CVE-2016-3694
published 2017-02-15

Priority: P2 69
Severity: critical, 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 3.73% (88.5th percentile)
Multiple SQL injection vulnerabilities in modified eCommerce Shopsoftware 2.0.0.0 revision 9678, when the easybill-module is not installed, allow remote attackers to execute arbitrary SQL commands via the (1) orders_status or (2) customers_status parameter to api/easybill/easybillcsv.php.

Affected

1 range
Vendor: modified
Product: ecommerce_shopsoftware
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

path: /api/easybill/easybillcsv.php
url: http://127.0.0.1/shop/api/easybill/easybillcsv.php?token=MODULE_EASYBILL_CSV_CRON_TOKEN&orders_status=-111'))or-sleep(5)/*&customers_status=*/%23
url: http://127.0.0.1/shop/api/easybill/easybillcsv.php?token=MODULE_EASYBILL_CSV_CRON_TOKEN&orders_status=-111'))or(Select(case(36)when(ascii(substring(`customers_password`FROM(1)FOR(1))))then-sleep(5)End)from`customers`where`customers_id`=1)/*&customers_status=*/%23
command: token=MODULE_EASYBILL_CSV_CRON_TOKEN
  • Detect unauthenticated GET requests to /api/easybill/easybillcsv.php with the literal token value 'MODULE_EASYBILL_CSV_CRON_TOKEN', which bypasses authentication when the easybill module is not installed.
  • Monitor GET requests to easybillcsv.php for SQL injection payloads in the 'orders_status' or 'customers_status' parameters, in particular time-based blind injection patterns such as 'sleep' or 'case/when/ascii/substring' with whitespace stripped and commas replaced.
  • Flag requests where 'orders_status' contains patterns like '))or-sleep(' or '))or(Select(case(' as indicators of time-based blind SQL injection attempts against this endpoint.
  • The injection technique avoids whitespace and commas; detection rules should look for SQL keywords concatenated without spaces (e.g., 'FROM(1)FOR(1)', 'ascii(substring(') in query parameters as a filter-bypass indicator.
  • The authentication bypass (using the literal string 'MODULE_EASYBILL_CSV_CRON_TOKEN' as the token value) only works when the easybill module is NOT installed. If the module is installed, the constant is defined with its real value and the bypass is ineffective.
  • Union-based SQL injection is not possible because of the ORDER BY clause with explicit table references; exploitation is limited to blind (time-based) injection techniques.

CVSS provenance

NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P