Miggo Logo
Miggo Vulnerability Database
CVE-2018-16385

CVE-2018-16385: ThinkPHP SQL Injection vulnerability

9.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-16385
GHSA ID
GHSA-vcm7-88jx-3r39
EPSS Score
0.66837%
CWE
CWE-89
Published
5/14/2022
Updated
5/4/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
topthink/frameworkcomposer< 5.1.235.1.23

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how ThinkPHP's query builder handles array parameters in the order() method. When user-controlled input (like the 'order' GET parameter) is passed directly to order() as an array key-value pair, the framework fails to properly escape the array keys. This allows attackers to inject SQL expressions through crafted keys (e.g., 'id`|updatexml(...)#'). The GitHub issue demonstrates this vulnerability pattern and confirms the order method's role in query construction. The patch in 5.1.23 likely added proper escaping for array keys in ORDER BY processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*inkP*P ***or* *.*.** *llows SQL Inj**tion vi* t** `pu*li*/in**x/in**x/t*st/in**x` qu*ry strin*.

Reasoning

T** vuln*r**ility st*ms *rom *ow T*inkP*P's qu*ry *uil**r **n*l*s *rr*y p*r*m*t*rs in t** or**r() m*t*o*. W**n us*r-*ontroll** input (lik* t** 'or**r' **T p*r*m*t*r) is p*ss** *ir**tly to or**r() *s *n *rr*y k*y-v*lu* p*ir, t** *r*m*work **ils to pro