VYPR
Critical severity · NVD Advisory · Published Sep 3, 2018 · Updated Aug 5, 2024

CVE-2018-16385

Description

ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ThinkPHP before 5.1.23 allows SQL injection via an unvalidated order parameter in the index controller.

Vulnerability

ThinkPHP versions prior to 5.1.23 are vulnerable to SQL injection in the order parameter. The vulnerability occurs when user input is passed to the order() method in a database query; specifically, when the parameter is an array with key-value pairs, the framework fails to properly sanitize the array keys [1][3]. The attack vector is exposed via the public/index/index/test/index route, as described in the official CVE entry [1].

Exploitation

An attacker does not need authentication to exploit this vulnerability. The attack is performed by sending an HTTP request to the vulnerable endpoint with a crafted order query string parameter. The parameter must be an array containing a specially constructed key that includes a SQL injection payload, for example order[id|updatexml(1,concat(0x3a,user()),1)%23]=1. The attacker triggers the injection by requesting a URL such as http://127.0.0.1/tp5/public/index/index/test/index?order[id|updatexml(1,concat(0x3a,user()),1)%23]=1 [1][3]. No special privileges or network position beyond standard HTTP access are required.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized disclosure of sensitive information (such as database user names, as shown in the proof of concept), modification of data, or denial of service. The attacker gains the ability to read, modify, or delete database content depending on the injected SQL statements [3].

Mitigation

A fix was released in ThinkPHP version 5.1.23. Users should upgrade to version 5.1.23 or later to remediate the vulnerability [1]. The fix involves adding array branch security validation to the order-by processing flow [3]. No workaround is documented for versions prior to the fix. As of the publication date (2018-09-03), there is no evidence that this CVE is listed in the Known Exploited Vulnerabilities (KEV) catalog.
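
Independent of the upgrade, application code can refuse to pass request-supplied array keys to order() unless they match a fixed list of columns. The following is an added example, not ThinkPHP's patch and not code from the advisory; safeOrder() and SORTABLE_COLUMNS are hypothetical names, and the column names are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed allow-list: the only columns this application lets a client sort by.
const SORTABLE_COLUMNS = ['id', 'name', 'created_at'];

// Reduce a request's `order` parameter to a safe [column => direction] map.
// Anything not on the allow-list raises an exception instead of being dropped.
function safeOrder($raw, array $allowed = SORTABLE_COLUMNS): array
{
    if ($raw === null || $raw === '') {
        return [];
    }
    if (is_string($raw)) {
        $raw = [$raw => 'asc'];   // accept ?order=id as well as ?order[id]=desc
    }
    if (!is_array($raw)) {
        throw new InvalidArgumentException('order must be a string or array');
    }
    $clean = [];
    foreach ($raw as $column => $direction) {
        // Integer keys mean the column name is carried in the value: order[]=id
        if (is_int($column)) {
            [$column, $direction] = [$direction, 'asc'];
        }
        if (!is_string($column) || !in_array($column, $allowed, true)) {
            throw new InvalidArgumentException('order column not allowed');
        }
        $direction = is_string($direction) ? strtolower($direction) : '';
        if ($direction !== 'asc' && $direction !== 'desc') {
            throw new InvalidArgumentException('order direction not allowed');
        }
        $clean[$column] = $direction;
    }
    return $clean;
}

// Constructed inputs: a normal sort, then the query string quoted in the advisory.
foreach (['order[id]=desc', 'order[id|updatexml(1,concat(0x3a,user()),1)%23]=1'] as $qs) {
    parse_str($qs, $query);
    try {
        echo json_encode(safeOrder($query['order'] ?? null)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the array returned by safeOrder() should reach the query builder's order() call; the raw request value never should.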

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
topthink/framework (Packagist) | < 5.1.23 | 5.1.23
