CVE-2021-37371
📋 TL;DR
CVE-2021-37371 is an unauthenticated SQL injection vulnerability in the Online Student Admission System 1.0 admin login page. Attackers can bypass authentication and execute arbitrary SQL commands without credentials. This affects all deployments of version 1.0 of this specific software.
💻 Affected Systems
- Online Student Admission System
📦 What is this software?
Online Student Admission System by Online Student Admission System Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including database takeover, shell upload leading to remote code execution, and potential data exfiltration of sensitive student information.
Likely Case
Authentication bypass leading to unauthorized admin access, database manipulation, and potential data theft.
If Mitigated
Limited impact with proper network segmentation, WAF rules blocking SQL injection patterns, and database user privilege restrictions.
🎯 Exploit Status
Public exploit code available on Packet Storm Security with detailed documentation of SQL injection and shell upload capabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch exists. Remove the vulnerable software and replace with a secure alternative. If continuing use is required, implement all workarounds listed below.
🔧 Temporary Workarounds
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns targeting /admin/login.php
# Example ModSecurity rule. The two rules are chained so that only requests to the login page whose
# parameters look like SQL injection (libinjection via @detectSQLi) are denied; an unchained rule on
# REQUEST_URI alone would block every legitimate admin login as well:
SecRule REQUEST_URI "@streq /admin/login.php" "id:1001,phase:2,deny,status:403,chain,msg:'Blocking CVE-2021-37371 exploit attempt'"
    SecRule ARGS "@detectSQLi"
# Add further SQL injection detection rules for this specific endpoint as needed
Input Validation Hardening
Add parameterized queries and input validation to login.php
# Replace mysql_query() with prepared statements (mysqli example); bound values are sent separately from the SQL text, so quotes or keywords in the input cannot change the query
$stmt = $conn->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$result = $stmt->get_result();
🧯 If You Can't Patch
- Immediately isolate the system from internet access and place behind strict network segmentation
- Implement application-level monitoring for SQL injection attempts and failed login patterns
🔍 How to Verify
Check if Vulnerable:
Test /admin/login.php endpoint with SQL injection payloads like ' OR '1'='1 in username/password fields. Monitor for database errors or successful authentication bypass.
Check Version:
Check source code or documentation for version 1.0 reference. No built-in version command available.
Verify Fix Applied:
Attempt SQL injection payloads after implementing fixes. Verify authentication fails with malicious input and succeeds only with valid credentials.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL syntax in login attempts
- Multiple failed login attempts from single IP followed by successful admin access
- Database error messages containing SQL fragments in web logs
Network Indicators:
- HTTP POST requests to /admin/login.php with SQL keywords (UNION, SELECT, OR, etc.)
- Unusual outbound database connections from web server
SIEM Query:
source="web_logs" AND uri="/admin/login.php" AND (message="*SQL*" OR message="*syntax*" OR message="*database*error*")
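The following is an added example, not part of this advisory or the product: it applies the log indicators above (SQL syntax in login fields; several failed logins from one IP followed by a successful admin login) to a handful of constructed login-audit lines. The `ip=... uri=... user="..." result=...` line format is an assumption about what an application-level audit log might look like; the lines themselves are made up for the demonstration.

```python
"""Added example: scan constructed login-audit lines for the indicators listed
in the advisory (SQL syntax in login fields; repeated failures then success).
The log format is assumed, not the product's own; the sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample lines (assumed application-level login audit format, NOT real logs).
SAMPLE_LOG = """\
2021-10-20T10:00:01Z ip=198.51.100.7 method=POST uri=/admin/login.php user="admin" result=fail
2021-10-20T10:00:03Z ip=198.51.100.7 method=POST uri=/admin/login.php user="admin" result=fail
2021-10-20T10:00:05Z ip=198.51.100.7 method=POST uri=/admin/login.php user="admin" result=fail
2021-10-20T10:00:09Z ip=198.51.100.7 method=POST uri=/admin/login.php user="admin' OR '1'='1" result=success
2021-10-20T10:01:00Z ip=192.0.2.10 method=GET uri=/index.php user="" result=-
2021-10-20T10:01:10Z ip=192.0.2.10 method=POST uri=/admin/login.php user="jdoe" result=fail
2021-10-20T10:01:20Z ip=192.0.2.10 method=POST uri=/admin/login.php user="jdoe" result=success
2021-10-20T10:02:00Z ip=203.0.113.9 method=POST uri=/admin/login.php user="x' UNION SELECT 1,2,3" result=fail
"""

# One audit line in the assumed format; the user field is double-quoted so it may carry single quotes.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+) '
    r'user="(?P<user>[^"]*)" result=(?P<result>\S+)$'
)

# "Unusual SQL syntax in login attempts": stray quotes, SQL comments, or the keywords
# the advisory names (UNION, SELECT, OR, ...) appearing as whole words in a login field.
SQL_SYNTAX_RE = re.compile(r"""['"]|--|/\*|\b(?:union|select|or|and)\b""", re.IGNORECASE)


def parse_log(log_text):
    """Yield one dict per parseable line; unparseable or blank lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_injection_attempts(log_text, login_uri="/admin/login.php"):
    """Return (timestamp, ip, user) for login requests whose user field contains SQL syntax."""
    hits = []
    for rec in parse_log(log_text):
        if rec["uri"] == login_uri and SQL_SYNTAX_RE.search(rec["user"]):
            hits.append((rec["ts"], rec["ip"], rec["user"]))
    return hits


def find_failed_then_success(log_text, login_uri="/admin/login.php", threshold=3):
    """Return IPs that had at least `threshold` failed logins and then a success,
    in the order they were first flagged. The failure counter resets on success,
    so a user who mistypes once and then logs in is not flagged at the default threshold."""
    fails = defaultdict(int)
    flagged = []
    for rec in parse_log(log_text):
        if rec["uri"] != login_uri:
            continue
        ip = rec["ip"]
        if rec["result"] == "fail":
            fails[ip] += 1
        elif rec["result"] == "success":
            if fails[ip] >= threshold and ip not in flagged:
                flagged.append(ip)
            fails[ip] = 0
    return flagged


if __name__ == "__main__":
    for ts, ip, user in find_injection_attempts(SAMPLE_LOG):
        print(f"SQL syntax in login field at {ts} from {ip}: {user!r}")
    for ip in find_failed_then_success(SAMPLE_LOG):
        print(f"repeated failures followed by success from {ip}")
```

Both checks key on the login URI, so a GET to another page from the same IP is ignored; the failure counter resets on success so the "typo then correct password" pattern is not flagged at the default threshold, while a lower threshold makes the detector deliberately noisier.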
🔗 References
- http://packetstormsecurity.com/files/164625/Online-Student-Admission-System-1.0-SQL-Injection-Shell-Upload.html
- https://packetstormsecurity.com/files/164625/Online_Admission_System_CVEs-Gerard-Carbonell.pdf
- https://www.sourcecodester.com/php/14874/online-student-admission-system.html