A critical SQL injection vulnerability (CVE-2022-43355) has been discovered in the Sanitization Management System v1. It potentially allows attackers to execute arbitrary SQL commands and access sensitive data. The flaw lies in the "id" parameter of the delete_service function, which is exposed at /php-sms/classes/Master.php?f=delete_service.

Exploit Details

The vulnerability is specifically found in the "delete_service" function, where unsanitized user input is passed directly into an SQL query. This can lead to SQL injection if the attacker sends a specially crafted request containing malicious SQL code to the vulnerable endpoint.

The vulnerable code snippet in the Master.php file is shown below:

public function delete_service() {
    ...
    $id = $_REQUEST['id'];   // attacker-controlled: read from GET, POST or cookie without validation
    ...
    // The value is concatenated straight into the SQL text, so it can alter the statement's structure
    $sql = "DELETE FROM sanitization_services WHERE id = '" . $id . "'";
    ...
}

In the above code snippet, the "id" parameter from the user request is used directly in an SQL query. The absence of input validation or sanitization allows an attacker to insert malicious SQL code, potentially leading to unauthorized data access, modification or deletion.

Reproduction Steps

An attacker can exploit this vulnerability by sending a specially crafted HTTP request targeting the vulnerable endpoint. Below is an example of a malicious GET request:

GET /php-sms/classes/Master.php?f=delete_service&id=1%20OR%201=1

In this example, the attacker sends the value 1 OR 1=1 as the "id" parameter. When the server processes the request, it builds the following SQL query:

DELETE FROM sanitization_services WHERE id = '1' OR 1=1

Since the condition "1=1" is always true, the WHERE clause matches every row, so this query deletes all records from the "sanitization_services" table.
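As an added example (not part of the original advisory), the following Python script shows how a defender could spot the crafted request above in web-server access logs: it flags any request to the delete_service endpoint whose "id" parameter is not a plain integer, which is the only form the legitimate application ever sends. It assumes the common/combined log format; the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and function named in the advisory.
VULN_PATH = "/php-sms/classes/Master.php"
VULN_FUNC = "delete_service"

# Common/combined log format: only the quoted request line is needed here.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_ids(log_lines):
    """Return (line_no, decoded_id) for every request to the delete_service
    endpoint whose id parameter is not a plain positive integer.
    Anything else (spaces, quotes, SQL keywords) is worth alerting on."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        # parse_qs percent-decodes values, so "1%20OR%201=1" becomes "1 OR 1=1"
        params = parse_qs(url.query, keep_blank_values=True)
        if params.get("f", [None])[0] != VULN_FUNC:
            continue
        for raw_id in params.get("id", [""]):
            if not re.fullmatch(r"[0-9]+", raw_id):
                hits.append((n, raw_id))
    return hits


# Constructed sample log lines (not from a real server). The third line is the
# request shown in the advisory; the fourth is a non-numeric id sent via POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2022:10:00:01 +0000] "GET /php-sms/classes/Master.php?f=delete_service&id=7 HTTP/1.1" 200 52',
    '10.0.0.5 - - [01/Nov/2022:10:00:02 +0000] "GET /php-sms/classes/Master.php?f=get_service&id=1%20OR%201=1 HTTP/1.1" 200 120',
    '198.51.100.9 - - [01/Nov/2022:10:00:03 +0000] "GET /php-sms/classes/Master.php?f=delete_service&id=1%20OR%201=1 HTTP/1.1" 200 52',
    '198.51.100.9 - - [01/Nov/2022:10:00:04 +0000] "POST /php-sms/classes/Master.php?f=delete_service&id=abc HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for line_no, bad_id in suspicious_ids(SAMPLE_LOG):
        print(f"line {line_no}: non-numeric id {bad_id!r} sent to {VULN_FUNC}")
```

Because the vulnerable code reads $_REQUEST, the parameter can also arrive in a POST body or cookie, which ordinary access logs do not record; a request-body-aware log source or a WAF is needed to cover those paths.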

Mitigation

To protect your Sanitization Management System v1. from this vulnerability, you should apply input validation and sanitization techniques to the "id" parameter before using it in the SQL query. One common method is to use prepared statements, as shown in the following code snippet:

public function delete_service() {
    ...
    $id = $_REQUEST['id'];
    ...
    // Parameterised query: the value is sent separately from the SQL text,
    // so it can never change the structure of the statement
    $sql = "DELETE FROM sanitization_services WHERE id = ?";
    $stmt = $conn->prepare($sql);   // $conn is the application's mysqli connection
    $stmt->bind_param("i", $id);    // "i" binds $id as an integer
    $stmt->execute();
    ...
}

By using prepared statements, the application separates the data from the query, thereby preventing SQL injection attacks.

For more information on CVE-2022-43355, you can refer to the following resources:

1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43355
2. NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43355
3. Exploit Database: https://www.exploit-db.com/exploits/day/CVE-2022-43355

Conclusion

The Sanitization Management System v1. contains a critical SQL injection vulnerability (CVE-2022-43355) in the "id" parameter of the delete_service function. Attackers can exploit this vulnerability to execute arbitrary SQL commands, potentially gaining unauthorized access to sensitive information. To mitigate this vulnerability, it is essential to implement proper input validation and sanitization techniques such as using prepared statements in SQL queries.

Timeline

Published on: 11/01/2022 01:15:00 UTC
Last modified on: 11/01/2022 17:30:00 UTC