CVE-2020-5515
published 2020-01-06

CVE-2020-5515: Gila CMS 1.11.8 allows /admin/sql?query= SQL Injection.

Priority: P3 (57) · CVSS 3.1: 7.2 (high)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 26.55% (97.8th percentile)

Affected (1 range)

Vendor: gilacms
Product: gila_cms
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /admin/sql?query=
path: /gila-1.11.8/admin/sql?query=
filename: webshell.php
command: SELECT id FROM user LIMIT 0,1 INTO OUTFILE
url: /webshell.php?cmd=whoami
  • Detect SQL injection attempts targeting the /admin/sql endpoint with a 'query' parameter containing 'INTO OUTFILE': a classic MySQL file-write payload used to drop a webshell.
  • Monitor for HTTP GET requests to /admin/sql?query= containing SQL keywords such as SELECT, INTO OUTFILE, and LINES TERMINATED BY, which are characteristic of this exploit chain.
  • Alert on the presence of the hex-encoded PHP webshell payload (0x3c3f706870...) in HTTP request parameters; this decodes to a <?php system($_REQUEST['cmd']); ?> shell.
  • Detect follow-on webshell access by monitoring for GET requests to /webshell.php with a 'cmd' query parameter, indicating successful exploitation and remote code execution.
  • Flag requests carrying both the PHPSESSID and GSESSIONID cookies with the exact exploit-tool values as a high-confidence indicator of this specific exploit script being used.
  • The hardcoded PHPSESSID and GSESSIONID cookie values in the exploit script are specific to the proof-of-concept tool; real-world attackers will use valid session cookies obtained after authenticating to the target CMS, so cookie-based detection alone is insufficient.
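As an added illustration (not part of the source entry), the following Python scans web-server access-log lines for the indicators listed above and correlates the file-write query with the follow-on webshell request per client. The log lines, client IPs and the sub-directory install path are constructed; only the truncated hex prefix 0x3c3f706870 (the "<?php" tag) quoted on the page is used.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed combined-log-format lines (not real traffic): one client runs the
# write-then-shell chain against /admin/sql, another issues a benign admin query.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2020:10:00:01 +0000] "GET /gila-1.11.8/admin/sql?query=SELECT+id+FROM+user+LIMIT+0,1+INTO+OUTFILE+'webshell.php'+LINES+TERMINATED+BY+0x3c3f706870 HTTP/1.1" 200 512
10.0.0.5 - - [06/Jan/2020:10:00:07 +0000] "GET /gila-1.11.8/webshell.php?cmd=whoami HTTP/1.1" 200 14
10.0.0.9 - - [06/Jan/2020:10:01:00 +0000] "GET /gila-1.11.8/admin/sql?query=SELECT+COUNT(*)+FROM+post HTTP/1.1" 200 80
10.0.0.9 - - [06/Jan/2020:10:02:00 +0000] "GET /gila-1.11.8/admin/post?id=5 HTTP/1.1" 200 2048
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

FILE_WRITE_KEYWORDS = ("INTO OUTFILE", "LINES TERMINATED BY")  # MySQL file-write markers from the IOC list
PHP_OPEN_TAG_HEX = "0x3c3f706870"  # hex literal for "<?php"; prefix of the payload quoted above

def classify(line):
    """Return the indicator names matched by one access-log line (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    params = parse_qs(url.query, keep_blank_values=True)
    hits = []
    # endswith() so installs under a sub-directory (e.g. /gila-1.11.8/) still match
    if path.endswith("/admin/sql") and "query" in params:
        stmt = params["query"][0].upper()
        if any(k in stmt for k in FILE_WRITE_KEYWORDS):
            hits.append("admin_sql_file_write")   # high confidence: webshell drop attempt
        elif "SELECT" in stmt:
            hits.append("admin_sql_select")       # lower confidence: legitimate admin use possible
    if PHP_OPEN_TAG_HEX in unquote_plus(url.query).lower():
        hits.append("hex_php_open_tag")
    if path.endswith("/webshell.php") and "cmd" in params:
        hits.append("webshell_cmd")
    return hits

def scan(log_text):
    """Group hits per client IP; list clients that completed the write -> shell chain."""
    per_ip = {}
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            per_ip.setdefault(LOG_RE.match(line).group("ip"), []).extend(hits)
    chained = sorted(ip for ip, h in per_ip.items()
                     if "admin_sql_file_write" in h and "webshell_cmd" in h)
    return per_ip, chained
```

The benign COUNT(*) query is reported at the lower "admin_sql_select" tier only, so the chain verdict rests on the file-write and webshell indicators rather than on any SELECT to the endpoint.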

CVSS provenance

NVD, CVSS v3.1: 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P