CVE-2021-37593
published 2021-07-30


Priority: P2 (67, critical)
CVSS 3.1: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Exploit: available
EPSS: 5.16% (91.4th percentile)
PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands. Upon a successful SQL injection attack, an attacker can read sensitive data from the database and possibly modify database data.

Affected (1 range)

Vendor: peel
Product: peel_shopping
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

Path: /peel-shopping_9_4_0/achat/produit_details.php
Command: (SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)
Command: (SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)
Command: (SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)
  • Monitor GET requests to produit_details.php where the 'id' parameter contains SQL time-based blind injection patterns, specifically SLEEP() calls wrapped in SELECT subqueries (e.g., SELECT+1337+FROM+(SELECT(SLEEP(...)))).
  • Alert on anomalous HTTP response times (7+ seconds) from produit_details.php, which is indicative of successful time-based blind SQL injection causing deliberate SLEEP delays.
  • Look for hex-encoded strings in the 'id' parameter of produit_details.php, such as 0x257065656c25 (hex for '%peel%') or 0x254d61726961444225 (hex for '%MariaDB%'), used to fingerprint the database via blind SQLi.
  • Unauthenticated (no session/auth cookie required) requests to produit_details.php with parenthesized SELECT payloads in the id parameter should be flagged; the exploit works as a public guest user.
  • The PoC payloads assume the default PEEL Shopping database name is 'peel' and the default table name is 'peel_produits'. Installations with non-default database/table names will require adjusted payloads, but the vulnerable endpoint and parameter remain the same.
  • The vulnerability affects PEEL Shopping versions prior to 9.4.0.1. Version 9.4.0 is listed as vulnerable in NVD; the fix was released in 9.4.0.1.
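The detection points above turned into a log check, as an added example that is not taken from the page's sources: it assumes a combined-format access log with a trailing response-time field in seconds, constructed sample lines built from the IoCs listed above, and an assumed 5-second slow-response threshold.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed sample lines: combined log format plus a trailing response time in
# seconds (as nginx's $request_time would give); payloads are the IoCs above.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jul/2021:10:01:02 +0000] "GET /peel-shopping_9_4_0/achat/produit_details.php?id=42 HTTP/1.1" 200 5120 0.041
10.0.0.9 - - [30/Jul/2021:10:01:07 +0000] "GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1" 200 5120 7.102
10.0.0.9 - - [30/Jul/2021:10:01:20 +0000] "GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1" 200 5120 10.230
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<url>\S+) \S+" (?P<status>\d+) \S+ (?P<rt>[\d.]+)$')
# Indicators from the list above: SLEEP() inside a SELECT subquery, hex string
# literals used to fingerprint the DB, a parenthesised SELECT, slow responses.
SLEEP_RE = re.compile(r'SELECT\b.*\bSLEEP\s*\(', re.IGNORECASE | re.DOTALL)
HEX_RE = re.compile(r'0x((?:[0-9a-f]{2})+)', re.IGNORECASE)
PAREN_SELECT_RE = re.compile(r'\(\s*SELECT\b', re.IGNORECASE)
SLOW_SECONDS = 5.0  # assumed threshold; tune to the site's normal latency

def analyse_request(url, response_time):
    """Return (indicators, decoded_hex) for one request, ([], []) if out of scope."""
    parts = urlsplit(url)
    if not parts.path.endswith('/produit_details.php'):
        return [], []
    # parse_qs undoes '+' and %xx encoding, so the SQL reads as the DB sees it
    values = parse_qs(parts.query, keep_blank_values=True).get('id', [])
    indicators, decoded = [], []
    for value in values:
        if SLEEP_RE.search(value):
            indicators.append('sleep_subquery')
        if PAREN_SELECT_RE.search(value):
            indicators.append('paren_select')
        for hexdigits in HEX_RE.findall(value):
            indicators.append('hex_literal')
            decoded.append(bytes.fromhex(hexdigits).decode('latin-1'))
    if response_time >= SLOW_SECONDS:
        indicators.append('slow_response')
    return indicators, decoded

def scan_log(text):
    """Return one finding dict per log line that shows at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators, decoded = analyse_request(m['url'], float(m['rt']))
        if indicators:
            findings.append({'ip': m['ip'], 'ts': m['ts'],
                             'indicators': indicators, 'decoded_hex': decoded})
    return findings
```

The decoded hex shows what the probe was fingerprinting (here '%peel%'), which helps triage a hit without re-running the payload.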

CVSS provenance

NVD, CVSS v3.1: 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
NVD, CVSS v2.0: 6.4 MEDIUM (AV:N/AC:L/Au:N/C:P/I:P/A:N)