CVE-2019-13292
Published 2019-07-04
Priority: P2 · 64
Severity: critical, 9.8 (CVSS 3.0), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 6.51% (92.9th percentile)
A SQL Injection issue was discovered in webERP 4.15. Payments.php accepts payment data in base64 format. After this is decoded, it is deserialized. Then, this deserialized data goes directly into a SQL query, with no sanitizing checks.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| weberp | weberp | — | — |
Detection & IOCs (extracted from sources)
- bytes: `YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30=`
- Detect time-based blind SQLi exploitation by monitoring POST requests to Payments.php where the PaidArray parameter contains base64-encoded, serialized PHP data; a server response time exceeding 4–5 seconds is a strong indicator of exploitation.
- Alert on POST requests to /Payments.php with a query string containing the 'identifier' and 'SupplierID' parameters simultaneously, as this matches the exploit's attack URL pattern.
- Monitor for the known-malicious base64 payload 'YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30=' appearing in any HTTP request body or parameter targeting a WebERP instance.
- Detect reconnaissance/pre-exploitation steps: sequential GET requests to /index.php, /Suppliers.php, and /Payments.php from the same source IP within a short time window, followed by a POST to /Suppliers.php creating a new supplier, then a POST to /Payments.php.
- The exploit requires valid WebERP credentials to authenticate before injecting; unauthenticated exploitation is not demonstrated. Detection rules should account for authenticated sessions (PHPSESSIDwebERPteam cookie present).
- The generatePayload function requires a local PHP binary to produce the serialized+base64 payload; if PHP is unavailable, the attacker uses the hardcoded base64 string instead. Both delivery vectors must be covered in detection.
- The SQL injection is blind and time-based; there is no direct data exfiltration in the PoC response, making network-layer content inspection insufficient alone. Response-time anomaly detection is required.
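Added example, not from the page's sources or from the webERP project: the request-level indicators above combined into one check over constructed log records. The `Request` field names, the 4-second threshold, and the sample traffic are assumptions; the only page value used is the base64 string listed under Detection & IOCs.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Legitimate Payments.php posts also carry base64-encoded serialized PHP in
# PaidArray (the advisory says that is the normal input format), so the format
# alone is not an indicator; look for SQL tokens inside the deserialized data,
# slow responses and the identifier+SupplierID URL pattern instead.
PHP_SERIALIZED = re.compile(r'^(?:[aO]:\d+:\{|s:\d+:"|i:-?\d+;|d:[-\d.]+;|b:[01];)')
SQL_TOKENS = re.compile(r"(?i)\b(?:sleep|benchmark|union|select|where)\b|--|/\*")
SLOW_RESPONSE_S = 4.0  # assumed threshold, taken from the 4-5 s guidance above

@dataclass
class Request:  # assumed shape of one parsed access-log / proxy record
    method: str
    path: str
    query: dict
    form: dict
    duration_s: float

def decode_paid_array(value):
    """Return the decoded PaidArray text, or None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None

def findings_for(req):
    """Return the CVE-2019-13292 indicators present in one request."""
    findings = []
    if req.method != "POST" or not req.path.lower().endswith("/payments.php"):
        return findings
    decoded = decode_paid_array(req.form.get("PaidArray", ""))
    if decoded and PHP_SERIALIZED.match(decoded) and SQL_TOKENS.search(decoded):
        findings.append("sql-tokens-in-paidarray")
    if req.duration_s >= SLOW_RESPONSE_S:
        findings.append("slow-response")
    if "identifier" in req.query and "SupplierID" in req.query:
        findings.append("identifier-supplierid-url")
    return findings

# Constructed sample traffic: a benign payment post and one carrying the
# base64 string listed under Detection & IOCs on this page.
PAGE_PAYLOAD = "YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30="
BENIGN = Request("POST", "/webERP/Payments.php", {},
                 {"PaidArray": base64.b64encode(b'a:1:{i:0;s:6:"123.45";}').decode()}, 0.2)
SUSPECT = Request("POST", "/webERP/Payments.php", {"identifier": "1", "SupplierID": "1"},
                  {"PaidArray": PAGE_PAYLOAD}, 5.1)
```

Running `findings_for` over a stream of parsed requests gives an empty list for ordinary payments and a non-empty list naming which of the page's indicators fired.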
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.