module

WhatsUp Gold SQL Injection (CVE-2024-6670)

Disclosed	Created
Aug 29, 2024	Sep 27, 2024

Disclosed

Aug 29, 2024

Created

Sep 27, 2024

Description

This module exploits a SQL injection vulnerability in WhatsUp Gold, by changing the password of an existing user (such as of the default admin account)
to an attacker-controlled one.

WhatsUp Gold versions

Authors

Michael Heinzl
Sina Kheirkhah ( Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use auxiliary/admin/http/whatsup_gold_sqli
    msf auxiliary(whatsup_gold_sqli) > show actions
        ...actions...
    msf auxiliary(whatsup_gold_sqli) > set ACTION < action-name >
    msf auxiliary(whatsup_gold_sqli) > show options
        ...show and set options...
    msf auxiliary(whatsup_gold_sqli) > run

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report