CVE-2020-18215
Description
Multiple SQL Injection vulnerabilities in PHPSHE 1.7 in phpshe/admin.php via the (1) ad_id, (2) menu_id, and (3) cashout_id parameters, which could let a remote malicious user execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPSHE 1.7 contains multiple SQL injection flaws in the admin panel, allowing remote attackers to execute arbitrary SQL commands via the ad_id, menu_id, and cashout_id parameters.
Vulnerability
PHPSHE version 1.7 is vulnerable to multiple SQL injection attacks in the administrative interface (/phpshe/admin.php). The ad_id, menu_id, and cashout_id parameters are not properly sanitized before being used in SQL queries. This allows an attacker to inject arbitrary SQL code. The affected code is reachable when an authenticated admin user visits the admin panel with crafted parameter values [1].
Exploitation
To exploit the vulnerability, an attacker must have valid administrative credentials for the PHPSHE instance. The attacker then sends HTTP GET or POST requests to /phpshe/admin.php with malicious SQL injected into the ad_id, menu_id, or cashout_id parameters. The application does not filter or escape these inputs, so the injected SQL is executed against the database [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the underlying database. This can lead to data exfiltration, modification, or deletion of administrative data, and potentially full compromise of the application's data integrity and confidentiality. The attacker operates with the database privileges of the application user, which may be sufficient to access sensitive information [1].
Mitigation
As of the reference publication date (2021-02-09), no official patch has been released for PHPSHE 1.7. The vendor repository on Gitee reports the issue but no fixed version has been published [1]. Administrators should restrict access to the admin panel (e.g., via IP whitelisting), monitor logs for suspicious parameter values, and consider applying WAF rules to block SQL injection patterns until an update is provided.
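The log-monitoring step above is easy to put into practice because all three named parameters are record identifiers, so any value that is not a bare integer is worth a second look. The following script is an added example, not PHPSHE code and not taken from the cited references; it assumes an Apache/Nginx combined access-log layout and scans constructed sample lines for requests to /phpshe/admin.php whose ad_id, menu_id or cashout_id value is not purely numeric.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters named in the CVE description. All three identify database
# records, so a legitimate request should carry a plain integer in each.
WATCHED_PARAMS = ("ad_id", "menu_id", "cashout_id")
INTEGER_ONLY = re.compile(r"^\d+$")

# Combined log format (assumed layout; adjust the pattern for other servers).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target: str) -> dict:
    """Return {param: value} for watched admin.php parameters that are not bare integers."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin.php"):
        return {}
    findings = {}
    # parse_qs already percent-decodes values, so "12%27" arrives as "12'".
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if not INTEGER_ONLY.match(value):
                findings[name] = value
    return findings


def scan_log(lines):
    """Return one hit per log line whose admin.php request carries a non-integer watched parameter."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed layout
        bad = suspicious_params(match["target"])
        if bad:
            hits.append({"ip": match["ip"], "ts": match["ts"],
                         "status": match["status"], "params": bad})
    return hits


# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Feb/2021:10:00:01 +0000] "GET /phpshe/admin.php?ad_id=12 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [09/Feb/2021:10:00:07 +0000] "GET /phpshe/admin.php?ad_id=12%27 HTTP/1.1" 500 0',
    '198.51.100.9 - - [09/Feb/2021:10:02:19 +0000] "GET /phpshe/admin.php?menu_id=abc HTTP/1.1" 200 2048',
    '192.0.2.44 - - [09/Feb/2021:10:03:33 +0000] "GET /phpshe/index.php?ad_id=12%27 HTTP/1.1" 200 900',
    '192.0.2.44 - - [09/Feb/2021:10:04:10 +0000] "POST /phpshe/admin.php HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} params={hit['params']}")
```

Two caveats from the sample set: the index.php line with the same odd value is ignored because only admin.php is in scope here, and the POST line produces no hit at all, since access logs do not record request bodies. Parameters sent by POST need application-level request logging or a WAF in front of the admin panel to be inspected the same way.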
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- PHPSHE/PHPSHE
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- gitee.com/koyshe/phpshe/issues/ITLK2 (x_refsource_MISC)
- github.com/lemon666/vuln/blob/master/Phpshe1.7_sql1.md (x_refsource_MISC)
News mentions
No linked articles in our index yet.