SCRMS 2023-05-27 1.0 - Multiple SQL Injection

Exploit Author: nu11secur1ty Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2023-05-31 
## Exploit Title: SCRMS 2023-05-27 1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 05.27.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `email` parameter appears to be vulnerable to SQL injection
attacks. The test payloads 45141002' or 6429=6429-- and 37491017' or
5206=5213-- were each submitted in the email parameter. These two
requests resulted in different responses, indicating that the input is
being incorporated into a SQL query in an unsafe way. The attacker can
easily steal all users and their passwords for access to the system.
Even if they are strongly encrypted this will get some time, but this
is not a problem for an attacker to decrypt if, if they are not enough
strongly encrypted.

STATUS: HIGH Vulnerability

[+]Payload:
```mysql
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: email=-1544' OR 2326=2326-- eglC&password=c5K!k0k!T7&login=
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/SCRMS-2023-05-27-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/05/scrms-2023-05-27-10-multiple-sqli.html)

## Time spend:
01:00:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>


SCRMS 2023-05-27 1.0 – Multiple SQL Injection Vulnerability: A Deep Dive into Exploitation and Remediation

On May 27, 2023, cybersecurity researcher nu11secur1ty disclosed a critical vulnerability in the Simple Customer Relationship Management System (SCRMS) — a PHP-based open-source CRM application hosted on GitHub by oretnom23. The vulnerability, identified as Multiple SQL Injection (SQLi), poses a severe risk to user data integrity and system security. This article explores the technical details, exploitation methodology, real-world implications, and recommended mitigation strategies.

Overview of the Vulnerable System

The SCRMS 2023-05-27 1.0 version is a lightweight CRM system designed for small businesses and developers. It leverages PHP and MySQL for backend operations, offering features such as user authentication, contact management, and customer tracking. Despite its simplicity, the application lacks robust input validation and sanitization — a critical oversight that leads to exploitable vulnerabilities.

According to the official source code repository, the application includes a login form with two primary inputs: email and password. These fields are processed via a POST request to authenticate users. However, the underlying SQL query fails to sanitize user input, making it susceptible to injection attacks.

SQL Injection: The Core Vulnerability

SQL Injection is a common web security flaw where attackers inject malicious SQL code into input fields, manipulating database queries. In SCRMS, the email parameter is used in a WHERE clause within a login query. For example:


SELECT * FROM users WHERE email = 'user@example.com' AND password = 'hashed_password'

When an attacker submits a crafted payload like email=-1544' OR 2326=2326--, the query becomes:


SELECT * FROM users WHERE email = '-1544' OR 2326=2326-- AND password = 'c5K!k0k!T7'

Here, OR 2326=2326 is always true, effectively bypassing the email and password check. The -- comment delimiter terminates the query, preventing syntax errors. This boolean-based blind injection technique allows attackers to infer database behavior based on response differences.

Exploitation Demonstration

As demonstrated by nu11secur1ty, two test payloads were used:

  • email=-1544' OR 2326=2326-- → Response indicates successful login
  • email=37491017' OR 5206=5213-- → Response indicates failure

These differing responses confirm that the application is processing the input directly in a SQL query without proper filtering. The attacker can use this to perform blind SQLi attacks, extracting data row by row through time-based or boolean-based techniques.

Real-World Impact and Risk Assessment

Due to the High Severity Rating assigned by the researcher, this vulnerability has significant implications:

  • Data Theft: Attackers can extract all user records, including email addresses, hashed passwords, and other sensitive information.
  • Account Takeover: With stolen credentials, attackers can impersonate legitimate users, gaining full access to CRM data.
  • Database Manipulation: If the injection allows write operations, attackers could modify or delete records, leading to data corruption or denial-of-service.

Even if passwords are hashed (e.g., using bcrypt or SHA-256), the attacker can leverage offline brute-force or rainbow table attacks to crack weak or reused passwords. This is especially dangerous in systems with poor password policies or default credentials.

Attack Techniques and Tools

Security professionals can use tools like Burp Suite or Exploit-DB to automate SQLi detection. The following table outlines common attack methods used against SCRMS:

Technique Description Use Case
Boolean-Based Blind Exploits true/false responses to infer data Testing if user exists via OR 1=1 vs OR 1=2
Time-Based Blind Uses delays to detect successful queries Injecting AND SLEEP(5) to observe response time
Union-Based Combines results from multiple queries Extracting table names or column data

Code Example: Vulnerable Login Query

The following code snippet illustrates the flawed implementation in SCRMS:


$login_query = "SELECT * FROM users WHERE email = '" . $_POST['email'] . "' AND password = '" . $_POST['password'] . "'";
$result = mysqli_query($conn, $login_query);

Why it’s dangerous: The input is directly concatenated into the SQL string without escaping or parameterization. This creates a direct path for injection. Even if the password field appears to be hashed, the email field remains unfiltered.

Corrected Implementation: Best Practices

To prevent SQL injection, developers must adopt secure coding practices. Here’s a corrected version using prepared statements:


$stmt = $conn->prepare("SELECT * FROM users WHERE email = ? AND password = ?");
$stmt->bind_param("ss", $_POST['email'], $_POST['password']);
$stmt->execute();
$result = $stmt->get_result();

Explanation: This approach uses prepared statements, which separate SQL logic from user input. The database engine treats the input as data, not executable code, preventing injection. Additionally, password validation should be done via password_verify() instead of direct comparison.

Remediation Recommendations

For system administrators and developers, the following actions are critical:

  • Input Validation: Sanitize all user inputs using functions like htmlspecialchars() or filter_input().
  • Use Prepared Statements: Always use parameterized queries for database interactions.
  • Implement WAFs: Deploy Web Application Firewalls (e.g., ModSecurity) to detect and block SQLi attempts.
  • Regular Audits: Conduct automated and manual penetration tests using tools like OWASP ZAP or Burp Suite.
  • Update Dependencies: Patch the SCRMS application immediately or migrate to a more secure alternative.

Conclusion

The SCRMS 2023-05-27 1.0 vulnerability serves as a stark reminder that even simple applications can harbor high-risk security flaws. SQL Injection remains one of the most prevalent and impactful web vulnerabilities, ranking consistently in the CVE Top 25. Developers must prioritize security from the outset — not as an afterthought.

By understanding the mechanics of SQLi, adopting secure coding practices, and leveraging automated tools, organizations can significantly reduce their attack surface. The case of SCRMS underscores the need for continuous vigilance, proactive patching, and responsible open-source maintenance.