Conversation

@x-stp x-stp commented Apr 13, 2025

Description:

This template adds detection and exploitation logic for CVE-2024-54761, a critical SQL injection vulnerability in BigAnt Office Messenger 5.6.06. The vulnerability exists in the dev_code parameter of /index.php/Admin/user/index and allows unauthenticated attackers to write files to disk via MySQL's SELECT ... INTO OUTFILE.

Chain Overview

  1. Attempts to write a uniquely named .txt file to verify OUTFILE permissions.
  2. If successful, drops a temporary .phtml shell using CHAR(...) encoding.
  3. Executes system('id') remotely to confirm code execution.
  4. Payload contains unlink(__FILE__) to delete itself after execution.
  5. Verifies cleanup via 404 check on the dropped file.

Why it matters

This is a realistic full RCE chain:

  • No authentication required
  • No user interaction required
  • Ephemeral execution (no persistent footprint)
  • Simulates how a real attacker would establish and clean up access

Metadata

  • CWE-89 (SQL Injection)
  • Severity: Critical
  • Tags: rce, sql-injection, unlink, webroot, ephemeral, noauth, windows
  • Shodan: http.html:"BigAnt Office Messenger"
  • FOFA: body="BigAnt Office"

References
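The chain above is written from the attacker's side; the defender-side counterpart is spotting it in web server access logs. The following is an added example, not part of the PR or the Nuclei template: it parses common-log-format lines, URL-decodes the `dev_code` parameter of `/index.php/Admin/user/index` (both taken from the description above), flags `INTO OUTFILE`/`DUMPFILE`, `CHAR(...)`-encoded payloads and script extensions in the written path, and then correlates a later fetch of a `.phtml`/`.php` file that is served once and then returns 404, which is exactly the self-deleting shell pattern steps 2 to 5 describe. The log lines, IPs and the SQL fragments in them are constructed samples; the regexes and alert names are this example's own choices.

```python
"""Detect INTO OUTFILE injection against the BigAnt dev_code parameter in
access logs and correlate it with the short-lived web-shell pattern
(script file served with 200 once, then 404). Added example, not from the PR."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Path and parameter named in the PR description.
TARGET_PATH = "/index.php/Admin/user/index"
TARGET_PARAM = "dev_code"

# Common log format; the request target is captured raw (still URL-encoded).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
OUTFILE_RE = re.compile(r"\binto\s+(?:out|dump)file\b", re.I)
CHAR_RE = re.compile(r"\bchar\s*\(\s*\d+", re.I)
SCRIPT_EXT_IN_VALUE_RE = re.compile(r"\.(?:phtml|php\d?|phar)\b", re.I)
SCRIPT_PATH_RE = re.compile(r"\.(?:phtml|php\d?|phar)$", re.I)

# Constructed sample log (not real traffic); the injection lines are shaped
# like the chain in the description: OUTFILE probe, CHAR()-built .phtml,
# one successful fetch of the shell, then 404 after unlink(__FILE__).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Apr/2025:10:00:01 +0000] "GET /index.php/Admin/user/index?dev_code=42 HTTP/1.1" 200 512
10.0.0.9 - - [13/Apr/2025:10:00:02 +0000] "GET /index.php/Admin/user/index?dev_code=1%27%20UNION%20SELECT%20%27probe%27%20INTO%20OUTFILE%20%27C%3A%2Fwebroot%2Fcheck.txt%27%23 HTTP/1.1" 500 0
10.0.0.9 - - [13/Apr/2025:10:00:03 +0000] "GET /index.php/Admin/user/index?dev_code=1%27+UNION+SELECT+CHAR(60,63,112,104,112)+INTO+OUTFILE+%27C:/webroot/tmp.phtml%27%23 HTTP/1.1" 500 0
10.0.0.9 - - [13/Apr/2025:10:00:04 +0000] "GET /tmp.phtml HTTP/1.1" 200 64
10.0.0.9 - - [13/Apr/2025:10:00:05 +0000] "GET /tmp.phtml HTTP/1.1" 404 0
"""


def normalize(value: str) -> str:
    """parse_qs already decoded once; decode again to catch double-encoded
    payloads, then collapse whitespace so the regexes see one token per word."""
    return re.sub(r"\s+", " ", unquote_plus(value))


def injection_indicators(target: str) -> list[str]:
    """Sorted indicator names for one request target; [] when not suspicious."""
    parts = urlsplit(target)
    if parts.path.lower() != TARGET_PATH.lower():
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, [])
    found = set()
    for raw in values:
        v = normalize(raw)
        if OUTFILE_RE.search(v):
            found.add("into_outfile")
        if CHAR_RE.search(v):
            found.add("char_encoded_payload")
        if SCRIPT_EXT_IN_VALUE_RE.search(v):
            found.add("script_extension_in_outfile_path")
        if "'" in v or "--" in v or "#" in v:
            found.add("sql_metacharacters")
    return sorted(found)


def scan_log(text: str) -> list[dict]:
    """One alert per OUTFILE injection, plus an 'ephemeral_webshell' alert when
    the same source later fetches a script file that answers 200 then 404."""
    alerts = []
    injectors = set()
    fetched = {}  # (ip, path) -> statuses seen, in order
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m["ip"], m["target"], m["status"]
        ind = injection_indicators(target)
        if "into_outfile" in ind:
            injectors.add(ip)
            alerts.append({"ip": ip, "ts": m["ts"], "kind": "outfile_injection",
                           "indicators": ind})
        path = urlsplit(target).path
        if ip in injectors and SCRIPT_PATH_RE.search(path):
            hist = fetched.setdefault((ip, path), [])
            hist.append(status)
            if hist[-2:] == ["200", "404"]:
                alerts.append({"ip": ip, "ts": m["ts"], "kind": "ephemeral_webshell",
                               "path": path})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Two design points: the injection check is scoped to the vulnerable path and parameter so the `INTO OUTFILE` regex does not fire on unrelated search boxes, and the shell correlation only counts fetches from a source that already injected, which keeps ordinary 404s for `.php` paths (scanner noise) out of the high-severity alert. Because the shell deletes itself, the 200-then-404 sequence is often the only artifact left on the web tier; the OUTFILE write itself may be missing from the application log if the query errored after writing.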

@GeorginaReeder

Thanks for your contribution @x-stp , we appreciate it!

We also have a Discord server, which you’re more than welcome to join. It's a great place to connect with fellow contributors and stay updated with the latest developments!

@x-stp x-stp marked this pull request as draft June 16, 2025 18:34
x-stp commented Jun 16, 2025

as discussed, will have to push some love to this

@x-stp x-stp marked this pull request as ready for review July 16, 2025 07:18
@x-stp x-stp closed this Jul 16, 2025
@x-stp x-stp deleted the x-stp-patch-1 branch July 16, 2025 07:18