Exploit for Command Injection in Sophos Web Appliance exploit

Share

## https://sploitus.com/exploit?id=3BC66170-DC66-545B-AAA9-CAC49736A37D # Сve-2023-1671 ## How does cve-2023-1671(https://vulners.com/cve/CVE-2023-1671 ) work? /opt/ws/bin/ftsblistpack is a Perl script that calls /opt/ws/bin/sblistpack, which is another Perl script. The shell command arguments in it are enclosed in single quotes: $rc += system("$sblistpack '$uri' '$user' '$filetype' '$filein' '$fileout'"); This will be important in the future it will be one of those things that will lead to a vulnerability. Next /opt/ui/apache/htdocs/controllers/UsrBlocked.php passes the shell command to ftsblistpack with user-provided parameters : args_reason, url, filetypeser, user_encoded. User input is still handled by the PHP function escapeshellarg(), which adds single quotes around the string or any existing single quotes. This allows you to pass the string directly to the shell function and process it along with the user parameters. You can see what comes out of this: If we type in: ';echo 1 # Then we have: 'shell user' ' ';echo 1 #' And this allows us to do some damage to the system in this command. We add our encoded value to user_encoded. UsrBlocked.php is redirected via /index.php?c=blocked, then the necessary GET and POST parameters are entered. Since the user_encoded parameter is Base64-encoded, it is ideal for injection. ### Useful Links: https://github.com/ohnonoyesyes/CVE-2023-1671 - shell exploit https://vulncheck.com/blog/cve-2023-1671-analysis - pos cve-2023-1671 https://nvd.nist.gov/vuln/detail/CVE-2023-1671 - nist info cve-2023-1671 ### This is an exploit to cve-2023-1671. So, there is a test and exploit function. The test sends a ping request to the dnslog(http://www.dnslog.cn) domain from the vulnerable site. If the ping passes, the vulnerability exists, if not, cve-2023-1671 is missing. The exploitation function, on the other hand, sends a request with your command to the server. ## Use: -h Get usage parameters ### Function parameters: --exploit Calls the function to exploit cve-2023-1671. This will execute your arbitrary command without checking if there is a vulnerability. --test Calls the vulnerability test function. This is done by pinging the dnslog domain, from the vulnerable server. If ping occurs, the vulnerability cve-2023-1671 is present. ### The auxiliary parameters: -u This is the ip or url of your site. Note the format 192.168.0.1 or site.com -p The port of the vulnerable site. This is a mandatory parameter, even if you have https://site.ocm you must specify -u site.com -p 443 -c The function parameter --exploit This is any arbitrary command you want to execute in order to exploit the site. Farmata -c 'echo cve' ## Examples : ### Exploit Functions: python cve-2023-1671.py --exploit -u 192.168.0.1 -p 443 -c 'echo 1' ### Test functions: python cve-2023-1671.py --test -u 192.168.0.1 -p 443 ## ATTENTION! This exploit is written for educational purposes and I am not responsible for your actions Use this exploit only for the purpose of testing and protecting your system.