTP response. The script accepts the target URL and the command to execute as arguments, and works against both Linux and Windows targets. The README provides usage instructions and example commands. The repository is straightforward, with one exploit script and documentation, and is operational as it provides a working exploit with customizable command execution.
This repository contains a Python exploit (exploit.py) for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Atlassian Confluence Server and Data Center. The exploit leverages an OGNL injection vulnerability to execute arbitrary system commands on the target server. The result of the command is returned in the 'X-Cmd-Response' HTTP header of the HTTP response. The script supports both single and multiple target exploitation, with options for threading, custom commands, and output file saving. The README.md provides usage instructions, example commands, and references. The exploit is operational and requires the target to be running a vulnerable version of Confluence and to be accessible over HTTP/S. No hardcoded endpoints are present; the user supplies the target URLs.
This repository contains a Python proof-of-concept exploit for CVE-2022-26134, an unauthenticated remote code execution vulnerability in Atlassian Confluence. The main file, 'cve-2022-26134.py', allows users to test single or multiple URLs for vulnerability. It crafts a malicious HTTP GET request with an OGNL injection payload that executes the 'id' command on the target server. If successful, the command output is returned in the 'X-Cmd-Response' HTTP header, and vulnerable hosts are logged to 're.txt'. The script supports both single-target and batch modes (via 'url.txt'). The repository also includes a brief readme and a standard Apache 2.0 license. The exploit demonstrates operational maturity, as it provides a working payload and automates vulnerability detection and exploitation.
This repository provides an operational exploit for CVE-2022-26134, a critical pre-authentication remote code execution vulnerability in Atlassian Confluence. The main exploit script (exploit.py) allows an attacker to execute arbitrary commands or spawn a reverse shell on a vulnerable Confluence server by exploiting an OGNL injection vulnerability. The script supports both single-target and mass exploitation via a file of URLs, and can output results to a file. The payload is delivered via a specially crafted URL path, leveraging Java's ProcessBuilder and Nashorn scripting engine for command execution or reverse shell. The repository also includes helper files for parsing Zoomeye results and provides Shodan/Zoomeye dorks to help identify potential targets. The exploit is operational and can be used for real-world attacks if the target is vulnerable and accessible over the network.
This repository provides a Python-based proof-of-concept exploit for CVE-2022-26134, a critical unauthenticated OGNL injection vulnerability in Atlassian Confluence Server and Data Center (versions from 1.3.0 through 7.18.0, excluding the fixed releases). The exploit (cve-2022-26134.py) allows an attacker to execute arbitrary system commands on a vulnerable Confluence instance by injecting a specially crafted OGNL payload into the URL. The output of the command is returned in the X-Cmd-Response HTTP header of the server's response. The script checks the target's version by accessing the /login.action page and then sends the payload via a GET request. The repository includes a README with usage instructions, affected versions, mitigation guidance, and detection tips. The main entry point is cve-2022-26134.py, which requires Python 3.3+ and the requests, bs4, and urllib3 libraries. The attack vector is network-based, targeting accessible Confluence web servers. No fake or detection-only scripts are present; this is a functional exploit.
This repository is a Python-based exploit toolkit targeting multiple remote code execution (RCE) vulnerabilities in Atlassian Confluence: CVE-2021-26084, CVE-2022-26134, and CVE-2023-22527. The structure includes a GUI (gui/gui.py) for user interaction, a main entry point (main.py), and individual proof-of-concept (POC) scripts for each CVE under the pocs/ directory. The tool allows users to check for vulnerability, execute arbitrary commands, and obtain reverse shells on vulnerable Confluence servers. It supports both HTTP and SOCKS5 proxies for network operations. Additional utility scripts are provided for proxy checking and DNS log operations. The exploit payloads leverage OGNL and template injection vulnerabilities to achieve command execution. The endpoints targeted are specific Confluence paths known to be vulnerable. The toolkit is operational, providing both detection and exploitation capabilities, and is suitable for security testing and red teaming against affected Confluence instances.
This repository contains a single Python exploit script (cve-2022-26134.py) and a README. The exploit is a Proof-of-Concept (PoC) for CVE-2022-26134, a critical remote code execution vulnerability in Atlassian Confluence. The script is written as a pocsuite3 PoC module, leveraging the pocsuite3 framework for vulnerability testing. The exploit works by sending a specially crafted HTTP GET request to a vulnerable Confluence server, injecting an OGNL expression that executes the 'id' command on the server. The output of the command is returned in the 'X-Cmd-Response' HTTP header if the target is vulnerable. The README provides installation and usage instructions, emphasizing the need for pocsuite3 and Python 3.7+. No hardcoded IPs or domains are present, but the exploit targets user-supplied URLs. The repository is structured for use with pocsuite3 and is intended for security testing and demonstration purposes.
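Nearly every entry above delivers the OGNL expression as a URL path segment, usually percent-encoded, and the header-leaking variants read the result from a response header such as X-Cmd-Response. As an added example that is not code from any of these repositories, the following Python scans web-server access-log lines for that request shape: it decodes the path repeatedly so double encoding does not hide the wrapper, then grades each hit by whether known payload markers (static references like @java.lang.Runtime@, ServletActionContext, ScriptEngineManager, ProcessBuilder, .exec() follow the ${ wrapper. The log lines, addresses and function names are constructed for this example; the markers are drawn from the payload shapes the entries above describe.

```python
import re
from urllib.parse import unquote

# Combined-log-format line: client, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+')

# OGNL expression wrapper as it appears once the path is decoded.
OGNL_WRAPPER = re.compile(r"\$\{")

# Markers seen in the public CVE-2022-26134 payload shapes described on this page.
MARKER_RE = re.compile(
    r"@[A-Za-z_][\w.]*@"          # OGNL static reference, e.g. @java.lang.Runtime@
    r"|ServletActionContext"      # response object used to leak output via a header
    r"|ScriptEngineManager"       # Nashorn bootstrap used by several of the exploits
    r"|ProcessBuilder"
    r"|getRuntime\(\)"
    r"|\.exec\("
)

# Constructed sample log for the example (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2022:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5123
203.0.113.7 - - [03/Jun/2022:10:15:02 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0
198.51.100.9 - - [03/Jun/2022:10:16:40 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522id%2522%2529%257D/ HTTP/1.1" 302 0
198.51.100.9 - - [03/Jun/2022:10:17:00 +0000] "GET /%24%7Bfoo%7D/ HTTP/1.1" 404 812
10.0.0.5 - - [03/Jun/2022:10:18:13 +0000] "GET /display/ENG/Build%20Notes HTTP/1.1" 200 40211
"""


def fully_decode(target, rounds=3):
    """URL-decode repeatedly so single and double encoding both surface."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_target(target):
    """Return (verdict, decoded_path, markers).

    verdict is None for a benign path, 'suspicious' when only the ${ wrapper
    is present, and 'exploit' when a known payload marker follows it."""
    decoded = fully_decode(target)
    if not OGNL_WRAPPER.search(decoded):
        return None, decoded, []
    markers = sorted(set(m.group(0) for m in MARKER_RE.finditer(decoded)))
    return ("exploit" if markers else "suspicious"), decoded, markers


def scan_log(lines):
    """Parse access-log lines and return one record per flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # not a combined-format line; skip rather than guess
        verdict, decoded, markers = classify_target(m.group("target"))
        if verdict:
            hits.append({
                "client": m.group("client"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "path": decoded,
                "verdict": verdict,
                "markers": markers,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["verdict"], hit["client"], hit["path"], hit["markers"])
```

The check is deliberately on the request, because response headers such as X-Cmd-Response are not written to a standard access log; if a reverse proxy in front of Confluence can log response headers, alert on any non-standard X-* header appearing on a 302 to a path containing ${ as well. A 'suspicious' verdict with no markers is still worth a look: scanners that only probe for evaluation (for example arithmetic inside ${}) produce exactly that shape.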
Affected products & vendors
Recent activity
28 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An unauthenticated remote code execution vulnerability in Atlassian Confluence that can allow arbitrary code execution on the Confluence server without authentication, potentially leading to full system compromise.
A critical pre-authentication remote code execution vulnerability in Atlassian Confluence Server/Data Center caused by OGNL injection, allowing unauthenticated attackers to execute arbitrary code via crafted HTTP requests.
An OGNL injection vulnerability in Atlassian Confluence that is being included in automated scanning payloads.
Vulnerability in Atlassian Confluence referenced as a target in scanning activity.