CVE-2022-29305
Description
imgurl v2.31 was discovered to contain a Blind SQL injection vulnerability via /upload/localhost.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- imgurl/imgurl
Patches
Vulnerability mechanics
Root cause
"User-controlled IP address is directly concatenated into a SQL statement without sanitization in upload.php lines 44-58."
Attack vector
An attacker sends a GET request to /upload/localhost with a crafted X-Forwarded-For header containing a SQL injection payload [ref_id=1]. The application obtains the user's IP via multiple methods and splices it unsanitized into a SQL statement at lines 44-58 of upload.php, specifically in the query->uplimit($ip) call [ref_id=1]. This allows blind SQL injection against the SQLite database, enabling data extraction via boolean-based or time-based techniques [CWE-89]. The attack requires no authentication and can be performed over HTTP.
Affected code
The vulnerable code is in upload.php, lines 44 through 58, where the user's IP address is directly concatenated into a SQL statement via the query->uplimit($ip) call [ref_id=1]. The application uses multiple methods to obtain the user's IP, including the X-Forwarded-For header, and passes the value unsanitized into the SQL query [ref_id=1].
What the fix does
The advisory recommends two remediation approaches: validate the user IP format to ensure it contains only expected characters, or switch to PDO prepared statements to prevent SQL injection entirely [ref_id=1]. No patch has been published by the vendor — the repository was archived and is read-only as of Jan 23, 2026 [ref_id=1]. Using parameterized queries would separate SQL logic from data, eliminating the possibility of injection regardless of input content.
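The two remediations described above, worked out as an added PHP example (this is not imgurl's code; the `uploads` table with its `ip`/`day` columns, the `clientIp` and `uploadsToday` names, and the proxy address 10.0.0.2 are assumptions made for the illustration):

```php
<?php
// Added example, not imgurl's code. Table and column names are hypothetical.
declare(strict_types=1);

// Resolve the client IP. X-Forwarded-For is only honoured when the direct peer
// is a known reverse proxy; otherwise the client picks its own "IP", which is
// exactly how attacker-controlled text reached the query in the advisory.
// Returns null unless the result is a syntactically valid IPv4/IPv6 address.
function clientIp(array $server, array $trustedProxies = []): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $candidate = $remote;
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Right-most hop is the one our trusted proxy appended and is the least spoofable.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
    }
    return filter_var($candidate, FILTER_VALIDATE_IP) === false ? null : $candidate;
}

// Per-IP upload count with a PDO prepared statement: the IP is bound as data,
// so SQL metacharacters in it can never alter the statement's structure.
function uploadsToday(PDO $db, string $ip): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM uploads WHERE ip = :ip AND day = :day');
    $stmt->execute([':ip' => $ip, ':day' => date('Y-m-d')]);
    return (int) $stmt->fetchColumn();
}

// Demonstration with an in-memory SQLite database (requires pdo_sqlite) and a
// constructed request array standing in for $_SERVER.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE uploads (ip TEXT NOT NULL, day TEXT NOT NULL)');
$db->prepare('INSERT INTO uploads VALUES (:ip, :day)')
   ->execute([':ip' => '203.0.113.7', ':day' => date('Y-m-d')]);

$requests = [
    // Proxy-appended hop is a valid address: counted normally.
    ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7'],
    // Injection text in the header never reaches SQL: rejected by the IP check.
    ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => "' union select 1--"],
    // Direct client that is not a trusted proxy: its header is ignored entirely.
    ['REMOTE_ADDR' => '192.0.2.5', 'HTTP_X_FORWARDED_FOR' => "' union select 1--"],
];
foreach ($requests as $server) {
    $ip = clientIp($server, ['10.0.0.2']);
    echo $ip === null ? "rejected: header is not an IP address\n"
                      : "uploads today for $ip: " . uploadsToday($db, $ip) . "\n";
}
```

Either layer alone closes the injection: the format check keeps non-address text out of the query, and the bound parameter keeps any text that does arrive from being parsed as SQL.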
Preconditions
- network: Attacker must be able to send HTTP requests to the /upload/localhost endpoint.
- input: Attacker must be able to control the X-Forwarded-For HTTP header (or another IP source used by the application).
Reproduction
Send a GET request to /upload/localhost with a malicious X-Forwarded-For header containing a SQL injection payload. Example from the advisory [ref_id=1]:
```
GET /upload/localhost HTTP/1.1
Host: host.local
Cookie: XSRF-TOKEN=[Your_XSRF-TOKEN];
x-forwarded-for: ' union select case(2>1)when(1)then(10)else(0)end order by num desc--
Connection: close
```
For automated exploitation, sqlmap can be used with the prefix and suffix values documented in the advisory [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rrjv-34p5-4c7r (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-29305 (advisory)
- github.com/helloxz/imgurl/issues/75 (issue tracker)
News mentions
No linked articles in our index yet.