CVE-2017-14703
published 2017-09-26
CVE-2017-14703: SQL injection vulnerability in Cash Back Comparison Script 1.0 allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to search/.
Priority P262 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.06% (78.9th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cashbackcomparisonscript | cash_back_comparison | — | — |
Detection & IOCs (extracted from sources)
url: search/EfE'+/*!01116UNIoN*/+/*!01116SeLecT*/+0x31,0x32,0x33,0x34,0x35,0x36,/*!01116concat*/(0x3c74657874617265613e,0x557365726e616d653a,username,0x20,0x506173733a,password,0x3c2f74657874617265613e),0x38/*!50000FrOm*/users--+-.html
- Detect SQL injection attempts against the /search/ PATH_INFO endpoint using MySQL comment-obfuscated UNION SELECT payloads (e.g., /*!01116UNIoN*/, /*!01116SeLecT*/, /*!50000FrOm*/).
- Flag requests to /search/*.html paths containing SQL comment sequences such as /*!01116 or /*!50000 in the PATH_INFO, which are characteristic of this exploit's obfuscation technique.
- Monitor for hex-encoded strings 0x3c74657874617265613e (<textarea>) and 0x3c2f74657874617265613e (</textarea>) in HTTP requests to /search/, as the exploit uses these to exfiltrate credentials wrapped in textarea tags.
- Alert on GET requests to /admin/login.php following anomalous /search/ PATH_INFO requests, as the exploit prints this path as the post-exploitation admin panel target.
- The exploit targets the 'users' table and extracts 'username' and 'password' columns specifically; detection rules should account for these table/column names appearing in URL-encoded or hex-encoded form within PATH_INFO.
- The SQL injection is delivered via PATH_INFO (not query string parameters), so WAF/IDS rules must inspect the URL path segment after /search/, not just GET/POST parameters.
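The detection notes above, combined into one log scanner as an added example (not code from this page or from any indexed rule). It assumes access logs in Apache/nginx combined format; the function names `path_info_indicators` and `scan` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

VERSIONED_COMMENT = re.compile(r"/\*!\d{5}")   # MySQL versioned comment: /*!01116, /*!50000
UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")
TARGET_NAMES = re.compile(r"\b(users|username|password)\b", re.I)
# Assumed log layout: Apache/nginx combined format.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+"')

def path_info_indicators(target):
    """Return indicators found in the path segment after /search/ (empty list = clean)."""
    _, sep, tail = target.split("?", 1)[0].partition("/search/")
    if not sep:
        return []
    tail = unquote(unquote(tail))              # tolerate single or double URL-encoding
    hits = ["mysql-versioned-comment"] if VERSIONED_COMMENT.search(tail) else []
    # Unwrap /*!NNNNN ... */ and '+' so keywords glued to the version digits become visible.
    plain = re.sub(r"/\*!\d{5}|\*/|\+", " ", tail)
    if UNION_SELECT.search(plain):
        hits.append("union-select")
    decoded = "".join(bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(plain))
    if "textarea>" in decoded.lower():
        hits.append("hex-textarea-wrapper")
    if hits and TARGET_NAMES.search(plain + " " + decoded):  # context only: names are common words
        hits.append("users-table-or-columns")
    return hits

def scan(lines):
    """Return (ip, event, indicators) alerts; admin-login counts only after a flagged /search/ hit."""
    flagged, alerts = set(), []
    for m in filter(None, map(LOG_LINE.match, lines)):
        hits = path_info_indicators(m["target"])
        if hits:
            flagged.add(m["ip"])
            alerts.append((m["ip"], "sqli-path-info", hits))
        elif m["ip"] in flagged and m["method"] == "GET" and "/admin/login.php" in m["target"]:
            alerts.append((m["ip"], "admin-login-after-sqli", []))
    return alerts

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2017:10:00:01 +0000] "GET /search/x%27+/*!01116UNIoN*/+/*!01116SeLecT*/+0x31,0x3c74657874617265613e,username,password/*!50000FrOm*/users--+-.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [26/Sep/2017:10:00:09 +0000] "GET /admin/login.php HTTP/1.1" 200 901',
    '198.51.100.7 - - [26/Sep/2017:10:01:00 +0000] "GET /search/union-square-hotels.html HTTP/1.1" 200 733',
    '198.51.100.7 - - [26/Sep/2017:10:01:05 +0000] "GET /admin/login.php HTTP/1.1" 200 901',
    '203.0.113.5 - - [26/Sep/2017:10:02:00 +0000] "GET /search/a%27%2B%2F%2A%2150000UnIoN%2A%2F%2B%2F%2A%2150000sElEcT%2A%2F%2B1.html HTTP/1.1" 200 640',
]
print(*scan(SAMPLE_LOG), sep="\n")
```

The scanner inspects only the path segment after `/search/`, which is where this injection is delivered, and keeps per-client state in memory, so a production rule would bound the correlation window.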
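CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |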
No detection rules found.
No writeups or analysis indexed.