SQL Injection vulnerabilities pose a severe threat to the security of web applications. A successful SQL Injection attack can allow an attacker to bypass authentication, read, modify or delete data, potentially execute remote code, and even gain control of the underlying system. It has recently come to light that SEMCMS v1.2, a popular Chinese content management system (CMS), is vulnerable to SQL Injection via the SEMCMS_User.php file. In this post, we'll provide details of this vulnerability (CVE-2021-38217), including code snippets, links to the original references, and exploit details.

Vulnerability Details

The SQL Injection vulnerability in SEMCMS v1.2 is present in SEMCMS_User.php. It allows remote attackers to execute arbitrary SQL commands via the id parameter, which is neither validated nor sanitized before being used in a query. The root cause is the following code:

// Vulnerable: the raw query-string value is stored without validation.
$id = isset($_GET['id']) ? $_GET['id'] : "";

// ... Other code ...

// Vulnerable: the untrusted value is interpolated directly into the SQL text,
// so a quote in $id ends the string literal and the rest becomes SQL.
$sql = "select * from {$tablepre}members_centre where id='$id'";
$result = mysql_query($sql);

As you can see, the id parameter is taken directly from user input ($_GET['id']) and is then interpolated into the SQL query without any sanitization or parameter binding.

In addition, the affected file performs no authentication or input validation, which makes this vulnerability easier to exploit.

The following Proof of Concept URL demonstrates the vulnerability in its simplest form:

http://[target]/SEMCMS_User.php?id=[SQL_PAYLOAD]

To exploit this vulnerability, an attacker crafts an SQL payload and substitutes it for [SQL_PAYLOAD], resulting in the execution of arbitrary SQL commands.

Exploit Details

To exploit this vulnerability effectively, an attacker would need to be familiar with the database schema and how data is organized. Typically, an attacker uses an SQL injection to extract sensitive information such as usernames, passwords, email addresses, and other critical data.

A simple example of an exploit would be an SQL payload such as ' UNION SELECT 1,username,password,4,5,6,7,8,9 from user--, which aims to extract the usernames and passwords of users from the user table.

However, an attacker seeking a more advanced attack might attempt to leverage the SQL injection for remote code execution or even full system control.

Mitigation & Recommendations

To mitigate this vulnerability, it is essential to update to the latest version of SEMCMS or switch to an alternative CMS. If updating is not possible, you can apply the following manual fix in the SEMCMS_User.php file:

// Fixed: intval() coerces the value to an integer, so any quotes or SQL
// keywords in the request are discarded before the value reaches the query.
$id = isset($_GET['id']) ? intval($_GET['id']) : "";

// ... Other code ...

// The interpolated value can now only be an integer (or empty), so it cannot
// alter the structure of the query.
$sql = "select * from {$tablepre}members_centre where id='$id'";

This change forces the id parameter to be treated as an integer value, which effectively sanitizes the input and mitigates the SQL Injection vulnerability.
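The intval() fix above works because id is a numeric column, but it still builds the query by string interpolation. As an added example (not SEMCMS code), the same lookup rewritten with an explicit input check and a PDO prepared statement, so the value is sent separately from the SQL text; the DSN, credentials and the table prefix sc_ are assumed placeholders:

```php
<?php
// Added example, not part of SEMCMS: hardened members_centre lookup using a
// PDO prepared statement instead of string-concatenated mysql_query().
declare(strict_types=1);

function fetchMember(PDO $db, string $tablepre, string $rawId): ?array
{
    // Validate the shape of the input first. The id column is an integer key,
    // so anything that is not a short, plain decimal number is rejected
    // outright. This is stricter than intval(), which silently maps a value
    // like "1 OR 1=1" to 1 instead of refusing it.
    if (!preg_match('/^\d{1,10}$/', $rawId)) {
        return null;
    }
    $id = (int) $rawId;

    // Identifiers cannot be bound as parameters, so the table prefix must come
    // from configuration (never from the request) and is restricted to a safe
    // character set before it is spliced into the SQL text.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $tablepre)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    // Bind id as a typed parameter: the server receives the query structure and
    // the value separately, so the value can never change the query.
    $stmt = $db->prepare("SELECT * FROM {$tablepre}members_centre WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with assumed placeholder DSN, credentials and prefix.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=semcms;charset=utf8mb4', // placeholder
    'semcms_user',                                        // placeholder
    'change-me',                                          // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use native server-side prepares
    ]
);

// ?id[]=1 would arrive as an array, so only accept a string from the request.
$rawId  = is_string($_GET['id'] ?? null) ? $_GET['id'] : '';
$member = fetchMember($db, 'sc_', $rawId); // 'sc_' is a placeholder prefix
```

With ATTR_EMULATE_PREPARES disabled, the parameter is bound on the server side, so the hardening does not depend on client-side escaping of the value.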

Final Thoughts

In conclusion, CVE-2021-38217 is a critical SQL Injection vulnerability in SEMCMS v1.2 via the SEMCMS_User.php file. A successful exploit could lead to unauthorized access to the underlying database and potentially to system control.

Developers and administrators must ensure that proper input validation and sanitization are in place to mitigate such vulnerabilities. Stay vigilant and keep up to date with the latest security patches and advisories to protect your applications from potential threats.

Original References

[1] CVE-2021-38217: Vulnerability Details

[2] SEMCMS Official Website (Chinese)

[3] OWASP: SQL Injection

Timeline

Published on: 10/28/2022 16:15:00 UTC
Last modified on: 10/28/2022 18:46:00 UTC