CVE-2017-18362 PoC: Kaseya VSA ConnectWise ManagedITSync SQL injection vulnerability

Associated Vulnerability
Title: Kaseya VSA ConnectWise ManagedITSync SQL injection vulnerability (CVE-2017-18362)
Description: ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.
Description: ConnectWise ManagedITSync vulnerable environment (CVE-2017-18362)
Readme
# CVE-2017-18362 LAB (Kaseya / ManagedIT SQL Injection Simulation)

Minimal vulnerable lab reproducing a legacy `ManagedIT.asmx/GetDataSet` style SQL injection surface (inspired by CVE-2017-18362 patterns). This is NOT vendor code; purely educational.

> Legal Notice: Use only in controlled environments with explicit authorization.

---

## Architecture

| Component | Base Image                                                         | Host Port | Purpose                                                                   |
| --------- | ------------------------------------------------------------------ | --------: | ------------------------------------------------------------------------- |
| `db`      | `mcr.microsoft.com/mssql/server:2019-latest`                       |      1433 | SQL Server Express seeded (administrators table)                          |
| `webapp`  | `mcr.microsoft.com/dotnet/aspnet:8.0` (built from `sdk:8.0` stage) |      8080 | Minimal .NET API exposing vulnerable endpoint `ManagedIT.asmx/GetDataSet` |

Network: `cve-net` (bridge)

---

## Quick Start

```bash
git clone https://github.com/yawningmoney/CVE-2017-18362-LAB.git
cd CVE-2017-18362-LAB
docker compose up -d --build
# Web: http://localhost:8080/
```

Stop & clean:

```bash
docker compose down
docker compose down -v --rmi local   # full reset
```

---

## Vulnerable Endpoint

```
POST /KaseyaCwWebService/ManagedIT.asmx/GetDataSet
Content-Type: application/x-www-form-urlencoded
Body: sql=<ARBITRARY_SQL>
```

The service passes the raw `sql` value straight to a `SqlDataAdapter` with no parameterization, so any SQL statement is executed (simulated here). Responses are always HTTP `200`, carrying either an XML dataset or an error envelope.

---

## Detection with Nuclei (Template: cve-2017-18362)

Template location (relative): `../nuclei-templates/http/cves/2017/CVE-2017-18362.yaml`

Run (debug enabled):

```bash
nuclei -t CVE-2017-18362.yaml -u http://localhost:8080 -debug
```

Example output (abridged to core evidence):

```
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.7

                projectdiscovery.io

[INF] Current nuclei version: v3.4.7 (latest)
[INF] Current nuclei-templates version: v10.2.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 55
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [cve-2017-18362] Dumped HTTP request for http://localhost:8080/KaseyaCwWebService/ManagedIT.asmx

GET /KaseyaCwWebService/ManagedIT.asmx HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [cve-2017-18362] Dumped HTTP response http://localhost:8080/KaseyaCwWebService/ManagedIT.asmx

HTTP/1.1 200 OK
Connection: close
Content-Length: 54
Content-Type: text/html; charset=utf-8
Date: Thu, 14 Aug 2025 02:14:56 GMT
Server: Kestrel

<html><body>ManagedIT.asmx?op=GetDataSet</body></html>
[cve-2017-18362:word-2] [http] [critical] http://localhost:8080/KaseyaCwWebService/ManagedIT.asmx
[cve-2017-18362:status-1] [http] [critical] http://localhost:8080/KaseyaCwWebService/ManagedIT.asmx
[INF] [cve-2017-18362] Dumped HTTP request for http://localhost:8080/KaseyaCwWebService/ManagedIT.asmx/GetDataSet

POST /KaseyaCwWebService/ManagedIT.asmx/GetDataSet HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Length: 51
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

sql=SELECT 'rUCDOAwc'/**/UNION/**/SELECT 'rUCDOAwc'
[DBG] [cve-2017-18362] Dumped HTTP response http://localhost:8080/KaseyaCwWebService/ManagedIT.asmx/GetDataSet

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/xml
Date: Thu, 14 Aug 2025 02:15:11 GMT
Server: Kestrel

<NewDataSet>
  <Error>
    <Message>A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 35 - An internal exception was caught)</Message>
  </Error>
</NewDataSet>
...
[INF] Scan completed in 14.618607468s. 2 matches found.
```

Why it triggers:

- Passive confirmation of the `.asmx` surface: the page body advertises `ManagedIT.asmx?op=`.
- Several SQL payload variants inject a random marker (`rUCDOAwc` in the run above).
- Match condition: status 200, the marker present in the response, and a dataset/error XML envelope.
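To make the matcher logic concrete, here is an added Python re-implementation of the three conditions above (not part of the lab or of the nuclei template). The HTML and error bodies are taken from the debug output above; the third sample body is a constructed dataset reply in which the marker is reflected.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Passive check: the .asmx landing page advertises the GetDataSet operation.
def passive_asmx_match(status: int, body: str) -> bool:
    return status == 200 and "ManagedIT.asmx?op=" in body

# Classify the envelope: the service always answers with a <NewDataSet> root
# holding either result rows or an <Error> element; anything else is no envelope.
def envelope_kind(body: str) -> Optional[str]:
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return None
    if root.tag != "NewDataSet":
        return None
    return "error" if root.find("Error") is not None else "dataset"

# Active check: HTTP 200, the injected marker reflected, and a dataset/error envelope.
def active_injection_match(status: int, body: str, marker: str) -> bool:
    return status == 200 and marker in body and envelope_kind(body) is not None

def evaluate(responses, marker: str):
    """Return (url, matcher-name) findings, one per condition that fired."""
    findings = []
    for url, status, body in responses:
        if url.endswith("ManagedIT.asmx") and passive_asmx_match(status, body):
            findings.append((url, "passive-asmx"))
        if url.endswith("/GetDataSet") and active_injection_match(status, body, marker):
            findings.append((url, "marker-reflected"))
    return findings

# Constructed sample responses (first two mirror the debug output, third is made up).
BASE = "http://localhost:8080/KaseyaCwWebService/ManagedIT.asmx"
SAMPLE = [
    (BASE, 200, "<html><body>ManagedIT.asmx?op=GetDataSet</body></html>"),
    (BASE + "/GetDataSet", 200,
     "<NewDataSet><Error><Message>A network-related or instance-specific error "
     "occurred while establishing a connection to SQL Server.</Message></Error></NewDataSet>"),
    (BASE + "/GetDataSet", 200,
     "<NewDataSet><Table><Column1>rUCDOAwc</Column1></Table>"
     "<Table><Column1>rUCDOAwc</Column1></Table></NewDataSet>"),
]

if __name__ == "__main__":
    for url, name in evaluate(SAMPLE, "rUCDOAwc"):
        print(f"[cve-2017-18362:{name}] {url}")
```

Note that the error envelope from the run above does not reflect the marker, so only the passive check fires on it; a reply that echoes the marker inside a `<NewDataSet>` satisfies the active condition.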

---

## Directory Layout

```
CVE-2017-18362-LAB/
├─ docker-compose.yml
├─ db/
│  ├─ Dockerfile
│  ├─ entrypoint.sh
│  └─ init.sql
└─ webapp/
   ├─ Dockerfile
   └─ src/
      ├─ ManagedIT.asmx
      ├─ ManagedIT.asmx.cs
      ├─ ManagedIT.csproj
      ├─ Program.cs
      └─ Web.config
```

---

## Remediation (Real Software)

1. Parameterize queries (no raw concatenation).
2. Enforce authentication + least privilege.
3. Restrict allowed operations (stored procedures / whitelists).
4. Suppress internal error details to clients.
5. Centralize logging & anomaly detection.

---

## References

- https://nvd.nist.gov/vuln/detail/CVE-2017-18362
- https://github.com/kbni/owlky
- https://docs.connectwise.com/ConnectWise_Documentation/140/Kaseya_-_IP_and_Domain_Restrictions

---

## Credits

Educational lab for security research.