CVE-2023-22527 PoC — Atlassian Confluence Security Vulnerability

Associated Vulnerability
Title: Atlassian Confluence Security Vulnerability (CVE-2023-22527)
Description: A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
Description
Atlassian Confluence Remote Code Execution (RCE) Proof of Concept
Readme
# CVE-2023-22527: Atlassian Confluence Vulnerability

## Introduction

The CVE-2023-22527 vulnerability is a critical security flaw in Atlassian Confluence, a widely used collaboration and documentation platform. This vulnerability exists in both Confluence Data Center and Confluence Server, which are versions of the platform designed for organizational use on self-hosted servers or cloud infrastructure.

### Vulnerability Details

- **Vulnerability Type**: OGNL (Object-Graph Navigation Language) Injection
- **CVSS Score**: 10.0 (Critical)
- **Affected Versions**:
  - Confluence Data Center and Server: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3

This vulnerability allows unauthenticated remote code execution on vulnerable Confluence instances. Organizations should patch their systems as soon as possible, given the high risk and the active exploitation attempts in the wild.
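For patch triage, the affected-version list above can be turned into an inventory check. The following is an added example, not part of the original repository: the function names, the `host,version` inventory format and the sample hosts are assumptions made for illustration. A result of `not-listed` only means the version is outside the ranges this page lists.

```python
import re

# Affected versions as listed on this page: 8.0.x-8.4.x and 8.5.0-8.5.3.
AFFECTED_MINORS = range(0, 5)   # 8.0 through 8.4, any patch level
LAST_AFFECTED_85_PATCH = 3      # 8.5.0 through 8.5.3
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-.+][\w.-]+)?$")

def classify(version_text):
    """Return 'affected', 'not-listed' (outside the page's list) or 'unknown'."""
    m = VERSION_RE.match(version_text.strip())
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) is not None else None
    if major != 8 or minor > 5:
        return "not-listed"
    if minor in AFFECTED_MINORS:
        return "affected"
    if patch is None:
        return "unknown"  # bare "8.5" cannot be decided without a patch level
    return "affected" if patch <= LAST_AFFECTED_85_PATCH else "not-listed"

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = """\
wiki-prod.example.internal,8.5.3
wiki-dr.example.internal,8.5.4
wiki-lab.example.internal,8.2.0
wiki-old.example.internal,7.19.17
wiki-new.example.internal,8.5
wiki-bad.example.internal,n/a
"""

def triage(inventory_csv):
    """Map each 'host,version' line to its classification."""
    results = {}
    for line in inventory_csv.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = classify(version)
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:<10} {host}")
```

Patch levels are compared as integers, so `8.5.10` is not mistaken for a release below `8.5.3`, and entries that cannot be decided are reported as `unknown` for manual review.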

## Docker Setup for Testing

To facilitate testing and understanding of this vulnerability, a Docker setup is provided. The Docker configuration includes an instance of Atlassian Confluence Server `8.5.3`, which is vulnerable to CVE-2023-22527.


### Running the Docker Setup

1. Save the above configuration in a file named `docker-compose.yml`.
2. Run the Docker setup:
   ```bash
   docker-compose up
   ```
3. The Confluence instance will be accessible at `http://localhost:8090`.

## Exploit Script Usage

The exploit script is designed to test the CVE-2023-22527 vulnerability in Confluence instances.

### Running the Script

- **Single URL Mode**:
  ```bash
  python3 exploit.py -u http://<target-ip>:8090 -c "whoami"
  ```
- **File Mode** (for multiple IPs):
  ```bash
  python3 exploit.py -f ips.txt -c "whoami"
  ```
- **Interactive Shell Mode**:
  ```bash
  python3 exploit.py -u http://<target-ip>:8090 --shell
  ```

Type `exit` to leave the interactive shell.


## Disclaimer 🚨

This information is provided strictly for educational and research purposes only 📚. Testing the script should only be conducted on systems where explicit permission has been granted ✅. Unauthorized use of this script and information is illegal 🚫 and unethical 😠.

---

References:
1. [Atlassian Security Advisory](https://confluence.atlassian.com/security/)
2. [ShadowServer Report](https://www.shadowserver.org/)
3. [Tenable blog](https://www.tenable.com/blog/cve-2023-22527-atlassian-confluence-data-center-and-server-template-injection-exploited-in-the)
File Snapshot

[4.0K] /data/pocs/9e1ec1c21c0ff96d61e2165b62aae258e1a3d8d4
├── [ 430] docker-compose.yml
├── [2.7K] exploit.py
└── [2.5K] README.md

0 directories, 3 files