Unauthenticated RCE in Atlassian Confluence Data Center and Server
CVE-2023-22527 is a template injection vulnerability in older Atlassian Confluence Data Center and Confluence Server releases that allows unauthenticated remote code execution. The issue has been described in multiple supporting sources as a pre-authentication OGNL/template injection flaw, with exploitation activity observed via HTTP POST requests to the "/template/aui/text-inline.vm" endpoint. Successful exploitation allows attacker-controlled expressions to be evaluated by the server, resulting in arbitrary code execution on the affected Confluence instance. Reported affected versions include Confluence Data Center and Server 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3. Atlassian stated that the most recent supported versions were not affected because the flaw had already been mitigated through regular updates.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
13 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. 
Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.
This repository is an automated exploit tool targeting Atlassian Confluence servers vulnerable to CVE-2023-22527 (versions prior to 8.5.4). The main script, 'atlassianpwn.py', serves as the entry point and orchestrates the exploitation process. It takes user-supplied arguments for the target URL, attacker's host (LHOST), and port (LPORT). The tool first checks if the target is running a vulnerable version of Confluence by querying the '/login.action' endpoint. If vulnerable, it sends a crafted payload to the '/template/aui/email/velocity.vm' endpoint to trigger remote code execution, resulting in a reverse shell to the attacker's machine. If the version check fails, it attempts a blind OGNL injection via the root endpoint. The payloads are implemented in Python and generate bash reverse shell commands. The repository is structured into a main script, a module for exploitation logic, and a payload generator. No hardcoded endpoints or IPs are present; all targets are user-supplied at runtime. The exploit is operational and provides a working reverse shell if successful.
This repository provides a working proof-of-concept exploit for CVE-2023-22527, a critical remote code execution (RCE) vulnerability in Atlassian Confluence Data Center and Server. The main exploit script (CVE-2023-22527.py) is a Python program that sends a specially crafted POST request to the vulnerable /template/aui/text-inline.vm endpoint on a target Confluence server. The payload leverages a server-side template injection (SSTI) and OGNL injection to execute arbitrary system commands via the freemarker.template.utility.Execute class, with the command output returned in the X-Cmd-Response HTTP header. The repository includes a README with detailed references, a docker-compose.yml for setting up a vulnerable environment (Confluence 8.5.3 and Postgres), and a stack trace file (all-stack.txt) showing the vulnerable code path. The exploit is operational and allows the attacker to specify any command to run on the target system. The main fingerprintable endpoint is /template/aui/text-inline.vm, and the exploit is network-based, requiring HTTP access to the target. The repository is well-structured for both testing and exploitation purposes.
This repository provides a working exploit for CVE-2023-22527, a critical unauthenticated remote code execution (RCE) vulnerability affecting Atlassian Confluence Data Center and Server versions 8.0.x through 8.5.3. The repository contains three files: a Python exploit script (CVE-2023-22527.py), a YAML file (CVE-2023-22527.yaml) likely for use with automated scanners (e.g., Nuclei), and a README.md with vulnerability details and usage instructions. The Python script fingerprints the target Confluence instance to determine its version, checks if it is vulnerable, and then sends a crafted POST request to the /template/aui/text-inline.vm endpoint. The payload leverages a template injection to execute arbitrary system commands on the server, returning the output in a custom HTTP response header. The YAML file describes the same attack in a format suitable for automated vulnerability scanning. The exploit is unauthenticated and requires only network access to the vulnerable endpoint. No hardcoded IPs or domains are present; the exploit is generic and targets any vulnerable Confluence instance. The repository is operational, providing a real-world exploit with customizable command execution.
This repository provides a Python-based exploit tool targeting Atlassian Confluence Server/Data Center instances vulnerable to CVE-2023-22527, a remote code execution (RCE) vulnerability. The main file, 'exploit.py', is a command-line tool that allows the user to specify a single domain or a list of domains to test and exploit. The tool sends a specially crafted HTTP POST request to the '/template/aui/text-inline.vm' endpoint on the target, exploiting an OGNL injection vulnerability via Freemarker templates. If successful, the exploit executes arbitrary system commands on the target server, with the output returned in the 'X-Cmd-Response' HTTP header. The tool supports concurrency, proxying (e.g., through Burp Suite), and output to a file. The repository also includes a 'requirements.txt' for dependencies and a README with usage instructions. The exploit is operational and proven to work against vulnerable instances, as evidenced by the included proof-of-exploitation video. No hardcoded IPs or domains are present; the tool is designed for user-supplied targets.
