SEMCMS SHOP is a popular e-commerce CMS solution, especially in certain markets needing a light and manageable online store. In September 2021, a dangerous vulnerability was made public — CVE-2021-38734. The issue? A classic SQL Injection in an important file: Ant_Menu.php.
If you run SEMCMS SHOP version 1.1 or earlier, or you just want to see how a real-world SQL Injection can still sneak into modern PHP apps, keep reading. We'll break down the postmortem with a clear example, show how this bug could be abused, and point you to the official references for further details.
- Product: SEMCMS SHOP v1.1
- CVE ID: CVE-2021-38734
Problem Summary
The file Ant_Menu.php takes user input and puts it straight into an SQL query without sanitizing or escaping the data. This means attackers can inject their own SQL code and potentially dump data, change content, or, depending on the database account's privileges, escalate further (for example executing system commands through the DBMS).
Let’s Get Technical: Where’s the Bug?
According to the original advisory from Seebug, the issue is with a parameter called type in Ant_Menu.php. Here’s a simplified example of the vulnerable PHP code pattern:
<?php
// EXAMPLE: sanitization missing in the vulnerable code pattern
// $conn is assumed to be an existing mysqli connection
$type = $_GET['type']; // INPUT: attacker supplied, used as-is
// Vulnerable: the raw value is interpolated into the SQL string, so a quote
// in $type terminates the literal and whatever follows is parsed as SQL
$sql = "SELECT * FROM scm_menu WHERE type = '$type'";
$result = mysqli_query($conn, $sql);
// ... process the result
?>
1. Finding the Entry Point
Assume the SEMCMS site is hosted at http://example.com/SEM/Ant_Menu.php. The parameter type is passed via GET.
Let’s first check whether the parameter is injectable by appending a single quote:
http://example.com/SEM/Ant_Menu.php?type=1'
If the page breaks or returns a database error, the input is reaching the query unescaped and injection is likely possible.
Here’s how an attacker might try to read the current database user name:
http://example.com/SEM/Ant_Menu.php?type=1' UNION SELECT 1, user(), 3, 4 -- -
- UNION SELECT is used to fetch data from another table or built-in value (user() gives the DB username)
Extracting all table names:
http://example.com/SEM/Ant_Menu.php?type=1' UNION SELECT 1, table_name, 3, 4 FROM information_schema.tables -- -
Note
The actual number of columns and layout in your real database might vary — you’d need to tweak payloads using "ORDER BY" and "UNION SELECT" counts to match.
1. Test for Injection: Try basic payloads to break the query; watch for errors.
2. Optimize Payloads: Use tools like sqlmap, or manual ORDER BY/UNION SELECT guesses, to get the number of columns.
3. Extract Data: Dump database contents, steal credentials, change or delete records, or even escalate to RCE depending on DBMS.
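From the defender's side, the probe-then-payload sequence above leaves a recognizable trail in the web server access log: a quote in the type parameter (often followed by a 500), then UNION SELECT and comment sequences, then information_schema lookups. The following script is an added example, not part of the original write-up or of SEMCMS, that parses combined-format access log lines, percent-decodes the type value exactly as PHP would, and flags requests to Ant_Menu.php whose value contains SQL syntax. The log lines, IP addresses and the assumption that a legitimate type value is a plain alphanumeric token are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in combined log format (not real traffic). The first
# three mirror the probe/payload sequence from the write-up, URL-encoded the way
# a browser or tool would send it.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2021:10:01:02 +0000] "GET /SEM/Ant_Menu.php?type=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2021:10:01:09 +0000] "GET /SEM/Ant_Menu.php?type=1%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2021:10:01:15 +0000] "GET /SEM/Ant_Menu.php?type=1%27%20UNION%20SELECT%201,user(),3,4%20--%20- HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2021:10:02:00 +0000] "GET /SEM/Ant_Menu.php?type=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2021:10:02:30 +0000] "GET /SEM/index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption for this example: a legitimate menu type is a plain token.
# Anything outside this allowlist is worth a closer look.
BENIGN_TYPE = re.compile(r"[A-Za-z0-9_]*")

# SQL syntax fragments that have no business in a menu type value. The list
# returned by classify_type_value() follows this order.
SQLI_INDICATORS = [
    ("quote", re.compile(r"'")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("schema-enumeration", re.compile(r"information_schema", re.I)),
    ("sql-comment", re.compile(r"--|#|/\*")),
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_type_value(value):
    """Return the names of the SQLi indicators present in a decoded `type` value."""
    if BENIGN_TYPE.fullmatch(value):
        return []
    return [name for name, pat in SQLI_INDICATORS if pat.search(value)]


def scan_log(text):
    """Return one finding per request to Ant_Menu.php whose `type` value looks like SQL."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["target"])
        if not url.path.lower().endswith("/ant_menu.php"):
            continue
        # parse_qs percent-decodes values, so the check sees what the PHP code saw.
        for value in parse_qs(url.query).get("type", []):
            indicators = classify_type_value(value)
            if indicators:
                findings.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "status": int(rec["status"]),
                    "value": value,
                    "indicators": indicators,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['indicators']} value={f['value']!r}")
```

Run against the sample, the script reports the two malicious requests from 203.0.113.10 and nothing for the benign ones. In practice the same classification can feed a SIEM rule; a quote-bearing request that produced a 500 followed shortly by a UNION SELECT from the same source is the sequence worth alerting on.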
How To Fix It
- ALWAYS use prepared statements / parameterized queries.
Example of safer code:
<?php
// $conn is assumed to be an existing mysqli connection
$type = $_GET['type'];
$stmt = $conn->prepare("SELECT * FROM scm_menu WHERE type = ?");
if ($stmt === false) {
    // prepare() failed; never fall back to building the query as a string
    exit('Query preparation failed');
}
$stmt->bind_param("s", $type); // bound as a string value, never parsed as SQL
$stmt->execute();
$result = $stmt->get_result(); // requires the mysqlnd driver
// ... process result
?>
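To make concrete why the prepared statement closes the hole, here is an added example (mine, not SEMCMS code) that runs both query styles side by side against a small in-memory SQLite table. The unsafe function has the same defect as the vulnerable Ant_Menu.php pattern; the safe function is the parameterized equivalent of the fix. The table rows are constructed and do not reproduce the real scm_menu schema, and the payload is the write-up's UNION payload with a fixed literal in place of user() so that it runs on SQLite and gives a deterministic result.

```python
import sqlite3


def make_db():
    """In-memory stand-in for scm_menu with constructed rows (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scm_menu (id INTEGER, name TEXT, type TEXT, url TEXT)")
    conn.executemany(
        "INSERT INTO scm_menu VALUES (?, ?, ?, ?)",
        [(1, "Home", "1", "/"), (2, "Shop", "1", "/shop"), (3, "Admin", "2", "/admin")],
    )
    return conn


def query_unsafe(conn, type_value):
    """Same defect as the vulnerable Ant_Menu.php: the value is spliced into the SQL text."""
    sql = f"SELECT * FROM scm_menu WHERE type = '{type_value}'"
    return conn.execute(sql).fetchall()


def query_safe(conn, type_value):
    """Equivalent of the prepared-statement fix: the value is bound as data, never parsed as SQL."""
    return conn.execute("SELECT * FROM scm_menu WHERE type = ?", (type_value,)).fetchall()


# The write-up's UNION payload with a literal instead of user(); the trailing
# "-- -" comments out the closing quote the application appends.
PAYLOAD = "1' UNION SELECT 1, 'injected', 3, 4 -- -"


def demo():
    """Run both query styles with a normal value and with the payload."""
    conn = make_db()
    return {
        "unsafe_normal": query_unsafe(conn, "1"),
        "unsafe_payload": query_unsafe(conn, PAYLOAD),
        "safe_normal": query_safe(conn, "1"),
        "safe_payload": query_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the string-built query the payload adds an attacker-chosen row to the two legitimate menu rows; with the bound parameter the whole payload is compared as a literal type value, matches nothing, and returns an empty result. The mysqli code above behaves the same way, since bind_param sends the value separately from the already-parsed statement.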
References and Further Reading
- National Vulnerability Database Entry: https://nvd.nist.gov/vuln/detail/CVE-2021-38734
- Seebug Advisory (in Chinese)
- Exploit Database Mirror (if available)
Final Notes
SQL Injection remains one of the most critical and commonly exploited web security problems. CVE-2021-38734 is proof that even “new” applications can fall to an old-school bug if developers don’t prioritize security-first coding. If you’re using SEMCMS SHOP, patch your system, audit your PHP code, and never trust user input.
Let this be a real-world lesson to re-examine your own code or that of any open source project you depend on.
Timeline
Published on: 10/28/2022 15:15:00 UTC
Last modified on: 10/28/2022 18:34:00 UTC