CVE-2017-7997
Published 2018-01-08
Priority: P2 · 74
Severity: critical, 9.8 (CVSS 3.0, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Public exploit: available
EPSS: 19.34% (97.0th percentile; EPSS estimates the probability of exploitation in the wild within the next 30 days)
Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow remote attackers to execute arbitrary SQL commands via the (1) show_prn parameter to webapp/users/prnow.jsp or show_month parameter to (2) webapp/users/blhistory.jsp or (3) webapp/users/prhistory.jsp.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gespage | gespage | < 7.4.9 | 7.4.9 |
Detection & IOCs (extracted from the referenced sources)
Payload (from the public PoC): show_prn=A-PRINTER-ON-THE-WEB-LIST');UPDATE param_gespage SET param_value='8cb2237d0679ca88db6464eac60da96345513964' WHERE param_id='admin_pwd'--
The value closes the string literal and the enclosing parenthesis of the original query, appends a second statement as a PostgreSQL stacked query, and comments out the remainder. The hash written to admin_pwd is the SHA-1 digest of the string 12345, so the PoC evidently resets the Gespage administrator password to 12345.
Detection ideas:
- Detect time-based blind SQLi attempts against Gespage by monitoring POST requests to prnow.jsp, blhistory.jsp or prhistory.jsp whose show_prn or show_month parameters carry sleep or stacked-query payloads (e.g. PG_SLEEP or ');).
- Alert on POST requests to /gespage/webapp/users/prnow.jsp with show_prn values containing stacked-query comment sequences such as ');...-- or UPDATE/SELECT statements.
- Detect sqlmap usage against Gespage endpoints by monitoring for requests to /gespage/users/prnow.jsp with --data containing 'A-PRINTER-ON-THE-WEB-LIST' and PostgreSQL-specific technique flags.
- Flag a JSESSIONID that first posts such a value to a Gespage JSP page and then requests /admin/; that sequence is what an admin password reset via this injection looks like.
Caveats:
- Exploitation requires an authenticated session (a valid JSESSIONID cookie of an existing user); unauthenticated exploitation is not demonstrated in the PoC. NVD nevertheless scores the vector PR:N, so treat the 9.8 as an upper bound and verify whether these endpoints are reachable without login in your deployment.
- The backend database is PostgreSQL; the payloads use PostgreSQL-specific syntax (PG_SLEEP, stacked queries). Detection rules should key on PostgreSQL patterns rather than generic MySQL-style ones (SLEEP(), # comments), and must match on the decoded parameter value, since the payload travels percent-encoded.
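As an added example (not code from the advisory, the PoC or Gespage), the following Python sketch applies the detection ideas above to constructed request records: it decodes the injectable parameters once, the way the servlet would, matches the PostgreSQL stacked-query and PG_SLEEP indicators, and correlates a session that injected with a later /admin/ request. The record layout, the /gespage context root, the function names and the sample traffic are assumptions; in a real deployment the POST body has to come from a WAF or reverse-proxy log, since a standard access log does not record it.

```python
"""Toy detector for CVE-2017-7997 style requests against Gespage.

Added example, not part of the advisory, the PoC or Gespage itself.
All traffic below is constructed; the record layout is our own assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> injectable parameter, from the NVD description. Paths are assumed
# to sit under the /gespage context root, as in the detection notes above.
TARGET_PARAMS = {
    "/gespage/webapp/users/prnow.jsp": "show_prn",
    "/gespage/webapp/users/blhistory.jsp": "show_month",
    "/gespage/webapp/users/prhistory.jsp": "show_month",
}

# Indicators, strongest first. The backend is PostgreSQL, so a stacked
# statement after a closed literal and PG_SLEEP are the signatures to key on;
# a bare comment marker alone is weak and only reported alongside the others.
INDICATORS = [
    ("stacked_query", re.compile(r"'\)?\s*;\s*(update|insert|delete|select|drop|alter)\b", re.I)),
    ("pg_sleep", re.compile(r"pg_sleep\s*\(", re.I)),
    ("admin_pwd_write", re.compile(r"param_gespage.*admin_pwd", re.I | re.S)),
    ("sql_comment", re.compile(r"--|/\*")),
]


def _params(path_with_query, body):
    """Merge query-string and form-body parameters. parse_qs performs one
    layer of percent/plus decoding, which is exactly what the servlet sees."""
    url = urlsplit(path_with_query)
    merged = parse_qs(url.query, keep_blank_values=True)
    for key, values in parse_qs(body or "", keep_blank_values=True).items():
        merged.setdefault(key, []).extend(values)
    return url.path, merged


def analyze_request(path_with_query, body=""):
    """Return the names of the indicators that fired for this request.
    An empty list means the request does not match this CVE's pattern."""
    path, params = _params(path_with_query, body)
    param = TARGET_PARAMS.get(path)
    if param is None:
        return []
    hits = []
    for value in params.get(param, []):
        for name, rx in INDICATORS:
            if rx.search(value) and name not in hits:
                hits.append(name)
    return hits


def sessions_with_admin_followup(events):
    """events: iterable of (jsessionid, path_with_query, body) in time order.
    Returns the session ids that sent an injection and afterwards touched
    /admin/, the sequence an attacker resetting the admin password produces."""
    tainted, escalated = set(), []
    for sid, path, body in events:
        if analyze_request(path, body):
            tainted.add(sid)
        elif sid in tainted and "/admin/" in urlsplit(path).path and sid not in escalated:
            escalated.append(sid)
    return escalated


# Constructed sample traffic, percent-encoded as it would appear on the wire.
PAYLOAD = ("show_prn=A-PRINTER-ON-THE-WEB-LIST%27%29%3BUPDATE+param_gespage+SET+"
           "param_value%3D%278cb2237d0679ca88db6464eac60da96345513964%27+"
           "WHERE+param_id%3D%27admin_pwd%27--")
SAMPLE_EVENTS = [
    ("S1", "/gespage/webapp/users/prnow.jsp", "show_prn=HP-LaserJet-2F"),
    ("S2", "/gespage/webapp/users/prnow.jsp", PAYLOAD),
    ("S2", "/gespage/admin/index.jsp", ""),
    ("S3", "/gespage/webapp/users/blhistory.jsp",
     "show_month=2017-12%27%3BSELECT+PG_SLEEP%285%29--"),
    ("S4", "/gespage/webapp/users/prhistory.jsp?show_month=2017-12", ""),
]

if __name__ == "__main__":
    for sid, path, body in SAMPLE_EVENTS:
        print(sid, path, analyze_request(path, body))
    print("admin follow-up:", sessions_with_admin_followup(SAMPLE_EVENTS))
```

Session S2 is the one that matters: it fires the stacked-query and admin_pwd indicators on prnow.jsp and then requests /gespage/admin/, which is the password-reset sequence the notes above describe. A benign printer name with hyphens (S1) and a plain month selector (S4) produce no hits, because the regexes require a closed literal followed by a second statement rather than any dash or quote.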
CVSS provenance
NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
- http://seclists.org/fulldisclosure/2018/Jan/14
- https://sysdream.com/news/lab/2018-01-02-cve-2017-7997-gespage-sql-injection-vulnerability/
- https://www.exploit-db.com/exploits/43447/