CVE-2017-15965
Published 2017-10-29
CVE-2017-15965: The NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joomla! allows SQL Injection via the id parameter in an invoice.create action.
Priority: P262 | critical | 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 3.40% (87.3th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nswd | ns_download_shop | — | — |
Detection & IOCs (extracted from sources)
- command: `option=com_ns_downloadshop&task=invoice.create&id=(SELECT (CASE WHEN (5078=5078) THEN 5078 ELSE 5078*(SELECT 5078 FROM INFORMATION_SCHEMA.PLUGINS) END))`
- command: `option=com_ns_downloadshop&task=invoice.create&id=(SELECT 2458 FROM(SELECT COUNT(*),CONCAT(0x716b626a71,(SELECT (ELT(2458=2458,1))),0x7178627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)`
- Detect GET requests targeting the Joomla component parameter 'option=com_ns_downloadshop' combined with 'task=invoice.create' and a suspicious 'id' parameter value (e.g., containing SELECT, CASE, FLOOR, RAND, CONCAT, or INFORMATION_SCHEMA references).
- Boolean-based blind SQLi payloads for this CVE use MySQL >= 5.0 CASE/WHEN constructs injected into the 'id' GET parameter of the invoice.create task.
- Error-based SQLi payloads for this CVE use the MySQL FLOOR(RAND(0)*2) GROUP BY error technique injected into the 'id' GET parameter of the invoice.create task.
- The vulnerable component version is 2.2.6; presence of com_ns_downloadshop in HTTP requests should be flagged for inspection, especially when the 'id' parameter contains SQL metacharacters or subquery syntax.
- The exploit PoC uses 'localhost' as the target host; in real-world attacks the host will vary. Detection rules should match on the query-string pattern (option=com_ns_downloadshop&task=invoice.create) regardless of host.
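The detection notes above can be turned into a log check along these lines. This is an added example, not a rule from the indexed sources; the combined access-log format, the `/index.php` path, the `classify`/`scan` names and the sample lines are assumptions, and the second sample reuses the boolean-based payload quoted above in percent-encoded form.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Keywords listed in the detection notes, plus common SQL metacharacters.
SQL_TOKENS = re.compile(
    r"\b(?:select|case|floor|rand|concat|information_schema)\b|[()'\";]|--|/\*",
    re.IGNORECASE,
)
# Request target inside the quoted request line (combined log format assumed).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def classify(line):
    """Return 'alert', 'inspect' or None for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    # parse_qs percent-decodes once; the host is deliberately ignored.
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if "com_ns_downloadshop" not in [v.lower() for v in params.get("option", [])]:
        return None
    if "invoice.create" in [v.lower() for v in params.get("task", [])]:
        for value in params.get("id", []):
            # Decode a second time so double-encoded input is still matched.
            if SQL_TOKENS.search(value) or SQL_TOKENS.search(unquote_plus(value)):
                return "alert"
    return "inspect"  # component seen, nothing suspicious found in id


# Constructed sample data: addresses, path and timestamps are made up.
_QUERIES = [
    "option=com_ns_downloadshop&task=invoice.create&id=42",
    "option=com_ns_downloadshop&task=invoice.create&id=(SELECT%20(CASE%20WHEN%20"
    "(5078=5078)%20THEN%205078%20ELSE%205078*(SELECT%205078%20FROM%20"
    "INFORMATION_SCHEMA.PLUGINS)%20END))",
    "option=com_content&view=article&id=7",
    "option=com_ns_downloadshop&task=invoice.create&id=%2528SELECT%25201%2529",
]
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Nov/2017:10:00:00 +0000] "GET /index.php?{q} HTTP/1.1" 200 512'
    for q in _QUERIES
]


def scan(lines):
    """Classify every line; the result list is parallel to the input."""
    return [classify(line) for line in lines]
```

Running `scan(SAMPLE_LOG)` marks the plain numeric `id` as `inspect`, both injected values as `alert`, and ignores the unrelated component.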
CVSS provenance
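| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |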
References
- http://www.securityfocus.com/bid/101624
- https://packetstormsecurity.com/files/144435/Joomla-NS-Download-Shop-2.2.6-SQL-Injection.html
- https://www.exploit-db.com/exploits/43094/
Published: 2017-10-29