Introduction
In late 2022, security researchers disclosed a high-impact vulnerability in a popular healthcare application, Online Diagnostic Lab Management System v1. Tracked as CVE-2022-43051, the flaw is an SQL injection in the application's backend. This post breaks down how the bug works, how an attacker can exploit it, and how you can protect your systems.
About the Vulnerability
Product Affected:
Online Diagnostic Lab Management System (ODLMS) v1.
Vulnerable Endpoint:
- /odlms/classes/Users.php?f=delete_test
Input Parameter:
id
When a user deletes a test record, the front end requests /odlms/classes/Users.php?f=delete_test with a query parameter named id. In v1. that value is interpolated straight into a SQL statement, with neither input validation nor a prepared statement.
Real-World Impact
Anyone who can reach the application (sometimes even without logging in, depending on the deployment) can send carefully crafted requests to this URL and manipulate the database. This can lead to:
How Does the Exploit Work?
Let's walk through how the bug is exploited.
1. Vulnerable Code Snippet
Below is a simplified PHP snippet illustrating the pattern in /odlms/classes/Users.php that deletes a test:
// DO NOT USE THIS CODE IN PRODUCTION - IT IS VULNERABLE!
$id = $_GET['id'];                          // attacker-controlled, never type-checked
$sql = "DELETE FROM tests WHERE id = $id";  // Vulnerable! string interpolation into SQL
$result = mysqli_query($conn, $sql);        // executes whatever the string now says
Notice that $id is inserted directly into the SQL text, so whatever arrives in the id parameter becomes part of the query, unchecked.
Suppose an attacker sends this GET request (spaces shown unencoded for readability; on the wire they would be %20 or +):
GET /odlms/classes/Users.php?f=delete_test&id=1 OR 1=1
The backend then executes:
DELETE FROM tests WHERE id = 1 OR 1=1
Because 1=1 is always true, the WHERE clause matches every row and the entire tests table is wiped.
Now suppose the attacker tries to leak admin data with a stacked query:
GET /odlms/classes/Users.php?f=delete_test&id=1; SELECT * FROM admin_users --
As written, this particular payload does not work against the snippet above: mysqli_query() executes exactly one statement, so the trailing SELECT produces a syntax error rather than a result set (stacked statements need mysqli_multi_query(), and a DELETE returns no rows in any case). Extracting data through an injectable DELETE is still possible, but via error-based or blind (boolean or time-based) techniques that embed a subquery in the WHERE clause, and depending on how database errors are displayed, the error text itself can reveal table or column names.
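To make the mechanism concrete, here is an added Python example (not code from ODLMS or from the original post) that issues the same DELETE two ways against an in-memory SQLite table: concatenating the id as the vulnerable snippet does, and binding it as the fix does. The tests table is the one named in the post; its name column and three rows are constructed for the demo, and SQLite stands in for MySQL so the script runs offline (the concatenation mechanism is identical, and, like mysqli_query(), SQLite's execute() refuses stacked statements). The payload from the post wipes the table in the concatenated version and is rejected before reaching the database in the bound one.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with three constructed test records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tests (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO tests (id, name) VALUES (?, ?)",
        [(1, "CBC"), (2, "Lipid panel"), (3, "HbA1c")],  # constructed sample rows
    )
    conn.commit()
    return conn


def remaining_rows(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM tests").fetchone()[0]


def delete_test_vulnerable(conn: sqlite3.Connection, raw_id: str) -> int:
    """Mirrors the vulnerable PHP: the raw id is pasted into the SQL text.
    Returns how many rows survive."""
    sql = f"DELETE FROM tests WHERE id = {raw_id}"  # untrusted input becomes SQL
    conn.execute(sql)
    conn.commit()
    return remaining_rows(conn)


def is_valid_id(raw_id: str) -> bool:
    """Only a plain ASCII decimal integer is an acceptable id (str.isdigit()
    would also accept characters such as superscripts that int() rejects)."""
    return re.fullmatch(r"[0-9]+", raw_id) is not None


def delete_test_fixed(conn: sqlite3.Connection, raw_id: str) -> int:
    """Validate the type, then bind the value; the SQL text never changes.
    Returns how many rows survive, or raises ValueError for bad input."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be an integer")
    conn.execute("DELETE FROM tests WHERE id = ?", (int(raw_id),))
    conn.commit()
    return remaining_rows(conn)


def stacked_query_is_rejected(conn: sqlite3.Connection) -> bool:
    """Single-statement APIs refuse '1; SELECT ...' style payloads, as
    mysqli_query() does. SQLite raises ProgrammingError (Warning on
    Python < 3.11) before running anything, so the table stays intact."""
    try:
        conn.execute("DELETE FROM tests WHERE id = 1; SELECT * FROM tests --")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return remaining_rows(conn) == 3
    return False


if __name__ == "__main__":
    print("vulnerable, id=2          ->", delete_test_vulnerable(make_db(), "2"), "rows left")
    print("vulnerable, id=1 OR 1=1   ->", delete_test_vulnerable(make_db(), "1 OR 1=1"), "rows left")
    print("fixed, id=2               ->", delete_test_fixed(make_db(), "2"), "rows left")
    print("fixed accepts '1 OR 1=1'  ->", is_valid_id("1 OR 1=1"))
    print("stacked query rejected    ->", stacked_query_is_rejected(make_db()))
```

The bound version never builds SQL from the input at all: the statement text is fixed at the call site and the driver ships the integer separately, so even if the type check were removed the value could only ever be compared against id, never parsed as SQL.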
How to Fix It
The right fix is a prepared statement: the query text and the value travel to the database separately, so the value can never be parsed as SQL.
Secure Version
// An authorization check belongs here as well: injection aside, only
// privileged users should be able to delete tests.

// Reject anything that is not a plain integer before it goes near SQL
// (is_numeric() would also accept values like "1.5", "1e3" and " 1")
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit('Invalid ID');
}
// Prepared statement: the SQL text is fixed, the value is bound separately
$stmt = $conn->prepare("DELETE FROM tests WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->close();
Or, since this parameter is an integer, cast it before use:
$id = intval($_GET['id']);
A cast closes the hole for numeric parameters only: it silently turns input such as abc into 0 instead of rejecting it, and it does nothing for string parameters, so prepared statements remain the general fix.
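Beyond fixing the code, you will want to know whether anyone has already probed the endpoint. The following added Python example (not ODLMS code and not a vendor detection rule) scans web-server access-log lines for delete_test requests whose id is anything other than a plain integer, after decoding the value the way PHP populates $_GET. The log lines are constructed in combined log format; the client addresses, timestamps and user agents are made up, and only the path and parameter name come from the advisory.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Combined-log-format prefix: enough to pull the client, the request target
# and the status code out of each line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/odlms/classes/Users.php"
VULN_ACTION = "delete_test"

# Constructed sample lines: two benign requests, then three carrying payloads
# shaped like the ones in this post (percent-encoded, '+'-encoded and stacked,
# and double-encoded to slip past a decoder that only looks for %20).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Nov/2022:20:15:01 +0000] "GET /odlms/classes/Users.php?f=delete_test&id=7 HTTP/1.1" 200 45 "-" "Mozilla/5.0"
192.0.2.4 - - [07/Nov/2022:20:15:03 +0000] "POST /odlms/admin/?page=tests HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Nov/2022:20:15:09 +0000] "GET /odlms/classes/Users.php?f=delete_test&id=1%20OR%201%3D1 HTTP/1.1" 200 45 "-" "curl/7.85.0"
198.51.100.7 - - [07/Nov/2022:20:16:30 +0000] "GET /odlms/classes/Users.php?f=delete_test&id=1;+SELECT+*+FROM+admin_users+-- HTTP/1.1" 500 212 "-" "python-requests/2.28"
198.51.100.7 - - [07/Nov/2022:20:16:41 +0000] "GET /odlms/classes/Users.php?f=delete_test&id=1%2520OR%25201%253D1 HTTP/1.1" 200 45 "-" "python-requests/2.28"
"""


def query_params(query: str) -> dict[str, list[str]]:
    """Split on '&' only and decode each value once (percent and '+'), which is
    how PHP fills $_GET. parse_qs is avoided because older Pythons also split
    on ';', which would hide a stacked-query payload from the check."""
    params: dict[str, list[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def suspicious_id_values(target: str) -> list[str]:
    """Decoded id values that are not a plain integer, for delete_test only."""
    path, _, query = target.partition("?")
    if path != VULN_PATH:
        return []
    params = query_params(query)
    if params.get("f", [""])[0] != VULN_ACTION:
        return []
    return [v for v in params.get("id", []) if not re.fullmatch(r"[0-9]+", v)]


def scan(log_text: str) -> list[dict]:
    """One finding per (request, bad id value) with who, when and the decoded payload."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip rather than crash
        for bad in suspicious_id_values(m["target"]):
            findings.append({
                "client": m["client"],
                "time": m["time"],
                "status": int(m["status"]),
                "id": bad,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} id={f['id']!r}")
```

The rule is deliberately positive rather than signature-based: it does not look for OR, UNION or quotes, it asks whether the id is the integer the application expects, so obfuscated variants are caught for free. The double-encoded line decodes once to 1%20OR%201%3D1, which is still not an integer and is therefore flagged, although the payload as recorded would not have injected against PHP's single decode either. Feed it your real log with scan(open(path).read()) and treat any hit on a 200 response as a reason to check the tests table.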
References
- National Vulnerability Database entry for CVE-2022-43051
- Exploit-DB entry for CVE-2022-43051
- OWASP: SQL Injection
Conclusion
CVE-2022-43051 is a critical SQL injection flaw in ODLMS v1. that an attacker can easily abuse to steal, modify, or destroy sensitive lab records. The fix is straightforward: always use prepared statements and never trust user data blindly. If you run ODLMS, patch now and audit your code for similar issues.
Timeline
Published on: 11/07/2022 20:15:00 UTC
Last modified on: 11/08/2022 15:12:00 UTC