cbcvebase.
CVE-2021-45793
published 2022-03-17

CVE-2021-45793: Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained.

Priority: P2 (58, high)
CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: EXPLOIT
EPSS: 4.64% (90.6th percentile)

Affected (1 range)

Vendor   Product                              Version range   Fixed in
slims    senayan_library_management_system    -               -

Detection & IOCs (extracted from sources)

url: /index.php?p=member&destination=
url: /index.php?p=show_detail&id=1
path: lib/comment.inc.php
command: comment=%27and%2F**%2F1%3D%28updatexml%281%2Cconcat%280x3a%2Cmd5%28{{num}}%29%29%2C1%29%29%2F**%2Fand%2F**%2F%271%27%3D%271&SaveComment=Save+comment
  • Detect exploitation attempts by monitoring POST requests to /index.php?p=show_detail whose 'comment' parameter carries SQL injection payloads, specifically the error-based updatexml() and md5() pattern.
  • Match the partial MD5 canary string 'c8c605999f3d8352d7bb792cf3fd' in HTTP response bodies as confirmation of successful exploitation (it is a prefix of md5(999999999)).
  • Flag URL-encoded SQL injection patterns in the 'comment' POST parameter handled by lib/comment.inc.php, particularly the sequence %27and%2F**%2F (i.e. 'and/**/ once decoded), which is characteristic of comment-obfuscated SQL injection.
  • Monitor for the multi-step attack flow: GET /index.php?p=member (CSRF token harvest) → POST login → GET /index.php?p=show_detail → POST comment injection, which indicates automated exploitation of CVE-2021-45793.
  • The vulnerability is in Slims9 Bulian version 9.4.2 specifically; the affected file is lib/comment.inc.php. The SQL injection is triggered via the 'comment' POST parameter on the show_detail page.
  • Exploitation requires authentication (the login step is part of the attack flow), so the attacker must first obtain valid credentials before injecting via the comment field.
  • The exploit extracts CSRF tokens from the login and show_detail pages before submitting the injection payload; detection rules must account for this multi-step, session-based flow.
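
Added example (not part of this CVE record or of the SLiMS project): a small Python detector that applies the rules above to constructed reverse-proxy records. It URL-decodes the 'comment' field, tags the updatexml()/md5() and 'and/**/ patterns listed in the IOCs, derives the expected canary from whatever number the payload passes to md5() instead of relying on one fixed string (so it generalises beyond md5(999999999)), checks the response body for that canary, and tracks the four-step member → login → show_detail → injection flow per source address. The record field names (ts, src, method, path, body, resp) and the sample records are assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Partial MD5 canary quoted in this page's detection notes (prefix of md5(999999999)).
PAGE_CANARY = "c8c605999f3d8352d7bb792cf3fd"
CANARY_PREFIX_LEN = len(PAGE_CANARY)  # updatexml() only echoes a prefix of the digest

# Decoded-payload patterns taken from the page's IOCs.
RE_ERROR_BASED = re.compile(r"updatexml\s*\(.*?md5\s*\(\s*(\d+)\s*\)", re.I | re.S)
RE_COMMENT_OBF = re.compile(r"'\s*and\s*/\*\*/", re.I)
RE_RAW_OBF = re.compile(r"%27and%2F\*\*%2F", re.I)  # same token before URL-decoding

# The multi-step flow from the detection notes, in the order it must occur.
FLOW_STAGES = ["member_get", "login_post", "show_detail_get", "injection_post"]

# The page's 'command' IOC with {{num}} filled in as 999999999 (the canary's input).
PAYLOAD = ("comment=%27and%2F**%2F1%3D%28updatexml%281%2Cconcat%280x3a%2Cmd5%28999999999"
           "%29%29%2C1%29%29%2F**%2Fand%2F**%2F%271%27%3D%271&SaveComment=Save+comment")

# Constructed proxy/WAF records (hypothetical field names, not real traffic).
_DIGEST = hashlib.md5(b"999999999").hexdigest()
SAMPLE_RECORDS = [
    {"ts": "2022-03-17T10:00:01Z", "src": "10.0.0.5", "method": "GET",
     "path": "/index.php?p=member&destination=", "body": "", "resp": "<form>login</form>"},
    {"ts": "2022-03-17T10:00:02Z", "src": "10.0.0.5", "method": "POST",
     "path": "/index.php?p=member", "body": "user=alice&pass=REDACTED&csrf=abc", "resp": "ok"},
    {"ts": "2022-03-17T10:00:03Z", "src": "10.0.0.5", "method": "GET",
     "path": "/index.php?p=show_detail&id=1", "body": "", "resp": "<html>detail</html>"},
    {"ts": "2022-03-17T10:00:04Z", "src": "10.0.0.5", "method": "POST",
     "path": "/index.php?p=show_detail&id=1", "body": PAYLOAD,
     "resp": "XPATH syntax error: ':" + _DIGEST[:31] + "'"},  # DB error leaks the digest prefix
    {"ts": "2022-03-17T10:01:00Z", "src": "10.0.0.9", "method": "POST",
     "path": "/index.php?p=show_detail&id=1",
     "body": "comment=Great+book%21&SaveComment=Save+comment", "resp": "comment saved"},
    {"ts": "2022-03-17T10:02:00Z", "src": "10.0.0.7", "method": "POST",
     "path": "/index.php?p=show_detail&id=1",
     "body": "comment=%27and%2F**%2F1%3D1%2F**%2Fand%2F**%2F%271%27%3D%271&SaveComment=Save+comment",
     "resp": "comment saved"},
]


def page_param(path):
    """Value of the 'p' query parameter of a request path, or '' if absent."""
    return parse_qs(urlsplit(path).query).get("p", [""])[0]


def comment_field(body):
    """URL-decoded 'comment' POST field, or None when the body has no such field."""
    return parse_qs(body or "", keep_blank_values=True).get("comment", [None])[0]


def injection_tags(body):
    """Names of the injection patterns present in a POST body (empty list if benign)."""
    tags = []
    comment = comment_field(body)
    if comment is not None:
        if RE_ERROR_BASED.search(comment):
            tags.append("error_based_updatexml_md5")
        if RE_COMMENT_OBF.search(comment):
            tags.append("comment_obfuscated_and")
    if RE_RAW_OBF.search(body or "") and "comment_obfuscated_and" not in tags:
        tags.append("comment_obfuscated_and")  # catches oddly encoded variants too
    return tags


def expected_canary(body):
    """MD5 hex digest of the number the payload passes to md5(), or None."""
    m = RE_ERROR_BASED.search(comment_field(body) or "")
    return hashlib.md5(m.group(1).encode()).hexdigest() if m else None


def canary_confirmed(body, response):
    """True when the response echoes the digest prefix the payload asked the DB for."""
    digest = expected_canary(body)
    return bool(digest) and digest[:CANARY_PREFIX_LEN] in (response or "")


def stage_of(rec, tags):
    """Map one record to a stage of the multi-step flow, or None."""
    p = page_param(rec["path"])
    if rec["method"] == "GET" and p == "member":
        return "member_get"
    if rec["method"] == "POST" and p == "member":
        return "login_post"
    if rec["method"] == "GET" and p == "show_detail":
        return "show_detail_get"
    if rec["method"] == "POST" and p == "show_detail" and tags:
        return "injection_post"
    return None


def analyze(records):
    """Return injection alerts plus the flow stages each source reached, in order."""
    alerts, flows = [], {}
    for rec in records:
        tags = injection_tags(rec.get("body")) if rec["method"] == "POST" else []
        if tags:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "tags": tags,
                           "canary_confirmed": canary_confirmed(rec.get("body"), rec.get("resp"))})
        reached = flows.setdefault(rec["src"], [])
        stage = stage_of(rec, tags)
        if stage and len(reached) < len(FLOW_STAGES) and stage == FLOW_STAGES[len(reached)]:
            reached.append(stage)  # only advance when the next expected stage appears
    return {"alerts": alerts, "flows": flows}


def full_flow_sources(result):
    """Sources that completed every stage of the flow (automated exploitation)."""
    return sorted(s for s, r in result["flows"].items() if r == FLOW_STAGES)


if __name__ == "__main__":
    out = analyze(SAMPLE_RECORDS)
    for a in out["alerts"]:
        print(a)
    print("full flow from:", full_flow_sources(out))
```

The canary check is deliberately derived from the request rather than hard-coded: the page's fixed string only catches payloads built with 999999999, whereas computing md5() of whatever number the request supplies confirms success for any value, and matching on the 28-character prefix accounts for updatexml() truncating the error text. The flow tracker is strictly ordered, so a lone login or a single obfuscated comment raises an injection alert but does not count as the automated four-step sequence.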

CVSS provenance

nvd  v3.1  7.5  HIGH    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd  v2.0  5.0  MEDIUM  AV:N/AC:L/Au:N/C:P/I:N/A:N