CVE-2020-18020
Description
SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user_phone" parameter of a crafted HTTP request to the "admin.php" component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPSHE Mall System v1.7 admin.php is vulnerable to SQL injection via the user_phone parameter, allowing attackers to execute arbitrary SQL commands leading to possible code execution.
Vulnerability
PHPSHE Mall System v1.7 contains a SQL injection vulnerability in the administrative component admin.php. The application fails to properly sanitize the user_phone parameter before using it in a database query, allowing an attacker to inject arbitrary SQL commands [1]. The vulnerable code is reachable when an authenticated attacker sends a crafted HTTP request to the admin interface [1].
Exploitation
An attacker must have administrative-level access to the PHPSHE Mall System backend [1]. The attacker crafts a POST or GET request to admin.php with a malicious payload in the user_phone parameter. The payload is embedded in a SQL query, which is then executed by the database backend, enabling the attacker to extract or manipulate data [1]. No user interaction beyond normal admin operations is required [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands, which can lead to reading sensitive data from the database, modifying or deleting records, and potentially achieving remote code execution by chaining with other database features (e.g., xp_cmdshell on MSSQL or INTO OUTFILE on MySQL) [1]. The privilege level obtained is that of the database user configured for the application [1].
Mitigation
As of the latest available information, PHPSHE Mall System v1.7 is the vulnerable version, and no official patch or fixed version has been released by the vendor [1]. Users should sanitize user input for the user_phone parameter and employ parameterized queries or prepared statements to prevent SQL injection [1]. The vulnerability status is not yet listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
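A lookup of the kind the advisory describes, with user_phone concatenated into the query, next to a hardened version that binds the value through a mysqli prepared statement. This is an added example, not PHPSHE's own code; the table and column names (pe_user, user_id, user_name), the request shape and the accepted phone-number format are assumptions.

```php
<?php
// Added example (not PHPSHE's code): lookup by the user_phone parameter that
// admin.php receives. Table/column names are assumptions, not PHPSHE's schema.
declare(strict_types=1);

// The pattern the advisory describes: user_phone is spliced straight into SQL,
// so any quote or comment sequence in the parameter becomes part of the query.
function find_user_unsafe(mysqli $db, string $user_phone): ?array
{
    $sql = "SELECT user_id, user_name FROM pe_user WHERE user_phone = '" . $user_phone . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened form: the value is bound as a string parameter, so the database
// receives it as data and never parses it as SQL. The admin-supplied input is
// also checked against a plain phone-number shape before it is used at all.
function find_user_safe(mysqli $db, string $user_phone): ?array
{
    // Coarse allow-list (assumed format): optional leading '+', 5..20 digits.
    if (!preg_match('/^\+?[0-9]{5,20}$/', $user_phone)) {
        return null;
    }
    $stmt = $db->prepare("SELECT user_id, user_name FROM pe_user WHERE user_phone = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $user_phone);   // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage from an admin handler (assumed request shape and connection details):
// $phone = (string)($_REQUEST['user_phone'] ?? '');
// $db    = new mysqli('localhost', 'phpshe', 'PLACEHOLDER_PASSWORD', 'phpshe');
// $user  = find_user_safe($db, $phone);
```

The allow-list check is defence in depth only; the prepared statement is what removes the injection, and it should be applied to every other query that consumes request parameters in admin.php as well.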
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- PHPSHE / Mall System
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] gitee.com/koyshe/phpshe/issues/IQ8S8 (x_refsource_MISC)
News mentions
No linked articles in our index yet.