id: weaver-checkserver-sqli

info:
  name: Ecology OA CheckServer - SQL Injection
  author: SleepingBag945
  severity: high
  description: |
    Ecology OA system improperly filters incoming data from users, resulting in a SQL injection vulnerability. Remote and unauthenticated attackers can use this vulnerability to conduct SQL injection attacks and steal sensitive database information.
  reference:
    - https://stack.chaitin.com/techblog/detail?id=81
    - https://github.com/lal0ne/vulnerability/blob/main/%E6%B3%9B%E5%BE%AE/E-Cology/CheckServer/README.md
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/weaver-ecology-oa-plugin-checkserver-setting-sqli.yaml
  classification:
    cpe: cpe:2.3:a:weaver:e-cology:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: weaver
    product: e-cology
    fofa-query: app="泛微-协同办公OA"
  tags: weaver,ecology,sqli

http:
  - method: GET
    path:
      - "{{BaseURL}}/mobile/plugin/CheckServer.jsp?type=mobileSetting"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_all(header, 'application/json','ecology_')"
          - contains(body, 'error\":\"system error') && !contains(body, 'securityIntercept')
        condition: and
# digest: 4b0a00483046022100888fc4001dbf8c5e903bc8dd4b05130469dee42aed1ae0bf078abaebfa856cb6022100e4e831cd1c54eb03882eb45a4d6b8d71de43f5cdbed7a16a166cad6881bb22e3:922c64590222798bb761d5b6d8e72950