Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-36845 PoC — Junos OS: EX and SRX Series: A PHP vulnerability in J-Web allows an unauthenticated to control an important environment

Source
https://github.com/halencarjunior/CVE-2023-36845
Associated Vulnerability
Title:Junos OS: EX and SRX Series: A PHP vulnerability in J-Web allows an unauthenticated to control an important environment variable (CVE-2023-36845)
Description:A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection und execution of code. This issue affects Juniper Networks Junos OS on EX Series and SRX Series: * All versions prior to 20.4R3-S9; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S7; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; * 22.4 versions prior to 22.4R2-S1, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2.
Readme
# Juniper Scanner
Scanner for CVE-2023-36845 by bt0

More information about the Vulnerability:
https://supportportal.juniper.net/JSA72300

[![License: GPL v3](https://img.shields.io/badge/License-GPL%20v3-blue.svg)](http://www.gnu.org/licenses/gpl-3.0)

## Requirements:
--------------------

- python3+
- shodan
- colorama
- urlopen
- pyOpenSSL
- censys

  * $ python3 -m pip install -r requirements.txt

## Options
--------------

```
-h, --help            show this help message and exit
-H HOST, --host HOST  IP or Hostname of target
-p PORT, --port PORT  Port of target. Default=443
-hl HOSTLIST, --hostlist HOSTLIST
                      Use a hosts list e.g. ./hosts.txt
-s, --shodan          Search for hosts in Shodan (Needs api key)
--censys results [page ...]
                        Search for hosts in Censys (Needs api key). Use --censys <results> <per_page>

--version             show program's version number and exit
```

## For Shodan Search
--------------------

You should buy a shodan subscription to have access to API key
Visit https://account.shodan.io/billing for more information

## For Censys Search
--------------------

Just register to Censys search to acquire an API key
https://censys.io/register

To setup your credentials and execute the script, use environment variables on linux
```
$ export CENSYS_API_ID=<your-api-id>
$ export CENSYS_API_SECRET=<your-api-secret>
```

## Disclaimer
--------------

This is published for educational and informational purposes only, and the developers accept no responsibility for the use of it by users.
Our team will not aid, or endorse any use of this exploit for malicious activity, thus if you ask for help you may be required to provide us with proof that you either own the target service or you have permissions to pentest on it.
File Snapshot

 [4.0K]  /data/pocs/e265031f96384f97d20831b42a7615778d5530b7
├── [ 342]  censysmod.py
├── [5.7K]  juniperscan.py
├── [1.8K]  README.md
└── [  40]  requirements.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →