cbcvebase.
CVE-2019-13292
published 2019-07-04


Priority: P2 · 64 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tag: EXPLOIT
EPSS: 6.51% (92.9th percentile)
A SQL Injection issue was discovered in webERP 4.15. Payments.php accepts payment data in base64 format. After this is decoded, it is deserialized. Then, this deserialized data goes directly into a SQL query, with no sanitizing checks.

Affected (1 range)

Vendor | Product | Version range | Fixed in
weberp | weberp  |               |

Detection & IOCs (extracted from sources)

url: http://<target>/Payments.php
cookie: PHPSESSIDwebERPteam
command: ' or sleep(5) and '1'='1
command: 0 where sleep(1)=1;-- -
path: /Payments.php
other: PaidArray (POST parameter)
other: GARUMPAGE (injected SupplierID)
bytes: YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30=
  • Detect time-based blind SQLi exploitation by monitoring POST requests to Payments.php where the PaidArray parameter contains base64-encoded, serialized PHP data; a server response time exceeding 4–5 seconds is a strong indicator of exploitation.
  • Alert on POST requests to /Payments.php with a query string containing the 'identifier' and 'SupplierID' parameters simultaneously, as this matches the exploit's attack URL pattern.
  • Monitor for the known-malicious base64 payload 'YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30=' appearing in any HTTP request body or parameter targeting a WebERP instance.
  • Detect reconnaissance/pre-exploitation steps: sequential GET requests to /index.php, /Suppliers.php, and /Payments.php from the same source IP within a short time window, followed by a POST to /Suppliers.php creating a new supplier, then a POST to /Payments.php.
  • The exploit requires valid WebERP credentials to authenticate before injecting; unauthenticated exploitation is not demonstrated. Detection rules should account for authenticated sessions (PHPSESSIDwebERPteam cookie present).
  • The generatePayload function requires a local PHP binary to produce the serialized+base64 payload; if PHP is unavailable, the attacker uses the hardcoded base64 string instead. Both delivery vectors must be covered in detection.
  • The SQL injection is blind and time-based; there is no direct data exfiltration in the PoC response, making network-layer content inspection insufficient alone — response-time anomaly detection is required.
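As an added, defender-side example (not part of this record and not webERP code), a Python check that applies the first three detection rules above to constructed request records: it decodes the PaidArray POST parameter, confirms it is PHP-serialized data, looks for SQL tokens inside it, flags the identifier+SupplierID query pattern, and flags slow responses. The record layout and field names (method, path, query, body, rt) are assumptions.

```python
import base64
import binascii
import re
import urllib.parse

# Constructed sample of access records for a webERP instance (assumed layout;
# "rt" is the response time in seconds). Not real traffic.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/Payments.php", "query": "identifier=1&SupplierID=GARUMPAGE",
     "body": "PaidArray=YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30%3D", "rt": 5.2},
    {"method": "POST", "path": "/Payments.php", "query": "identifier=2",
     "body": "PaidArray=" + base64.b64encode(b'a:1:{i:0;s:5:"12.50";}').decode(), "rt": 0.3},
    {"method": "GET", "path": "/Suppliers.php", "query": "", "body": "", "rt": 0.1},
]

PHP_SERIALIZED = re.compile(rb"^[aOs]:\d+[:;{]")          # a:1:{ ... / s:23:" ... / O:4:"
SQLI_TOKENS = re.compile(r"\b(sleep|benchmark)\s*\(|\bwhere\b|--|'", re.I)
SLOW_RESPONSE_SECONDS = 4.0                                # rule 1: 4-5 s response is suspicious


def decode_paidarray(body):
    """Return the base64-decoded PaidArray value, or None if absent or not valid base64."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == "PaidArray":
            try:
                return base64.b64decode(urllib.parse.unquote(value), validate=True)
            except (binascii.Error, ValueError):
                return None
    return None


def classify(req):
    """Return the list of detection reasons for one request record (empty = nothing flagged)."""
    reasons = []
    if req["method"] != "POST" or req["path"] != "/Payments.php":
        return reasons
    params = urllib.parse.parse_qs(req["query"])
    if "identifier" in params and "SupplierID" in params:          # rule 2: attack URL pattern
        reasons.append("identifier+SupplierID in query string")
    decoded = decode_paidarray(req["body"])
    if decoded is not None and PHP_SERIALIZED.match(decoded):     # rule 1: serialized PHP in PaidArray
        if SQLI_TOKENS.search(decoded.decode("latin-1")):
            reasons.append("SQL tokens in serialized PaidArray")
        if req["rt"] > SLOW_RESPONSE_SECONDS:
            reasons.append(f"slow response {req['rt']:.1f}s")
    return reasons


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, req["method"], req["path"], classify(req) or "ok")
```

The known payload from the IOC list decodes to the `0 where sleep(1)=1;-- -` command listed above, which is why a decode-then-inspect step catches it even when the raw request body looks opaque.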

CVSS provenance

NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)