This repository is a Java-based exploit for Atlassian Confluence CVE-2023-22527, specifically targeting version 8.5.3 as referenced in the README. The exploit is implemented in the 'src/main/Main.java' file, which serves as the entry point. It allows the user to inject either a Behinder or Godzilla memory shell (webshell) into a vulnerable Confluence instance by exploiting an OGNL injection vulnerability. The exploit works by sending specially crafted POST requests to the '/template/aui/text-inline.vm' endpoint on the target server, using payloads defined in 'initpayload.txt', 'label.txt', and 'poc.txt'. The memory shell classes are defined in 'src/main/MemShell/BehinderMemShell.java' and 'src/main/MemShell/GodzillaMemShell.java'. The exploit supports the use of an HTTP proxy and custom passwords/keys for the webshells. If successful, the attacker gains persistent remote code execution via the injected webshell, which resides in memory and is not written to disk. The repository is operational and provides a working exploit with customizable payloads, but is not part of a larger exploitation framework.
This repository provides three operational exploits for CVE-2023-22527, a critical remote code execution vulnerability in Atlassian Confluence Data Center and Server (versions 8.0.0-8.5.3). The repository is organized into three subdirectories: 'webshell', 'reverseshell', and 'nashorn', each containing a Go-based exploit that leverages OGNL injection via the '/template/aui/text-inline.vm' endpoint. The 'webshell' variant injects a Java class into memory, exposing a webshell accessible via a custom HTTP parameter. The 'reverseshell' variant injects a Java class that establishes a reverse shell to the attacker's host. The 'nashorn' variant uses the Nashorn JavaScript engine (for Java <15) to fetch and execute a JavaScript-based reverse shell payload. All exploits are designed to avoid touching disk on the target, operating entirely in memory. The repository includes Dockerfiles and Makefiles for building and running the exploits, and each variant is accompanied by detailed usage instructions and example output. The main attack vector is network-based, requiring access to the vulnerable Confluence instance over HTTP(S). The exploits are mature, operational, and provide full remote code execution capabilities.
This repository provides a working exploit for CVE-2023-22527, a remote code execution vulnerability affecting Atlassian Confluence Data Center and Server versions 8.0.x through 8.5.3. The exploit is implemented in Go (main.go) and can be compiled into a Windows executable (cve-2023-22527.exe). The exploit works by sending a specially crafted POST request to the /template/aui/text-inline.vm endpoint on the target Confluence server, leveraging OGNL injection and FreeMarker's Execute utility to run arbitrary system commands. The output of the executed command is returned in the 'Cmd' HTTP header of the response. The tool provides an interactive shell-like interface, allowing the attacker to execute multiple commands in sequence. The README.md provides usage instructions, affected product versions, and references to the official advisory. No hardcoded IPs or domains are present; the target is specified via command-line arguments. The repository is focused and contains only the exploit code, build instructions, and dependency files.
This repository contains a working proof-of-concept exploit for CVE-2023-22527, a remote code execution vulnerability in Atlassian Confluence. The main exploit file, 'exploit-CVE-2023-22527.js', is written in JavaScript and intended to be run with the Bun runtime. The exploit takes command-line arguments specifying the target Confluence server, the attacker's host and port for a reverse shell, and an optional command to execute. It works by sending crafted POST requests to the vulnerable '/template/aui/text-inline.vm' endpoint on the target, writing a shell script to '/tmp/a' in chunks, and then executing it using FreeMarker's Execute utility. By default, the payload opens a reverse shell to the attacker's specified host and port. The README provides clear usage instructions, including setting up ngrok and netcat for receiving the shell. The exploit is operational and can be used to achieve remote code execution on vulnerable Confluence instances.
