# Semcms v4.8 web_inc.php SQL Injection

### Introduction to Semcms

SEMCMS is a foreign trade website content management system (CMS) that supports multiple languages.

v4.8 Download Link:

### Vulnerability description

A SQL injection vulnerability exists in SEMCMS v4.8. It stems from the `languageID` parameter of web_inc.php being placed into a SQL statement without validation. An unauthenticated attacker can use this to execute arbitrary SQL and read sensitive data from the database.

### Vulnerability analysis

The vulnerability exists on line 83 of web_inc.php, where the parameter is read from the POST body:

```php
if (isset($_POST["languageID"])){
```

The resulting value of `$Language` is interpolated, unquoted, into the SQL statement on line 88 and executed:

```php
$query=$db_conn->query("select * from sc_tagandseo where languageID=$Language");
```


`verify_str()` relies mainly on a blacklist; `test_input()` mainly strips backslashes, single quotes and double quotes. Because the SQL statement above does not enclose `$Language` in quotes, no quote character is needed to break out of a string, so the quote filtering is irrelevant and only the blacklist rules stand between the input and SQL injection.



Since index.php includes web_inc.php, the same injection is also reachable through index.php.
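The root cause above is a filter that removes quotes from a value that is never quoted in the query. The following is an added example, not SEMCMS's own code: it places that vulnerable pattern beside two hardened versions. It assumes an open `mysqli` connection in `$db_conn` and the `sc_tagandseo` table with an integer `languageID` column, as named in this write-up; `strip_quotes()` is a hypothetical stand-in for the page's `test_input()`, whose source is not reproduced here.

```php
<?php
// Added example (not part of SEMCMS). Shows why stripping \ ' " does not
// protect an unquoted numeric parameter, and two ways to fix it.
// Assumed: $db_conn is a connected mysqli instance (not created here).

// Hypothetical stand-in for a test_input()-style filter: removes only \ ' ".
function strip_quotes(string $s): string {
    return str_replace(['\\', "'", '"'], '', $s);
}

// Vulnerable pattern: the filter removes quotes, but the value is interpolated
// without quotes, so a payload that needs no quotes passes straight through.
function lookup_vulnerable(mysqli $db_conn, string $raw) {
    $Language = strip_quotes($raw);
    return $db_conn->query("select * from sc_tagandseo where languageID=$Language");
}

// Fix 1: enforce the type before the value reaches SQL. languageID is an
// integer, so anything that is not a string of digits is rejected outright.
function lookup_typed(mysqli $db_conn, string $raw) {
    if (!ctype_digit($raw)) {
        throw new InvalidArgumentException('languageID must be a non-negative integer');
    }
    $id = (int)$raw;
    return $db_conn->query("select * from sc_tagandseo where languageID=$id");
}

// Fix 2: prepared statement. The value is bound as data and never parsed as
// part of the SQL text, so it cannot change the structure of the query.
function lookup_prepared(mysqli $db_conn, string $raw) {
    $stmt = $db_conn->prepare("select * from sc_tagandseo where languageID=?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db_conn->error);
    }
    $id = (int)$raw;          // cast first so a non-numeric value becomes 0, not SQL
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result();
}

// Request handling as in web_inc.php: languageID arrives in the POST body.
if (isset($_POST["languageID"])) {
    $query = lookup_prepared($db_conn, $_POST["languageID"]);
}
```

Either fix is sufficient on its own; combining the type check with the prepared statement gives defence in depth, and the `ctype_digit()` rejection also produces a clean signal to log when a non-numeric `languageID` arrives.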


### Vulnerability demonstration

1. Open the URL of a target instance you have set up yourself.

2. Capture the request with Burp Suite and construct a boolean-based SQL injection payload:

payload: `-1 or length(database()) REGEXP char(94,54,36)`

`char(94,54,36)` decodes to the regular expression `^6$`, so the condition is true when the database name is exactly six characters long. When the condition is true:



payload: `-1 or length(database()) REGEXP char(94,55,36)`

Here `char(94,55,36)` decodes to `^7$`, testing for a seven-character name. When the condition is false:



3. Run the PoC script included in this project against the target:

```
python <vuln url>
```



The database name is obtained successfully: