CVE-2017-11444
Published: 2017-07-19
CVE-2017-11444: Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /front/search.php via the $_GET array.
Priority: P267 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 13.10% (95.9th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intelliants | subrion_cms | <= 4.1.4 | — |
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/search/members/?id`%3D520)%2f**%2funion%2f**%2fselect%2f**%2f1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2Cunhex%28%27{{hex_string}}%27%29%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2C30%2C31%2C32%23sqli=1
- The SQL injection payload targets the /search/members/ endpoint using a UNION SELECT via the id parameter with backtick and comment-based obfuscation (%2f**%2f). Detection should look for requests to /search/members/ containing 'union' and 'select' keywords with comment obfuscation in the query string.
- The exploit uses a 32-column UNION SELECT with unhex() to exfiltrate data in column 12. Monitor HTTP 200 responses from /search/members/ that reflect hex-decoded strings in the response body as a sign of successful exploitation.
- The injection uses URL-encoded comment syntax (%2f**%2f) to obfuscate SQL keywords (union, select) and a backtick in the id parameter to break out of the query context. WAF/IDS rules should decode and inspect for this pattern.
- The Nuclei template uses dynamic random values (rand_base, hex_encode) for the injected payload string, meaning the exact hex value in the unhex() call will differ per scan execution. Static signatures must account for the variable nature of the hex-encoded canary string.
- The vulnerable path referenced in the CVE description (/front/search.php) differs from the exploit path used in the Nuclei template (/search/members/). Both should be monitored as the CMS may route requests differently depending on configuration.
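
An added example (not part of the original page or the Nuclei template): one way to implement the decode-then-inspect check described in the notes above, run over access-log lines. The function names, reason labels and log lines are constructed for illustration, and the sample payloads are abbreviated forms of the URL quoted above.

```python
import re
from urllib.parse import unquote_plus

WATCHED_PATHS = ("/search/members", "/front/search.php")  # both paths named on this page
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b")

# Constructed access-log lines (assumed combined log format).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /search/members/?id`%3D520)'
    '%2f**%2funion%2f**%2fselect%2f**%2f1%2C2%2Cunhex%28%27414243%27%29%23sqli=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search/members/?id%2560%253D1)'
    '%252f**%252fUNION%252f**%252fSELECT%252f**%252f1 HTTP/1.1" 200 5090',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /search/members/?q=alice HTTP/1.1" 200 4211',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /blog/?q=union+select HTTP/1.1" 200 900',
]

def decode(query: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (handles double encoding) and lowercase."""
    for _ in range(max_rounds):
        once = unquote_plus(query)
        if once == query:
            break
        query = once
    return query.lower()

def inspect(line: str):
    """Return (path, status, reasons) for a suspicious log line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Split on the raw '?' before decoding so a decoded %23 ('#') stays in the query.
    path, _, query = m.group(1).partition("?")
    if not unquote_plus(path).lower().startswith(WATCHED_PATHS):
        return None
    decoded = decode(query)
    stripped = COMMENT_RE.sub(" ", decoded)  # /**/ acts as whitespace in SQL
    reasons = []
    if UNION_RE.search(stripped):
        reasons.append("union-select")
        if not UNION_RE.search(decoded):
            reasons.append("comment-obfuscation")  # keywords joined only by comments
    if "unhex(" in stripped:
        reasons.append("unhex")
    if "`" in decoded:
        reasons.append("backtick")
    return (path, int(m.group(2)), reasons) if reasons else None
```

The status code is returned with each hit so that 200 responses on the watched paths can be prioritised for response-body review, as the notes above suggest.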
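CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |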
No detection rules found.
Nuclei
Subrion CMS <4.1.5.10 - SQL Injection
nuclei·CVSS 9.8
CVE-2017-11444 [CRITICAL] Subrion CMS <4.1.5.10 - SQL Injection
Template:
```yaml
id: CVE-2017-11444

info:
  name: Subrion CMS <4.1.5.10 - SQL Injection
  author: dwisiswant0
  severity: critical
  description: "Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /front/search.php via the $_GET array."
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
  remediation: |
    Upgrade Subrion CMS to version 4.1.5.10 or later to mitigate this vulnerability.
  reference:
    - https://github.com/intelliants/subrion/issues/479
    - https://mp.weixin.qq.com/s/89mCnjUCvmptLsKaeVlC9Q
    - https://nvd.nis
```
Published: 2017-07-19