CVE-2017-7997
published 2018-01-08


Priority: P274 · Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see the indicators below)
EPSS: 19.34% (97.0th percentile)
Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow remote attackers to execute arbitrary SQL commands via the (1) show_prn parameter to webapp/users/prnow.jsp or show_month parameter to (2) webapp/users/blhistory.jsp or (3) webapp/users/prhistory.jsp.

Affected

1 range

Vendor    Product    Version range    Fixed in
gespage   gespage    < 7.4.9          7.4.9

Detection & IOCs (extracted from sources)

path: /ges/webapp/users/prnow.jsp
path: /ges/webapp/users/blhistory.jsp
path: /ges/webapp/users/prhistory.jsp
command: show_prn=1');SELECT PG_SLEEP(3)--
command: show_prn=1');SELECT PG_SLEEP(6)--
command: show_prn=A-PRINTER-ON-THE-WEB-LIST');UPDATE param_gespage SET param_value='8cb2237d0679ca88db6464eac60da96345513964' WHERE param_id='admin_pwd'--
port: 7181
port: 7180
  • Detect time-based blind SQL injection against Gespage by inspecting POST requests to prnow.jsp, blhistory.jsp or prhistory.jsp whose show_prn or show_month parameter carries a PostgreSQL sleep or stacked-query payload: PG_SLEEP(...), or a ') break-out followed by ; and a second statement. Match on the URL-decoded value, since the PoC payloads arrive form-encoded.
  • Alert on POST requests to /gespage/webapp/users/prnow.jsp whose show_prn value contains a stacked-query sequence of the form ');<statement>--, in particular with UPDATE or SELECT as the stacked statement.
  • Detect sqlmap-driven exploitation by matching request bodies sent to the prnow.jsp endpoint that contain the placeholder value 'A-PRINTER-ON-THE-WEB-LIST' (the injection-point value used in the PoC's sqlmap command) together with PostgreSQL-specific payloads. The sqlmap command-line options themselves (--data, technique selection) are not visible on the wire; only the resulting request bodies are.
  • Correlate by JSESSIONID: a user session that posts an UPDATE payload to a Gespage JSP page and shortly afterwards requests /admin/ indicates an admin password reset via SQL injection. The 40-hex value in the captured UPDATE payload is the unsalted SHA-1 of '12345', so the PoC sets the admin password to a known value; treat any admin login that follows such a request as attacker activity.
  • Exploitation in the PoC requires an authenticated session (a valid JSESSIONID cookie of an existing user); unauthenticated exploitation is not demonstrated. The NVD v3.0 vector nonetheless scores PR:N, so treat 9.8 as an upper bound for your environment.
  • The backend database is PostgreSQL; the payloads use PostgreSQL-specific syntax (PG_SLEEP, stacked queries separated by ;). Detection rules should match PostgreSQL patterns rather than only generic MySQL-style SLEEP()/BENCHMARK() signatures.
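The detection bullets above, run over constructed traffic. This is an added example, not code from the original page, the PoC, or Gespage: it applies the published indicators (the three JSP endpoints, PG_SLEEP and stacked-query payloads in show_prn or show_month, the sqlmap placeholder value, and the inject-then-/admin/ sequence) to request records. The Request layout, the sample traffic and the /gespage/webapp/admin/ path are assumptions; map them from whatever your reverse proxy or WAF actually logs.

```python
"""Detection logic for the CVE-2017-7997 indicators listed above.

Added example, not code from the original page, the PoC, or Gespage.
The Request record layout and the admin path are assumptions.
"""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

VULN_PAGES = ("prnow.jsp", "blhistory.jsp", "prhistory.jsp")
VULN_PARAMS = ("show_prn", "show_month")
SQLMAP_MARKER = "A-PRINTER-ON-THE-WEB-LIST"   # placeholder value used in the PoC

# PostgreSQL-specific shapes from the PoC: time delay, ') break-out followed
# by a stacked statement, and the trailing -- comment that discards the rest.
PG_SLEEP_RE = re.compile(r"pg_sleep\s*\(", re.I)
STACKED_RE = re.compile(r"'\s*\)\s*;", re.I)
DML_RE = re.compile(r"\b(select|update|insert|delete|drop)\b", re.I)
ADMIN_PWD_RE = re.compile(
    r"param_value\s*=\s*'([0-9a-f]{40})'\s*where\s*param_id\s*=\s*'admin_pwd'", re.I)


@dataclass
class Request:
    ts: int        # seconds; used for ordering and the correlation window
    method: str
    path: str
    body: str      # raw application/x-www-form-urlencoded body ("" for GET)
    session: str   # JSESSIONID value, "" if absent


def classify_payload(value):
    """Reasons a URL-decoded parameter value matches the CVE-2017-7997 payload shapes."""
    reasons = []
    if PG_SLEEP_RE.search(value):
        reasons.append("pg_sleep")
    if STACKED_RE.search(value) and (DML_RE.search(value) or "--" in value):
        reasons.append("stacked-query")
    if SQLMAP_MARKER in value:
        reasons.append("sqlmap-marker")
    return reasons


def inspect_request(req):
    """Per-request hits as 'param:reason'; empty list for anything that does not match."""
    if req.method.upper() != "POST" or not req.path.endswith(VULN_PAGES):
        return []
    params = parse_qs(req.body, keep_blank_values=True)  # URL-decodes once
    return [f"{name}:{reason}"
            for name in VULN_PARAMS
            for value in params.get(name, [])
            for reason in classify_payload(value)]


def correlate(requests, window=300):
    """Sessions that sent an injection payload and then touched /admin/ within `window` seconds."""
    first_injection = {}
    flagged = set()
    for req in sorted(requests, key=lambda r: r.ts):
        if req.session and inspect_request(req):
            first_injection.setdefault(req.session, req.ts)
        if ("/admin/" in req.path and req.session in first_injection
                and req.ts - first_injection[req.session] <= window):
            flagged.add(req.session)
    return sorted(flagged)


def recover_set_password(req, wordlist):
    """If the payload rewrites admin_pwd to a 40-hex value, try it as unsalted SHA-1 of each word."""
    for value in parse_qs(req.body, keep_blank_values=True).get("show_prn", []):
        m = ADMIN_PWD_RE.search(value)
        if m:
            for word in wordlist:
                if hashlib.sha1(word.encode()).hexdigest() == m.group(1):
                    return word
    return None


# Constructed sample traffic (not captured data): one benign user session and
# one that replays the PoC steps, then visits the (assumed) admin area.
SAMPLE = [
    Request(0, "GET", "/gespage/webapp/users/prnow.jsp", "", "SESS-A"),
    Request(10, "POST", "/gespage/webapp/users/prnow.jsp", "show_prn=HP-LaserJet-3", "SESS-A"),
    Request(20, "POST", "/gespage/webapp/users/prnow.jsp",
            "show_prn=1%27%29%3BSELECT+PG_SLEEP%283%29--", "SESS-B"),
    Request(25, "POST", "/gespage/webapp/users/blhistory.jsp",
            "show_month=1%27%29%3BSELECT+PG_SLEEP%286%29--", "SESS-B"),
    Request(40, "POST", "/gespage/webapp/users/prnow.jsp",
            "show_prn=A-PRINTER-ON-THE-WEB-LIST%27%29%3BUPDATE+param_gespage+SET+"
            "param_value%3D%278cb2237d0679ca88db6464eac60da96345513964%27+"
            "WHERE+param_id%3D%27admin_pwd%27--", "SESS-B"),
    Request(70, "GET", "/gespage/webapp/admin/", "", "SESS-B"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.ts, r.path, inspect_request(r))
    print("inject-then-admin sessions:", correlate(SAMPLE))
    print("password set by PoC payload:",
          recover_set_password(SAMPLE[4], ["admin", "password", "12345"]))
```

Matching is done on the decoded form body rather than on the URL, because the PoC sends the payload as POST data and a plain access log will not show it; feed the function from a proxy or WAF that records bodies. The session correlation deliberately keys on JSESSIONID and not on source IP, since the PoC requires an authenticated user and a shared NAT would otherwise merge unrelated users.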

CVSS provenance

NVD, v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)