alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SugarCRM PHP Shell Upload Attempt (CVE-2023-22952)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.cookie; content:"PHPSESSID|3d|"; startswith; pcre:"/^PHPSESSID\x3d[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}$/"; http.request_body; content:"content|2d|disposition|3a 20|form|2d|data|3b 20|name|3d 22|module|22 0d 0a 0d 0a|emailtemplates|0d 0a|"; nocase; fast_pattern; content:"|0d 0a|content|2d|disposition|3a 20|form|2d|data|3b 20|name|3d 22|action|22 0d 0a 0d 0a|attachfiles|0d 0a|"; nocase; content:"|89 50 4e 47 0d 0a 1a 0a|"; distance:0; content:"<?php"; distance:0; reference:url,packetstormsecurity.com/files/170346/SugarCRM-Shell-Upload.html; reference:url,sugarclub.sugarcrm.com/dev-club/f/questions-answers/6123/exploit-for-sugarcrm-shell-upload; classtype:attempted-user; sid:2043273; rev:3; metadata:affected_product SugarCRM, attack_target Server, created_at 2023_01_11, cve CVE_2025_22952, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)