On June 02, 2022, Atlassian released a security advisory for Confluence Server and Data Center describing a critical-severity, unauthenticated remote code execution vulnerability.
The OGNL injection flaw lets an unauthenticated attacker execute arbitrary code on a Confluence Server or Data Center instance, and it is being actively exploited by a specific threat actor. To help our customers test and verify that their systems are protected against it, our research team rushed out a purple team module for this specific purpose.
You can find it under the following name: Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)
The module expects two input arguments:
Hostname : the host to check for the vulnerability.
Command : the command to run if the host is found to be vulnerable (defaults to whoami, which prints the username the Confluence process is running as). Because a successful check executes that command on the target, point the module only at hosts you are authorised to test.
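The module above covers the red side of the exercise; the blue side is confirming that the attempt shows up in your telemetry. The following is an added example, not the vendor's module or any Atlassian code: it scans Confluence access-log lines for OGNL expressions carried in the request URI, which is where this pre-auth injection lands. The log lines are constructed for the example, the log format is assumed to be the usual Tomcat common format, and the marker lists (`${`, `@java.lang.Runtime`, `.exec(`) are my own choice of indicators, not an official signature.

```python
"""Scan Confluence access-log lines for OGNL-expression requests of the kind
used against CVE-2022-26134 (pre-auth OGNL injection in the request URI).
Added example; not the purple team module described above and not Atlassian code."""
import re
from urllib.parse import unquote

# Constructed sample lines in Tomcat "common" log format (not real traffic).
# Line 2 carries ${@java.lang.Runtime@getRuntime().exec("whoami")} fully URL-encoded;
# line 3 uses a raw ${ with only the quotes encoded. Lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5120
10.0.0.9 - - [03/Jun/2022:10:15:07 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29%7D/ HTTP/1.1" 302 0
10.0.0.9 - - [03/Jun/2022:10:15:09 +0000] "GET /${@java.lang.Runtime@getRuntime().exec(%22id%22)}/ HTTP/1.1" 302 0
10.0.0.7 - - [03/Jun/2022:10:16:00 +0000] "GET /rest/api/content?expand=body.storage HTTP/1.1" 200 2048
"""

# Tomcat/Apache common log format, as Confluence's access log is normally configured (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Expression delimiters OGNL/WebWork accept, plus strings that almost only appear
# when an expression is trying to reach the JVM. Chosen for this example, not an official list.
OGNL_OPENERS = ("${", "%{")
HIGH_SIGNAL = (
    "@java.lang.runtime",
    "getruntime()",
    ".exec(",
    "@org.apache.commons.io.ioutils",
    "servletactioncontext",
)


def fully_decode(path: str, rounds: int = 3) -> str:
    """URL-decode until stable so a double-encoded %2524%257B (${) is caught as well."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def ognl_indicators(path: str) -> list[str]:
    """Return the markers found in the decoded path; an empty list means it looks benign."""
    decoded = fully_decode(path)
    lowered = decoded.lower()
    found = [o for o in OGNL_OPENERS if o in decoded]
    found += [m for m in HIGH_SIGNAL if m in lowered]
    return found


def scan_access_log(text: str) -> list[dict]:
    """Return one hit per request whose path carries OGNL-injection indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of aborting the scan
        indicators = ognl_indicators(m["path"])
        if indicators:
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "status": m["status"],
                "path": m["path"],
                "decoded": fully_decode(m["path"]),
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["status"]} {hit["decoded"]} -> {hit["indicators"]}')
```

Run it after firing the module at a test instance and the two attacker lines (or your real ones) should be the only hits. Decoding to a fixed point matters: a single `unquote` pass would miss the double-encoded variant, and matching only on the raw `${` would miss the fully encoded one.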