alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ECSHOP user.php SQL INJECTION via Referer"; flow:established,to_server; http.uri; content:"/user.php"; http.referer; content:"SELECT"; nocase; content:"UNION"; nocase; content:",4,5,6,7,8,0x"; fast_pattern; reference:url,github.com/theLSA/ecshop-getshell; reference:url,github.com/Hzllaga/EcShop_RCE_Scanner/; reference:url,xz.aliyun.com/t/2689?from=groupmessage; classtype:web-application-attack; sid:2027416; rev:2; metadata:attack_target Web_Server, created_at 2019_05_31, deployment Perimeter, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)