Confluence Server OGNL Injection
Our own wvu along with Jang added a module that exploits an OGNL injection (CVE-2021-26804)in Atlassian Confluence's WebWork component to execute commands as the Tomcat user. CVE-2021-26804 is a critical remote code execution vulnerability in Confluence Server and Confluence Data Center and is actively being exploited in the wild. Initial discovery of this exploit was by Benny Jacob (SnowyOwl).
In addition to the module, we would like to highlight some of the enhancements that have been added for this release. Contributor e2002e added the
DATABASE options to the
zoomeye_search module allowing users to save results to a local file or local database along with improving the output of the module to provide better information about the target. Our own dwelch-r7 has added support for fully interactive shells against Linux environments with
shell -it. In order to use this functionality, users will have to enable the feature flag with
features set fully_interactive_shells true. Contributor pingport80 has added
powershell support for
write_file method that is binary safe and has also replaced explicit
cat calls with file reads from the file library to provide broader support.
New module content (1)
- Atlassian Confluence WebWork OGNL Injection by wvu, Benny Jacob, and Jang, which exploits CVE-2021-26084 - This adds an exploit module targeting an OGNL injection vulnerability (CVE-2021-26084) in Atlassian Confluence's WebWork component to execute commands as the Tomcat user.
Enhancements and features
- #15278 from e2002e - The
zoomeye_searchmodule has been enhanced to add the
DATABASEoptions, which allow users to save results to a local file or to the local database respectively. Additionally the output saved has been improved to provide better information about the target and additional error handling has been added to better handle potential edge cases.
- #15522 from dwelch-r7 - Adds support for fully interactive shells against Linux environments with
shell -it. This functionality is behind a feature flag and can be enabled with
features set fully_interactive_shells true
- #15560 from pingport80 - This PR add powershell support for write_file method that is binary safe.
- #15627 from pingport80 - This PR removes explicit
catcalls and replaces them with file reads from the file library so that they have broader support.
- #15634 from maikthulhu - This PR fixes an issue in
exploit/multi/misc/erlang_cookie_rcewhere a missing bitwise flag caused the exploit to fail in some circumstances.
- #15636 from adfoster-r7 - Fixes a regression in datastore serialization that caused some event processing to fail.
- #15637 from adfoster-r7 - Fixes a regression issue were Metasploit incorrectly marked ipv6 address as having an 'invalid protocol'
- #15639 from gwillcox-r7 - This fixes a bug in the
rename_filesmethod that would occur when run on a non-Windows shell session.
- #15640 from adfoster-r7 - Updates
modules/auxiliary/gather/office365userenum.pyto require python3
- #15652 from jmartin-r7 - A missing dependency,
py3-pip, was preventing certain external modules such as
auxiliary/gather/office365userenumfrom working due to
py3-pipto run properly. This has been fixed by updating the Docker container to install the missing
- #15654 from space-r7 - A bug has been fixed in
lib/msf/core/payload/windows/encrypted_reverse_tcp.rbwhereby a call to
recv()was not being passed the proper arguments to receive the full payload before returning. This could result in cases where only part of the payload was received before continuing, which would have resulted in a crash. This has been fixed by adding a flag to the
recv()function call to ensure it receives the entire payload before returning.
- #15655 from adfoster-r7 - This cleans up the MySQL client-side options that are used within the library code.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).