This repository provides a proof-of-concept exploit for CVE-2023-22527, a critical remote code execution (RCE) vulnerability in Atlassian Confluence Data Center and Server (versions 8.0.x through 8.5.3). The exploit leverages a server-side template injection (SSTI) in the FreeMarker engine, allowing attackers to execute arbitrary system commands on the target server via the /template/aui/text-inline.vm endpoint. The main exploit script (CVE-2023-22527.py) is written in Python and supports single command execution, environment variable retrieval, and an interactive shell mode. The repository also includes a README.md with detailed usage instructions, payload examples, affected versions, and references, as well as a docker-compose.yml for setting up a vulnerable test environment. The exploit is network-based and targets HTTP endpoints exposed by vulnerable Confluence instances.
This repository provides a proof-of-concept (PoC) exploit for CVE-2023-22527, a critical remote code execution vulnerability affecting Atlassian Confluence Data Center and Server. The repository contains two files: a README.md briefly describing the CVE, and PoC.txt, which contains a raw HTTP POST request. The request targets the /template/aui/text-inline.vm endpoint on a Confluence server and injects a payload via the 'label' and 'poc' parameters. The payload leverages OGNL and FreeMarker template injection to execute the 'whoami' command on the server, returning the result in a custom HTTP header ('Cmd-Ret'). The exploit demonstrates remote command execution but does not provide a full exploit framework or automation script. The main fingerprintable endpoint is the HTTP URL and IP address specified in the PoC. The exploit is a minimal, manual PoC suitable for demonstrating the vulnerability.
This repository is an exploit for CVE-2023-22527, a critical OGNL injection vulnerability in Atlassian Confluence (tested on version 8.5.1). The exploit is implemented in Java and consists of several key files:
- `src/main/Main.java`: The main entry point, which takes the target URL, a password, and a key as arguments. It constructs and sends crafted POST requests to the vulnerable endpoint (`/template/aui/text-inline.vm`) to inject a memory-resident webshell (Godzilla memshell) into the target's JVM.
- `src/main/ConfluenceFilterMemshell.java`: Implements the memory shell, which is injected into the target process. It uses Java reflection and dynamic class loading to establish a backdoor accessible via the Godzilla webshell client, protected by the provided password and key.
- `src/main/MiTM.java`: Handles SSL/TLS trust management to allow the exploit to work against HTTPS targets by trusting all certificates.
- `src/main/initpayload.txt`, `label.txt`, `poc.txt`: Contain OGNL payload templates and expressions used to trigger the vulnerability and deliver the memory shell.
The exploit works by sending a sequence of POST requests with specially crafted OGNL expressions to the vulnerable endpoint, resulting in the injection of a Java class (the memory shell) into the target's memory. If successful, the attacker can interact with the webshell using the Godzilla client, enabling remote code execution and persistence without writing files to disk. The exploit is operational and provides a working payload, but is not part of a larger framework. The only fingerprintable endpoint is the vulnerable Confluence path `/template/aui/text-inline.vm`, which is targeted for payload delivery. The exploit is network-based and requires access to the target's HTTP(S) interface.
This repository is a Python-based exploit toolkit targeting multiple remote code execution (RCE) vulnerabilities in Atlassian Confluence: CVE-2021-26084, CVE-2022-26134, and CVE-2023-22527. The structure includes a GUI (gui/gui.py) for user interaction, a main entry point (main.py), and individual proof-of-concept (POC) scripts for each CVE under the pocs/ directory. The tool allows users to check for vulnerability, execute arbitrary commands, and obtain reverse shells on vulnerable Confluence servers. It supports both HTTP and SOCKS5 proxies for network operations. Additional utility scripts are provided for proxy checking and DNS log operations. The exploit payloads leverage OGNL and template injection vulnerabilities to achieve command execution. The endpoints targeted are specific Confluence paths known to be vulnerable. The toolkit is operational, providing both detection and exploitation capabilities, and is suitable for security testing and red teaming against affected Confluence instances.
Affected products & vendors
Recent activity
24 sources tracked across advisories, community write-ups, and news.
A critical pre-authentication remote code execution vulnerability in Atlassian Confluence Data Center and Server involving OGNL/template injection that can allow unauthenticated attackers to execute arbitrary code remotely.
An Atlassian Confluence RCE vulnerability referenced only as a module name in an ATT&CK-tagging update; no additional details provided in the content.
A vulnerability in Atlassian Confluence, exploited by APT35 (Charming Kitten) for phishing and credential harvesting campaigns.
A recent vulnerability (details not specified in the content) that has been exploited by the Linuxsys miner campaign as part of n-day exploitation.