In October 2022, cybersecurity researchers discovered a critical vulnerability in the open-source Sanitization Management System v1.. This bug, tracked as CVE-2022-43352, allows bad actors to execute dangerous SQL injection attacks through the id parameter in the /php-sms/classes/Master.php?f=delete_quote function. In this article, we’ll go step by step to understand the problem, see some real code examples, and understand how attackers take control. We’ll also discuss how to fix and protect your site.

What Is CVE-2022-43352?

CVE-2022-43352 is a SQL injection (SQLi) vulnerability—one of the most serious cybersecurity threats for web applications. SQL injection bugs allow hackers to run custom SQL commands in the database, which means they can steal, change, or even delete all your records.

This specific bug occurs in the Sanitization Management System v1., a PHP-based web app that schools or institutions can use to manage cleanliness scheduling and personnel.

The vulnerable route is:

/php-sms/classes/Master.php?f=delete_quote&id=[value]

Attackers can supply any value for the id parameter, and if the application just sticks this value into an SQL query without proper checks, the system is exposed.

Let’s look at likely vulnerable PHP code inside Master.php:

// This is what bad code can look like:

$id = $_GET['id']; // user input from URL
$sql = "DELETE FROM quotes WHERE id = $id";
mysqli_query($conn, $sql);

In this code, the $id variable comes directly from whatever the user puts in the URL. There is NO validation or sanitization. This lets an attacker hijack the query.

Suppose a hacker visits:

http://yourserver/php-sms/classes/Master.php?f=delete_quote&id=1 OR 1=1

What does the query become?

DELETE FROM quotes WHERE id = 1 OR 1=1

OR 1=1 is always true, so this query will try to delete ALL quotes, not just the one with id=1.

Even More Dangerous: Data Exfiltration

Suppose the attacker wants to dump user info, and the application has even worse code allowing stacked queries:

http://yourserver/php-sms/classes/Master.php?f=delete_quote&id=1;SELECT * FROM users--

If the database allows it, this can leak all user data to the attacker.

Proof of Concept Exploit

If you want to test if the app is vulnerable (on a test or staging site ONLY), try this in your browser:

http://<target>/php-sms/classes/Master.php?f=delete_quote&id=1' OR '1'='1

If all quotes are deleted, you have a problem! For more controlled tests, use sqlmap:

sqlmap -u "http://<target>/php-sms/classes/Master.php?f=delete_quote&id=1" --risk=3 --level=5 --dbs

This tool can automate the exploit and show just how bad things can get.

- Affected Parameter: id
- Affected Endpoint: /php-sms/classes/Master.php?f=delete_quote

Original References

- CVE Details - CVE-2022-43352
- Exploit Database - 51045 *(with proof of concept)*
- NVD - CVE-2022-43352

How to Fix CVE-2022-43352

The solution is to never trust user input, and always use prepared statements or at least proper sanitization. Here’s how you can FIX the code:

// Secure version using prepared statements
$id = $_GET['id'];
$stmt = $conn->prepare("DELETE FROM quotes WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();

This way, the database knows what is code and what is user data. User input is always handled as harmless content, not executable SQL.
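The difference between the two queries can be observed directly. The following is an added example, not code from the original article or from the project: it runs the concatenated and the parameterized DELETE against a constructed three-row quotes table, using Python's sqlite3 in place of PHP and MySQL so that it runs offline. The function names and table contents are assumptions, and the last function adds a strict integer check so a malformed id is refused before it reaches the database.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the quotes table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quotes (id INTEGER PRIMARY KEY, client TEXT)")
    conn.executemany(
        "INSERT INTO quotes (id, client) VALUES (?, ?)",
        [(1, "constructed-a"), (2, "constructed-b"), (3, "constructed-c")],
    )
    conn.commit()
    return conn

def remaining(conn):
    """Number of rows still present in quotes."""
    return conn.execute("SELECT COUNT(*) FROM quotes").fetchone()[0]

def delete_quote_vulnerable(conn, raw_id):
    # Same pattern as the vulnerable PHP: input is pasted into the SQL text,
    # so the database parses it as part of the WHERE clause.
    conn.execute("DELETE FROM quotes WHERE id = " + raw_id)
    return remaining(conn)

def delete_quote_parameterized(conn, raw_id):
    # Placeholder: the input is sent as a value and is never parsed as SQL.
    conn.execute("DELETE FROM quotes WHERE id = ?", (raw_id,))
    return remaining(conn)

def delete_quote_strict(conn, raw_id):
    # Reject anything that is not a plain ASCII integer, then bind it.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a positive integer")
    cur = conn.execute("DELETE FROM quotes WHERE id = ?", (int(raw_id),))
    return cur.rowcount  # rows actually deleted: 0 or 1

if __name__ == "__main__":
    payload = "1 OR 1=1"  # the value used in the article's example URL
    print("concatenated, rows left: ", delete_quote_vulnerable(make_db(), payload))
    print("parameterized, rows left:", delete_quote_parameterized(make_db(), payload))
    try:
        delete_quote_strict(make_db(), payload)
    except ValueError as exc:
        print("strict handler rejected input:", exc)
```

With the concatenated query the table is emptied; with the placeholder the same input matches no row and nothing is deleted.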

Wrapping Up

CVE-2022-43352 is a serious reminder: simple code mistakes can destroy even the fanciest web application. Always sanitize your input and use the right tools. If you’re running Sanitization Management System v1., patch your app NOW.

For more info, check out the original references and follow best practices for secure PHP development.


*Want to stay safe? Always keep security at the top of your dev checklist!*

Timeline

Published on: 11/07/2022 15:15:00 UTC
Last modified on: 11/08/2022 04:18:00 UTC