Et rule 2033642 - Magic-SigExplorer

""ET EXPLOIT Paypal Pro < 1.1.65 SQLi (CVE-2020-14092)""

SID: 2033642

Revision: 2

Class Type: attempted-admin

Metadata: affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, cve CVE_2020_14092, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, updated_at 2021_08_02

Reference:

cve
2020-14092

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: [$HOME_NET,$HTTP_SERVERS]

Destination Port: any

Flow: established,to_server

Contents:

Value: "/?cffaction=get_data_from_database"
Value: "query="

Within:

PCRE: "/query=[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/*.+*\/|EXEC)/Ui"

Special Options:

nocase
fast_pattern
http_uri
http_uri

source