Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-34362 PoC — MoveIT SQL注入漏洞

Source
https://github.com/Malwareman007/CVE-2023-34362
Associated Vulnerability
Title:MoveIT SQL注入漏洞 (CVE-2023-34362)
Description:In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.
Description
POC for CVE-2023-34362 affecting MOVEit Transfer
Readme
# CVE-2023-34362
POC for CVE-2023-34362 affecting MOVEit Transfer

## Technical Analysis
A technical root cause analysis of the vulnerability can be found on the blog:

## Summary
- This POC abuses an SQL injection to obtain a sysadmin API access token and then uses that access to abuse a deserialization call to obtain remote code execution.

- This POC needs to reach out to an Identity Provider endpoint that hosts proper RS256 certificates used to forge arbitrary user tokens - by default this POC uses our IDP endpoint hosted in AWS.

- The exploit will default write a file to C:\Windows\Temp\message.txt. Alternative payloads can be generated by using the ysoserial.net project.

## Usage
```plaintext
python CVE-2023-34362.py https://127.0.0.1
[*] Getting sysadmin access token
[*] Got access token
[*] Getting FolderID
[*] Got FolderID: 963611079
[*] Starting file upload
[*] Got FileID: 965943963
[*] Injecting the payload
[*] Payload injected
[*] Triggering payload via resume call
[+] Triggered the payload!
[*] Deleting uploaded file
```

## Mitigations
Update to the latest version or mitigate by following the instructions within the Progress Advisory
* https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023


## Disclaimer
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
File Snapshot

 [4.0K]  /data/pocs/3fc35e4847fa3c6ba49533e5cf0a4d0ffb5040f2
├── [1.9K]  cert.crt
├── [ 14K]  CVE-2023-34362.py
├── [3.2K]  key.pem
├── [ 800]  key.pub
├── [1.0K]  LICENSE
├── [3.2K]  provider_file.txt
└── [1.6K]  README.md

0 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →