Broken Access Control in Atlassian Confluence Data Center and Server
CVE-2023-22515 is a critical broken access control vulnerability in on-premises Atlassian Confluence Data Center and Server. It affects publicly accessible Confluence instances in the 8.0.0 through 8.5.1 range; versions prior to 8.0.0 and Atlassian Cloud are not affected. Available reporting indicates the flaw is unauthenticated and remotely exploitable. Exploitation has been described as involving manipulation of Confluence setup state via exposed endpoints, including requests to /server-info.action that can cause the application to treat setup as incomplete, followed by abuse of /setup/setupadministrator.action to create a new unauthorized Confluence administrator account. Multiple sources also note that the underlying issue may permit modification of other critical configuration settings, and some reporting states attackers have used the resulting administrative access to upload malicious plugins for follow-on arbitrary code execution. Atlassian disclosed the issue on 2023-10-04 after customer reports and later stated that a known nation-state actor had actively exploited it as a zero-day.
Exploits
10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (9 hidden).
This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. 
Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.
This repository contains a Python exploit script (CVE-2023-22515.py) targeting Atlassian Confluence instances vulnerable to CVE-2023-22515 (versions 8.0.0 to 8.5.1). The script first checks if the target is vulnerable by sending a GET request to the /server-info.action endpoint with a specific query parameter. If the target is vulnerable, it proceeds to create a new administrator user with randomly generated credentials by sending POST requests to /setup/setupadministrator.action and /setup/finishsetup.action. The exploit provides the attacker with administrative access to the Confluence instance. The repository also includes a README.md file with usage instructions and affected versions. No hardcoded IPs or domains are present; the script requires the user to supply the target URL as an argument.
This repository provides an automated Python exploit for CVE-2023-22515, a critical privilege escalation vulnerability in Atlassian Confluence. The exploit script (exploit.py) is the main file and supports both single-target and mass exploitation modes. It works by first triggering the setup vulnerability via a crafted GET request, then sending a POST request to create a new admin account (username: adminxxyz, password: Admin@12345), and finally verifying successful authentication as the new admin. The script is multi-threaded for mass exploitation and outputs results to the console or a file. The README.md provides usage instructions and describes the exploit's features. The exploit targets Confluence instances accessible over HTTP(S) and affected by CVE-2023-22515. No hardcoded IPs or domains are present; the script takes user-supplied targets. The endpoints used are specific to Confluence's setup and REST API. The exploit is operational, providing a working privilege escalation payload.
This repository contains a Python exploit script (exploit.py) targeting CVE-2023-22515, a critical broken access control vulnerability in Atlassian Confluence Server and Data Center. The exploit works by first triggering a misconfigured setup endpoint, then submitting a POST request to create a new administrator account ('pleasepatch'/'Password2'), and finally verifying authentication as the new admin via the REST API. The script supports both single-target and mass exploitation modes, reading targets from a file if needed. Output is saved to a user-specified file. The code uses the 'requests', 'fire', 'rich', and 'alive-progress' libraries for HTTP requests, CLI, output formatting, and progress display, respectively. The repository includes a README.md with detailed usage instructions and a requirements.txt for dependencies. The main attack vector is network-based, exploiting HTTP(S) endpoints on vulnerable Confluence instances. The endpoints used are fingerprintable and relate to the setup and user management APIs of Confluence.
This repository is a Java-based exploit package designed to be uploaded as a malicious plugin to Atlassian Confluence servers, specifically to exploit CVE-2023-22515. The structure includes a Maven project with three main Java servlet classes:
- CommandExecutor.java: implements a classic webshell accessible at /plugins/servlet/testbin/cmServlet, allowing remote command execution via HTTP POST.
- bxExecutor.java: implements a memory shell loader accessible at /plugins/servlet/testbin/bxServlet, which loads and executes AES-encrypted payloads in memory, requiring a specific Referer header for access.
- gzExecutor.java: implements a Godzilla-compatible memory shell at /plugins/servlet/testbin/gzServlet, also requiring a specific Referer header and password (p@ssw0rd) for access, supporting encrypted payloads for stealthy persistence.
The atlassian-plugin.xml file registers these servlets and their endpoints. The README provides usage instructions and highlights the endpoints. The exploit enables an attacker to gain persistent, stealthy remote code execution on a vulnerable Confluence server by uploading this plugin, then interacting with the exposed endpoints to execute commands or load further payloads. No hardcoded IPs or external C2s are present, but the endpoints are fingerprintable and can be used for detection.
This repository provides an operational exploit for CVE-2023-22515, a critical privilege escalation vulnerability in Atlassian Confluence Server and Data Center (versions 8.0.0 through 8.5.1). The exploit consists of a Python script ('exploit.py') that automates the process of exploiting the vulnerability by first triggering a setup state in the target Confluence instance, then sending a crafted POST request to create a new administrator account with known credentials ('hacked'/'hacked'). The script then verifies the success of the exploit by attempting to authenticate as the new admin user. The repository also includes a Nuclei YAML template ('CVE-2023-22515.yaml') for automated vulnerability scanning, a README with usage instructions, and a requirements.txt for dependencies. The main attack vector is network-based, targeting HTTP endpoints exposed by vulnerable Confluence instances. No hardcoded IPs or domains are present; the exploit is designed to be used against user-supplied targets. The overall structure is clear and focused on privilege escalation via unauthorized admin account creation.
This repository is a Go-based exploit tool targeting Atlassian Confluence Data Center and Server instances vulnerable to CVE-2023-22515. The exploit automates the process of creating a new administrator user on affected Confluence instances by sending a sequence of crafted HTTP requests to specific endpoints. The tool allows the attacker to specify the target URL, username, password, and proxy settings via command-line arguments. If no username or password is provided, the tool generates random credentials. The main logic is contained in 'main.go', which checks if the target is vulnerable, creates a new admin user, and finalizes the setup. The README provides usage instructions, affected version ranges, and example commands. No hardcoded IPs or domains are present; the tool is designed to be used against attacker-supplied targets. The exploit is operational, providing a working method to gain admin access to vulnerable Confluence instances.
This repository contains a Python exploit script (CVE-2023-22515.py) and a README.md. The exploit targets Atlassian Confluence Data Center and Server instances vulnerable to CVE-2023-22515, a privilege escalation vulnerability. The script works by sending a sequence of HTTP requests to the Confluence setup endpoints, allowing an attacker to create a new administrator account with arbitrary credentials. The attacker must supply the target URL, desired username, and password as command-line arguments. The script checks the setup state, submits the new admin account details, and finalizes the setup if possible. The README provides usage instructions and a disclaimer. No hardcoded endpoints or IPs are present; all endpoints are relative to the user-supplied base URL. The exploit is operational and demonstrates a real privilege escalation attack against vulnerable Confluence instances.
This repository provides a proof-of-concept exploit for Atlassian Confluence CVE-2023-22515 (Broken Access Control). The repository contains two files: a README.md describing the exploit and a 'payload' file outlining the attack steps. The exploit works by first sending a GET request to a specific endpoint to bypass the setup status, then sending a POST request to create a new administrator user, and optionally finalizing the setup. The payload is not implemented as code but as a sequence of HTTP requests, making this a manual or instructional POC rather than an automated exploit script. The main targets are Confluence servers vulnerable to CVE-2023-22515, and the endpoints involved are clearly specified in the payload file.
This repository targets Atlassian Confluence Server (tested on version 8.5.1) and exploits CVE-2023-22515, an unauthenticated vulnerability that allows the creation of a new admin user. The main exploit script (exploit.py) is written in Python and automates the process of checking credentials, verifying the vulnerability state, and creating a new admin user by sending crafted HTTP requests to specific Confluence endpoints. The repository also includes a decompiled Java servlet (ShellServlet.java) from a plugin (plugin_shellplug.jar) that, if installed on the target, provides a web-based shell for arbitrary command execution. The exploit is operational, providing both privilege escalation (admin user creation) and, optionally, remote command execution via the webshell. The repository is structured with a clear README, the main exploit script, and the decompiled webshell source code.
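As an added defensive example, not code from any of the repositories summarized above or from Atlassian: a small Python access-log triage script that flags the request shapes this page names, a query string on /server-info.action, any hit on the /setup/ actions after installation, and the fingerprintable webshell servlet paths, then picks out source addresses that performed the full probe-then-setup chain. The log lines, IP addresses and the query parameter name (x=1) are constructed placeholders; the real parameter is not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample log lines (common log format); addresses and the query
# parameter name (x=1) are placeholders, not values taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2023:10:01:12 +0000] "GET /server-info.action?x=1 HTTP/1.1" 302 0
203.0.113.7 - - [05/Oct/2023:10:01:15 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
203.0.113.7 - - [05/Oct/2023:10:01:17 +0000] "POST /setup/finishsetup.action HTTP/1.1" 200 512
198.51.100.4 - - [05/Oct/2023:10:05:00 +0000] "GET /rest/api/user/current HTTP/1.1" 200 301
203.0.113.7 - - [05/Oct/2023:10:09:40 +0000] "POST /plugins/servlet/testbin/cmServlet HTTP/1.1" 200 88
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# On an instance that has completed setup, /server-info.action is a normal page
# but a query string on it is not, and the /setup/ actions should never recur.
RULES = {
    "setup_state_probe": lambda path, query: path == "/server-info.action" and query != "",
    "setup_action_after_install": lambda path, query: path.startswith("/setup/"),
    "plugin_shell_servlet": lambda path, query: "/plugins/servlet/testbin/" in path or "ShellServlet" in path,
}

def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "query": query, "status": int(m.group("status"))}

def scan(log_text):
    """Return one finding per (line, rule) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, pred in RULES.items():
            if pred(rec["path"], rec["query"]):
                findings.append({**rec, "rule": rule})
    return findings

def chained_sources(findings):
    """IPs that did both the probe and a /setup/ action: the full chain from the description."""
    rules_by_ip = defaultdict(set)
    for f in findings:
        rules_by_ip[f["ip"]].add(f["rule"])
    return sorted(ip for ip, r in rules_by_ip.items() if {"setup_state_probe", "setup_action_after_install"} <= r)
```

A single /setup/ hit can be a stale scanner probe; a source that appears in chained_sources should be treated as an assume-compromise trigger (audit admin accounts and installed plugins).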
Recent activity
26 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A privilege escalation vulnerability in Atlassian Confluence Data Center and Server that can allow unauthorized access or creation of accounts with escalated privileges.
A privilege escalation vulnerability in Atlassian Confluence Data Center and Server, described as a zero-day in the referenced material.
A Confluence server vulnerability referenced as being targeted via Remote ShellServlet access attempts, potentially enabling unauthorized command execution and remote code execution.
A zero-day vulnerability in Atlassian Confluence, actively exploited with a public proof-of-concept.