CVE-2023-39560
published 2023-08-28
CVE-2023-39560: ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.
Priority P261 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.11% (89.5th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ectouch | ectouch | — | — |
Detection & IOCs (extracted from sources)
other: 554fcae493e564ee0dc75bdf2ebf94cabought_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}
yara regex: "XPATH syntax error: '~[^~]+~'"
- The SQL injection payload is delivered via the HTTP Referer header (not a query parameter), using a serialized PHP session cookie value containing the updatexml() error-based SQLi payload targeting the $arr['id'] parameter.
- Successful exploitation produces an XPATH syntax error response in the HTTP body matching the pattern "XPATH syntax error: '~<dbname>~'", which can be used as a detection signature.
- The attack targets the ECTouch v2 registration endpoint. Monitor for requests to /index.php?m=default&c=user&a=register with suspicious Referer headers containing serialized PHP data and SQL functions like updatexml/concat.
- ECTouch v2 instances can be fingerprinted via FOFA using icon_hash="127711143" to identify exposed targets.
- The vulnerability is unauthenticated (PR:N) with network attack vector and no user interaction required, making it trivially exploitable remotely.
- EPSS score of ~60.8% (98th percentile) indicates high real-world exploitation probability; prioritize detection and patching accordingly.
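One way to apply the request-side and response-side indicators above to proxy or WAF logs, as an added example that is not from the original page or the Nuclei template. The JSON-lines log shape with `url`, `referer` and `body` fields, the serialized-data heuristic and the sample records are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Response-side signature quoted on this page.
XPATH_ERR = re.compile(r"XPATH syntax error: '~[^~]+~'")
# Request-side heuristics (assumed): PHP serialize() markers plus the SQL functions named above.
SERIALIZED = re.compile(r'a:\d+:\{|s:\d+:"')
SQL_FUNCS = re.compile(r"\b(?:updatexml|concat)\s*\(", re.IGNORECASE)

def is_register_endpoint(url):
    """True for /index.php?m=default&c=user&a=register, parameters in any order."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    wanted = {"m": "default", "c": "user", "a": "register"}
    return parts.path.endswith("/index.php") and all(query.get(k) == [v] for k, v in wanted.items())

def classify(record):
    """Return the reasons a log record looks like CVE-2023-39560 traffic (empty list if none)."""
    reasons = []
    referer = unquote(record.get("referer") or "")  # decode %xx so encoded payloads still match
    if SERIALIZED.search(referer) and SQL_FUNCS.search(referer):
        reasons.append("referer-serialized-sqli")
        if is_register_endpoint(record.get("url") or ""):
            reasons.append("register-endpoint")
    if XPATH_ERR.search(record.get("body") or ""):
        reasons.append("xpath-error-in-response")
    return reasons

def scan(lines):
    """Return (line number, reasons) for every suspicious JSON log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the scan
        if isinstance(record, dict) and (reasons := classify(record)):
            hits.append((number, reasons))
    return hits

# Constructed sample records; the Referer value in the second is the indicator quoted above.
SAMPLE = [json.dumps(r) for r in (
    {"url": "/index.php?m=default&c=user&a=register", "referer": "https://shop.example/", "body": "ok"},
    {"url": "/index.php?a=register&m=default&c=user",
     "referer": '554fcae493e564ee0dc75bdf2ebf94cabought_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}',
     "body": "XPATH syntax error: '~shopdb~'"},
    {"url": "/index.php?m=default&c=goods", "referer": "", "body": "XPATH syntax error: '~shopdb~'"},
)] + ["not json"]
```

A hit that carries all three reasons ties the request indicator to the error signature in the same exchange; a lone `xpath-error-in-response` still warrants review of the matching request.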
No detection rules found.
Nuclei
ECTouch v2 - SQL Injection
nuclei·CVSS 9.8
CVE-2023-39560 [CRITICAL] ECTouch v2 - SQL Injection
Template:
```yaml
id: CVE-2023-39560

info:
  name: ECTouch v2 - SQL Injection
  author: s4e-io
  severity: critical
  description: |
    ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.
  impact: |
    Unauthenticated attackers can exploit SQL injection through the $arr['id'] parameter to extract database contents, potentially stealing customer data, order information, and payment details from the ECTouch e-commerce system.
  remediation: |
    Update ECTouch to a version newer than 2.0 that uses parameterized queries or prepared statements for the id parameter in default/helpers/insert.
```
No writeups or analysis indexed.
Published: 2023-08-28