CVE-2017-11444
published 2017-07-19

CVE-2017-11444: Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /front/search.php via the $_GET array.

Priority: P267, critical, 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 13.10% (95.9th percentile)

Affected

1 range

Vendor       Product      Version range  Fixed in
intelliants  subrion_cms  <= 4.1.4

Detection & IOCs (extracted from sources)

path: /front/search.php
url: {{BaseURL}}/search/members/?id`%3D520)%2f**%2funion%2f**%2fselect%2f**%2f1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2Cunhex%28%27{{hex_string}}%27%29%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%23sqli=1
  • The SQL injection payload targets the /search/members/ endpoint using a UNION SELECT via the id parameter with backtick and comment-based obfuscation (%2f**%2f). Detection should look for requests to /search/members/ containing 'union' and 'select' keywords with comment obfuscation in the query string.
  • The exploit uses a 32-column UNION SELECT with unhex() to exfiltrate data in column 12. Monitor HTTP 200 responses from /search/members/ that reflect hex-decoded strings in the response body as a sign of successful exploitation.
  • The injection uses URL-encoded comment syntax (%2f**%2f) to obfuscate SQL keywords (union, select) and a backtick in the id parameter to break out of the query context. WAF/IDS rules should decode and inspect for this pattern.
  • The Nuclei template uses dynamic random values (rand_base, hex_encode) for the injected payload string, meaning the exact hex value in the unhex() call will differ per scan execution. Static signatures must account for the variable nature of the hex-encoded canary string.
  • The vulnerable path referenced in the CVE description (/front/search.php) differs from the exploit path used in the Nuclei template (/search/members/). Both should be monitored as the CMS may route requests differently depending on configuration.
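
The detection notes above, turned into an access-log check as an added example (not code from this page's sources or from Subrion): it decodes the query string, collapses inline comments, and flags requests to either path that combine UNION SELECT with at least one more indicator. The log lines, the indicator names and the two-indicator threshold are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Both paths named on this page: the CVE description's script and the template's route.
WATCHED_PATHS = ("/front/search.php", "/search/members")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
UNHEX_CALL = re.compile(r"\bunhex\s*\(", re.I)

SAMPLE_LOG = [  # constructed lines: addresses, times, sizes and hex values are made up
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /search/members/?q=alice HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search/members/?q=student+union+select+committee HTTP/1.1" 200 4890',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /search/members/?id`%3D1)%2f**%2funion%2f**%2fselect%2f**%2f1%2C2%2Cunhex%28%276162%27%29%23x=1 HTTP/1.1" 200 7342',
    '203.0.113.9 - - [01/Jan/2024:10:01:02 +0000] "GET /front/search.php?id`%3D2)%2f**%2fUNION%2f**%2fSELECT%2f**%2f1%2Cunhex%28%27636465%27%29%23x=1 HTTP/1.1" 404 312',
]

def indicators(target):
    """Return the set of indicators found in one request target."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    if not any(p in path for p in WATCHED_PATHS):
        return set()
    decoded = unquote_plus(parts.query)       # %2f**%2f becomes /**/, + becomes space
    flat = SQL_COMMENT.sub(" ", decoded)      # /**/ becomes a space so keywords line up
    found = set()
    if UNION_SELECT.search(flat):
        found.add("union-select")
    if SQL_COMMENT.search(decoded):
        found.add("comment-obfuscation")
    if "`" in decoded:
        found.add("backtick")
    if UNHEX_CALL.search(flat):               # matches the call, never a fixed hex value
        found.add("unhex")
    return found

def scan(log_lines):
    """Return (path, status, indicators) for UNION SELECT plus one more indicator."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        found = indicators(m.group(1))
        # A lone "union select" also occurs in ordinary search text; require corroboration.
        if "union-select" in found and len(found) >= 2:
            hits.append((m.group(1).split("?")[0], int(m.group(2)), sorted(found)))
    return hits
```

The status code is returned with each hit so that 200 responses can be triaged first, in line with the note on successful exploitation.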

CVSS provenance

nvd  v3.0  9.8  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P