CVE-2018-17566
Description
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ThinkPHP 5.1.24 delete() method allows SQL injection when user input controls the WHERE condition.
Vulnerability
In ThinkPHP 5.1.24, the inner delete() function is vulnerable to SQL injection when the WHERE condition's value originates from user-controlled input, such as HTTP request parameters. The framework does not sufficiently sanitize or parameterize these values before constructing the SQL query. [1][3]
Exploitation
An attacker must send a crafted HTTP request to a ThinkPHP 5.1.24 application that exposes a delete() call with a WHERE condition derived from request parameters (e.g., $_GET, $_POST). No authentication is required if the endpoint is public. The attacker supplies specially crafted strings (e.g., containing SQL operators or boolean-based logic) to manipulate the resulting query beyond the intended deletion scope. [1][3]
Impact
Successful exploitation enables the attacker to execute arbitrary SQL queries against the underlying database. This leads to potential data exfiltration, data modification, or unauthorized deletion beyond the intended records. The attacker achieves write access to database content, which may compromise confidentiality, integrity, and availability of the application's data. [1]
Mitigation
ThinkPHP advised users to upgrade to a patched version that properly parameterizes input in the delete() method. As of the current references, the fix was introduced shortly after the disclosure; users should update to ThinkPHP versions later than 5.1.24. No workaround is provided in the available references. [2]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-75fm-52mm-q5rm (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-17566 (NVD advisory)
- github.com/top-think/think/issues/858 (upstream issue)
News mentions
No linked articles in our index yet.