CVE-2021-37593
Published: 2021-07-30
Priority: P2 (67) · Severity: critical · CVSS 3.1 base score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Exploit: public proof of concept available (see references)
EPSS: 5.16% (91.4th percentile)
PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands. Upon a successful SQL injection attack, an attacker can read sensitive data from the database and possibly modify database data.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| peel | peel_shopping | 9.4.0 and earlier (versions prior to 9.4.0.1) | 9.4.0.1 |
Detection & IOCs (extracted from sources)
Command / payload: `SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX`. The payload is a time-based blind probe: if the table peel.peel_produits exists the inner IF evaluates to 0 and the query sleeps for 10 seconds, otherwise it sleeps for 5 seconds, so the response time alone leaks the answer; FSXX is only the alias MySQL requires for the derived table.
- Monitor GET requests to produit_details.php where the 'id' parameter contains SQL time-based blind injection patterns, specifically SLEEP() calls wrapped in SELECT subqueries (e.g. SELECT+1337+FROM+(SELECT(SLEEP(...)))).
- Alert on anomalous HTTP response times (7+ seconds) from produit_details.php, which indicate a successful time-based blind SQL injection causing deliberate SLEEP delays.
- Look for hex-encoded strings in the 'id' parameter of produit_details.php, such as 0x257065656c25 (hex for '%peel%') or 0x254d61726961444225 (hex for '%MariaDB%'), used to fingerprint the database via blind SQLi.
- Flag unauthenticated requests (no session or auth cookie) to produit_details.php with parenthesised SELECT payloads in the id parameter; the exploit works as a public guest user.
- Caveat: the PoC payloads assume the default PEEL Shopping database name 'peel' and the default table name 'peel_produits'. Installations with non-default database or table names require adjusted payloads, but the vulnerable endpoint and parameter remain the same.
- Caveat: the vulnerability affects PEEL Shopping versions prior to 9.4.0.1. Version 9.4.0 is listed as vulnerable in NVD; the fix was released in 9.4.0.1.
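The detection rules above, as an added example in Python that is not part of the advisory, the public PoC, or PEEL Shopping itself: it runs over a constructed access log (the five-field line format of client, method, URI, status and response time in seconds is an assumption, as are the sample requests), flags SLEEP() calls wrapped in a parenthesised SELECT in the id parameter of produit_details.php, decodes MySQL-style 0x... hex literals so the analyst sees the fingerprint string being probed, and marks responses slower than the advisory's 7-second threshold.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample log (assumption: "<ip> <method> <uri> <status> <seconds>"
# per line). Lines 2 and 3 imitate the PoC's time-based blind probes; the
# hex literal 0x257065656c25 is '%peel%' as quoted in the advisory.
SAMPLE_LOG = """\
203.0.113.7 GET /produit_details.php?id=42 200 0.08
203.0.113.7 GET /produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) 200 10.04
203.0.113.7 GET /produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF((SELECT+database())+LIKE+0x257065656c25,0,5)))))FSXX) 200 5.02
198.51.100.3 GET /index.php 200 0.05
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) (?P<rt>[\d.]+)$')
# SLEEP() directly inside a parenthesised SELECT, the shape of the PoC payload.
SLEEP_SUBQUERY_RE = re.compile(r'\(\s*SELECT\s*\(\s*SLEEP\s*\(', re.IGNORECASE)
# MySQL/MariaDB hex literal: 0x followed by an even number of hex digits (>= 2 bytes).
HEX_LITERAL_RE = re.compile(r'0x((?:[0-9a-fA-F]{2}){2,})')
VULNERABLE_PATH = '/produit_details.php'
SLOW_RESPONSE_SECONDS = 7.0  # advisory's threshold for SLEEP-induced delays


def decode_hex_literals(text):
    """Return every 0x... literal in text decoded to a string (latin-1 never fails)."""
    return [bytes.fromhex(m.group(1)).decode('latin-1') for m in HEX_LITERAL_RE.finditer(text)]


def analyze_line(line):
    """Return a list of finding labels for one log line; empty list means benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    parsed = urlparse(m.group('uri'))
    if parsed.path != VULNERABLE_PATH:
        return []
    findings = []
    # parse_qs turns '+' into spaces, so the payload reads as the SQL the server saw.
    for value in parse_qs(parsed.query, keep_blank_values=True).get('id', []):
        if SLEEP_SUBQUERY_RE.search(value):
            findings.append('sleep_subquery')
        elif value.lstrip().startswith('(') and 'select' in value.lower():
            findings.append('parenthesised_select')
        for decoded in decode_hex_literals(value):
            findings.append('hex_literal:' + decoded)
    if float(m.group('rt')) >= SLOW_RESPONSE_SECONDS:
        findings.append('slow_response')
    return findings


def analyze_log(text):
    """Return (line, findings) pairs for every line that produced at least one finding."""
    hits = []
    for line in text.splitlines():
        findings = analyze_line(line)
        if findings:
            hits.append((line, findings))
    return hits


if __name__ == '__main__':
    for line, findings in analyze_log(SAMPLE_LOG):
        print(', '.join(findings), '<-', line)
```

The SLEEP pattern is the strongest signal and fires regardless of the probe's outcome; the slow-response check corroborates it only when the database actually slept, so the 5-second probe in the sample is caught by the payload shape and not by timing. Decoding the hex literal tells the responder what the attacker was fingerprinting ('%peel%' here) before any rows were read.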
CVSS provenance
- NVD, CVSS v3.1: 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
- NVD, CVSS v2.0: 6.4 MEDIUM (AV:N/AC:L/Au:N/C:P/I:P/A:N)
No detection rules found.
No writeups or analysis indexed.
References
- http://www.netbytesec.com/advisories/UnauthenticatedBlindSQLInjectionVulnerabilityInPEELShopping/
- https://github.com/advisto/peel-shopping/issues/3
- https://github.com/faisalfs10x/CVE-IDs/blob/main/2021/CVE-2021-37593/Proof_of_Concept.md