CVE-2018-18530
Description
ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ThinkPHP 5.1.25 SQL injection in aggregate functions via unsanitized 'count' parameter allows blind data extraction.
Vulnerability
In ThinkPHP 5.1.25 (the advisory data on this page lists topthink/framework releases up to and including 5.1.25 as affected), the aggregate function in library/think/db/Query.php does not validate the $field argument before it is interpolated into the SQL text. When a controller passes request input as the field of count() or another aggregate method, that input reaches the query string unescaped. The field is emitted as a backtick-quoted identifier, so the attacker needs a backquote character (`) in the input to close the quote and append SQL; this is why the description notes that a backquote is required in the attack URI [1][2].
Exploitation
An attacker needs an endpoint that passes a request parameter to an aggregate method such as count(), sum(), avg(), max() or min(). A typical vulnerable controller line is db('user')->count(input('get.count'));. The attacker then supplies a field value that closes the backtick-quoted identifier and appends SQL, e.g. ?count=id`),(select sleep(5)),(`username, which produces a statement of the form SELECT count(`id`),(select sleep(5)),(`username`) ... and makes the database sleep before answering. The field text is concatenated into the SQL string rather than bound as a parameter, so conditional and time-based blind extraction works one bit at a time [2].
Impact
Successful exploitation lets an attacker run attacker-chosen SQL inside the aggregate query and read data accessible to the application's database account, for example password hashes, through blind (time- or error-based) inference [2]. Prepared-statement parameter binding does not help: a column name is part of the SQL text and is never passed as a bound value, so the injected text reaches the database verbatim. Because ThinkPHP issues the statement through PDO with prepare emulation disabled, the injection cannot stack a second statement; extraction relies on subqueries within the one statement, as in the sleep()-based probe above. The practical impact is disclosure of whatever the application's database user can read.
Mitigation
The description and the advisory data on this page identify 5.1.25 as vulnerable: the affected-versions table lists every release up to and including 5.1.25 and records no patched version, so 5.1.25 is not a fixed release. Users should move to a later ThinkPHP release in which upstream issue top-think/framework#2613 is resolved [1][2]. As a code-level mitigation, never pass raw request input as the field of an aggregate call: map the input onto a fixed list of permitted column names and reject anything else, in particular any value containing a backquote. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
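As an added illustration (this is not ThinkPHP's own code), the PHP script below models how the aggregate query described under Exploitation is assembled when the field name is interpolated between backticks, and the identifier whitelist suggested under Mitigation. The function names, the table name `user` and the simplified query template are assumptions; the script prints the SQL each input produces, which shows why the payload needs its backticks and how a strict identifier check stops it.

```php
<?php
// Added example, not ThinkPHP's code: a reduced model of an aggregate query
// builder that interpolates the field name into the SQL text.
// buildAggregateVulnerable() mirrors the flawed behaviour in the advisory
// (identifier wrapped in backticks, contents never checked);
// buildAggregateHardened() applies an identifier whitelist before building.
// Function names, the query template and the table name are assumptions.

declare(strict_types=1);

/**
 * Vulnerable model: the field is quoted with backticks but never validated,
 * so a backtick inside $field ends the identifier early and the rest of the
 * input becomes part of the statement.
 */
function buildAggregateVulnerable(string $aggregate, string $field, string $table): string
{
    $quoted = '`' . trim($field) . '`';
    return 'SELECT ' . $aggregate . '(' . $quoted . ') AS tp_' . strtolower($aggregate)
        . ' FROM `' . $table . '`';
}

/**
 * Hardened model: accept only a bare * or a plain column name (optionally
 * table.column) and refuse everything else before any SQL is assembled.
 * \A and \z are used instead of ^ and $ because, in PCRE, $ also matches
 * before a trailing newline and would let "id\n..." slip through.
 */
function buildAggregateHardened(string $aggregate, string $field, string $table): string
{
    $field = trim($field);
    if ('*' !== $field && !preg_match('/\A[A-Za-z_]\w*(\.[A-Za-z_]\w*)?\z/', $field)) {
        throw new InvalidArgumentException('unsupported field name: ' . $field);
    }
    $quoted = ('*' === $field) ? '*' : '`' . str_replace('.', '`.`', $field) . '`';
    return 'SELECT ' . $aggregate . '(' . $quoted . ') AS tp_' . strtolower($aggregate)
        . ' FROM `' . $table . '`';
}

// Constructed inputs: a benign request, the injection text without any
// backtick (which stays trapped inside one quoted identifier), and the same
// text with the backticks the CVE description says the attack requires.
$inputs = [
    'benign'              => 'id',
    'payload no backtick' => 'id),(select sleep(5)),(username',
    'payload backtick'    => 'id`),(select sleep(5)),(`username',
];

foreach ($inputs as $label => $count) {
    echo "[$label]\n";
    // Vulnerable builder: the third input yields
    // SELECT count(`id`),(select sleep(5)),(`username`) AS tp_count FROM `user`
    echo '  vulnerable: ' . buildAggregateVulnerable('count', $count, 'user') . "\n";
    try {
        echo '  hardened:   ' . buildAggregateHardened('count', $count, 'user') . "\n";
    } catch (InvalidArgumentException $e) {
        echo '  hardened:   rejected (' . $e->getMessage() . ")\n";
    }
}
```

Running it shows the three cases side by side: the benign name passes both builders; the payload without a backtick produces `count(`id),(select sleep(5)),(username`)`, a single nonsensical identifier that MySQL rejects, which is why the description insists on the backquote; the payload with backticks produces a statement whose select list now contains the attacker's subquery. The hardened builder rejects both payloads before any SQL exists. In an application, the same whitelist belongs in the controller (map the request value onto known column names) rather than relying on the framework alone.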
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| topthink/framework (Packagist) | <= 5.1.25 | — |
Affected products: 1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7xfj-4jpg-58vf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-18530 (NVD advisory)
- github.com/top-think/framework/issues/2613 (upstream issue)
- www.kingkk.com/2018/10/Thinkphp-%E8%81%9A%E5%90%88%E6%9F%A5%E8%AF%A2%E6%BC%8F%E6%B4%9E/ (analysis write-up, MISC)
News mentions: 0
No linked articles in our index yet.