CVE-2019-3577
Description
An issue was discovered in Waimai Super Cms 20150505. web/Lib/Action/ProductAction.class.php allows blind SQL Injection via the id[0] parameter to the /product URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in Waimai Super Cms 20150505 via the id[0] parameter allows unauthenticated retrieval of database contents.
Vulnerability
A blind SQL injection vulnerability exists in Waimai Super Cms version 20150505. The index() method in web/Lib/Action/ProductAction.class.php passes the id parameter directly from user input into the where() clause of a ThinkPHP find() query without proper sanitization [1]. Specifically, the attacker can control the id[0] element, which is inserted into the SQL query. The code uses I('id') to retrieve the parameter, and the resulting array key fid is used in the query. The affected code is based on ThinkPHP 3.1.3, and the vulnerability is reachable through the /product URI [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP GET request to the /product endpoint with a malicious id[0] parameter [1]. The exploit involves injecting SQL commands into the parameter value, using techniques such as id[0]=in ('xx')) or substr(...) to perform blind SQL injection. The provided proof-of-concept script demonstrates extracting the admin password by iterating over characters and checking the response for a specific image tag (<img src="") to infer boolean results [1]. No prior authentication or special network position is required; the attacker only needs access to the web interface.
Impact
Successful exploitation allows an attacker to blindly extract arbitrary data from the database. The proof-of-concept targets the admin password from the sn_members table, which could lead to full administrative access [1]. The impact includes unauthorized information disclosure of sensitive credentials, potentially enabling further compromise of the application and its data.
Mitigation
No official patch or fixed version has been released as of the publication date [1]. The vendor's repository appears unmaintained. Users should consider upgrading to a supported alternative or applying input validation and parameterized queries to the affected id parameter. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
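One way to apply the input validation and parameterized query suggested above, as an added PHP example that is not code from Waimai Super Cms or ThinkPHP: it rejects array-typed id values such as id[0]=... before any query is built and binds the integer id. The function names, the products table and its columns, and the SQLite demo data are assumptions made for illustration.

```php
<?php
// Added example; not the project's code. Table and column names are placeholders.

/**
 * Return a positive integer product id, or null when the request value is
 * missing, array-typed (id[0]=...), or not a plain decimal integer.
 */
function product_id_from_query(array $query): ?int
{
    $raw = $query['id'] ?? null;
    // PHP turns "id[0]=x" into ['id' => [0 => 'x']]; never pass that to a query builder.
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up one product with a bound parameter, so the id never becomes SQL text. */
function find_product(PDO $db, array $query): ?array
{
    $id = product_id_from_query($query);
    if ($id === null) {
        return null; // the caller should answer 400 or 404
    }
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products (id, name) VALUES (7, 'sample dish')");

// Constructed query strings: a normal id, the array form quoted above, a non-numeric id.
foreach (['id=7', "id[0]=in ('xx')) or substr(...)", 'id=7abc'] as $qs) {
    parse_str($qs, $query);
    $row = find_product($db, $query);
    printf("%-34s => %s\n", $qs, $row ? json_encode($row) : 'rejected or not found');
}
```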
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 20150505
Patches
No patches discovered yet.
References
[1] github.com/caokang/waimai/issues/9 (MITRE, x_refsource_MISC)