CVE-2017-15965
published 2017-10-29

CVE-2017-15965: The NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joomla! allows SQL Injection via the id parameter in an invoice.create action.

Priority: P262, critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 3.40% (87.3th percentile)

Affected

1 range
Vendor: nswd
Product: ns_download_shop
Version range: -
Fixed in: -

Detection & IOCs (extracted from sources)

url: http://localhost/[PATH]/index.php?option=com_ns_downloadshop&task=invoice.create&id=[SQL]
command: option=com_ns_downloadshop&task=invoice.create&id=(SELECT (CASE WHEN (5078=5078) THEN 5078 ELSE 5078*(SELECT 5078 FROM INFORMATION_SCHEMA.PLUGINS) END))
command: option=com_ns_downloadshop&task=invoice.create&id=(SELECT 2458 FROM(SELECT COUNT(*),CONCAT(0x716b626a71,(SELECT (ELT(2458=2458,1))),0x7178627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
  • Detect GET requests targeting the Joomla component parameter 'option=com_ns_downloadshop' combined with 'task=invoice.create' and a suspicious 'id' parameter value (e.g., containing SELECT, CASE, FLOOR, RAND, CONCAT, or INFORMATION_SCHEMA references).
  • Boolean-based blind SQLi payloads for this CVE use MySQL >= 5.0 CASE/WHEN constructs injected into the 'id' GET parameter of the invoice.create task.
  • Error-based SQLi payloads for this CVE use MySQL FLOOR(RAND(0)*2) GROUP BY error technique injected into the 'id' GET parameter of the invoice.create task.
  • The vulnerable component version is 2.2.6; presence of com_ns_downloadshop in HTTP requests should be flagged for inspection, especially when the 'id' parameter contains SQL metacharacters or subquery syntax.
  • The exploit PoC uses 'localhost' as the target host; in real-world attacks the host will vary. Detection rules should match on the query-string pattern (option=com_ns_downloadshop&task=invoice.create) regardless of host.
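
The detection notes above, turned into a log-triage sketch. This is an added example, not code from the advisory or the component; the combined access-log format, the verdict names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Request line of a combined-format access log entry (log format is an assumption).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Keywords named in the detection notes, plus SQL metacharacters / subquery syntax.
SQL_TOKENS = re.compile(
    r"""\b(?:select|case|floor|rand|concat|information_schema)\b|[()'";]|--|/\*""",
    re.IGNORECASE)

def classify(line):
    """Return 'sqli', 'inspect' or None for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    # parse_qs percent-decodes once; lowercase keys so case and order do not matter.
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    params = {k.lower(): [v.lower() for v in vs] for k, vs in query.items()}
    if "com_ns_downloadshop" not in params.get("option", []):
        return None  # host is ignored on purpose: only the query string is matched
    if "invoice.create" in params.get("task", []):
        for raw in params.get("id", []):
            # Second decode catches double-encoded values.
            if SQL_TOKENS.search(raw) or SQL_TOKENS.search(unquote_plus(raw)):
                return "sqli"
    return "inspect"  # component seen, nothing SQL-like in id

def scan(lines):
    """Return (line_number, verdict) for every line that needs attention."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits

def make_line(target):  # constructed sample entry, documentation IP range
    return f'203.0.113.7 - - [29/Oct/2017:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'

BASE = "/index.php?option=com_ns_downloadshop&task=invoice.create&id="
SAMPLE_LOG = [  # constructed lines, not captured traffic
    make_line("/index.php?option=com_content&view=article&id=7"),
    make_line(BASE + "42"),
    make_line(BASE + "(SELECT%20(CASE%20WHEN%20(1=1)%20THEN%201%20ELSE%200%20END))"),
    make_line("/index.php?ID=%2528select%2520floor%2528rand%25280%2529*2%2529%2529"
              "&task=invoice.create&option=COM_NS_DOWNLOADSHOP"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The last sample line only matches after the second decode, with reordered and upper-cased parameters, which is the case a literal string match on the query pattern misses.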

CVSS provenance

nvd, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P