CVE-2023-34362 PoC — MoveIT SQL注入漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-34362.yaml

Associated Vulnerability

Title:MoveIT SQL注入漏洞 (CVE-2023-34362)
Description:MoveIT是MoveIT公司的一款针对机械臂移动操作的最先进的软件。 MoveIT 存在安全漏洞，该漏洞源于存在SQL注入漏洞。攻击者可利用该漏洞访问数据库并执行更改或删除操作。受影响的产品和版本： Progress MOVEit Transfer 2021.0.6 (13.0.6)之前版本，2021.1.4 (13.1.4)版本, 2022.0.4 (14.0.4)版本, 2022.1.5 (14.1.5)版本, 2023.0.1 (15.0.1)版本。

Description

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

File Snapshot


 id: CVE-2023-34362

info:
  name: MOVEit Transfer - Remote Code Execution
  author: princechaddha,ro

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!