CVE-2021-36520: I-Tech Trainsmart r1044 SQL Injection Vulnerability and Exploit

A critical SQL injection vulnerability (CVE-2021-36520) has been discovered in I-Tech Trainsmart r1044 that allows attackers to access and manipulate databases within the application. The vulnerability exists in the evaluation/assign-evaluation?id= URI, which could be exploited for unauthorized access and the potential theft of sensitive information. In this post, we'll discuss how this vulnerability works, provide code snippets, and highlight the details of the exploit.

Original References

The discovery of this vulnerability was credited to Amit Masih, who disclosed the vulnerability and posted a report to the security community after unsuccessful attempts to contact the developers. You can find the original report by Amit Masih here:

[Link: https://github.com/amitmasih/security-report/blob/main/pd?id=295250d-ad81-48c-be29-c017171d66c8]

Alternatively, the CVE-2021-36520 vulnerability has been detailed on the Mitre Corporation's CVE List, which can be accessed via the link:

[Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36520]

Vulnerability Details

I-Tech Trainsmart r1044 is a web-based Learning Management System (LMS) used by businesses for e-learning, training, and collaboration. The vulnerable URI "evaluation/assign-evaluation?id=" does not properly sanitize user input, which can lead to SQL injection attacks.

The SQL injection attack could allow attackers to manipulate the database structure, extract sensitive data, delete data, or even take control of the application if the attacker has knowledge of the underlying database structure and credentials.

The following code snippet demonstrates the vulnerable part of the application code which allows for SQL injection:

// vulnerable code in assign-evaluation.php
$query = "SELECT * FROM evaluations WHERE id = '".$_GET['id']."'";
$result = mysqli_query($conn, $query);

In this code snippet, user input is directly taken from the $_GET[] array without any proper input validation or sanitization. This makes the application vulnerable to SQL injection attacks.

Exploit

Exploiting this vulnerability requires knowledge of SQL injection techniques and expertise in manipulating database queries. An attacker with malicious intent could use a tool like SQLMap, or manual SQL injection techniques to alter the request sent to the server and manipulate the SQL query.

A sample attack payload could be something like this

http://example.com/evaluation/assign-evaluation?id=1'OR'1'='1

SELECT * FROM evaluations WHERE id = 1 OR 1 = 1

The altered SQL query retrieves all records from the evaluations table, which could expose sensitive data or allow further exploitation of the application.

Mitigation & Recommendations

As this vulnerability has significant potential for damage, it is crucial to mitigate its impact. Reach out to the vendor to inquire about any available patches or updates addressing the issue. In the meantime, follow these recommendations:

1. Sanitize user input: Use prepared statements, parameterized queries, or stored procedures to handle user input and avoid direct concatenation of user input strings that form the SQL queries.
2. Escaping: Escape special characters in user input using proper escape functions to prevent them from breaking the intended SQL syntax.
3. Least Privilege: Limit the privileges of the database user account to reduce the potential impact of a successful SQL injection attack.
4. Monitor and log: Regularly check logs for suspicious activity that could indicate SQL injection attempts.

Conclusion

CVE-2021-36520 is a critical vulnerability in I-Tech Trainsmart r1044 that can lead to exploitation of databases and unauthorized access to sensitive information. It is essential for organizations to address this vulnerability immediately to protect their information systems from potential attacks that can exploit this vulnerability.

Timeline

Published on: 04/16/2023 04:15:00 UTC
Last modified on: 04/25/2023 20:33:00 UTC