CVE-2019-9626

CRITICAL

PHPSHE 1.7 - SQL Injection via pintuan_id Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-9626. PoCs published by koyshe.

AI-analyzed exploit summary This is a detailed technical analysis of a time-based blind SQL injection vulnerability in phpshe v1.7, located in the `/module/index/cart.php` file. The vulnerability arises from unsanitized user input in the `pintuan_id` parameter, which is directly spliced into SQL queries via the `pintuan_check` and `pe_select` functions.

Description

PHPSHE 1.7 allows module/index/cart.php pintuan_id SQL Injection to index.php.

Exploits (1)

gitee WRITEUP 48 stars

by koyshe · phpwriteup

https://gitee.com/koyshe/phpshe/issues/ISW87

View Code ZIP pw:eip

This is a detailed technical analysis of a time-based blind SQL injection vulnerability in phpshe v1.7, located in the `/module/index/cart.php` file. The vulnerability arises from unsanitized user input in the `pintuan_id` parameter, which is directly spliced into SQL queries via the `pintuan_check` and `pe_select` functions.

Classification

Writeup 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: phpshe v1.7

Auth required

Prerequisites: User authentication · Access to the `/index.php?act=pintuan` endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Mar 04, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Issue Tracking, Third Party Advisory x_refsource_misc

https://gitee.com/koyshe/phpshe/issues/ISW87

Scores

CVSS v3 9.8

EPSS 0.0138

EPSS Percentile 68.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

phpshe/phpshe 1.7

Published Mar 07, 2019

Tracked Since Feb 18, 2026