CVE-2022-43355
Description
Sanitization Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php-sms/classes/Master.php?f=delete_service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability exists in Sanitization Management System v1.0 via the `id` parameter in `/php-sms/classes/Master.php?f=delete_service`, allowing an authenticated attacker to extract database contents.
Vulnerability
Sanitization Management System v1.0, built by oretnom23 and available on SourceCodester, contains a SQL injection vulnerability in the /php-sms/classes/Master.php?f=delete_service endpoint. The id parameter passed via POST is not sanitized before being used in a database query, allowing an attacker to inject arbitrary SQL. The application runs on XAMPP with PHP 8.1 and uses a MySQL database named sms_db. The vulnerability exists in the id parameter [1].
Exploitation
An attacker must first authenticate as any user; the provided proof-of-concept uses the Super Admin account admin/admin123 [1]. The attack is performed by sending a POST request to /php-sms/classes/Master.php?f=delete_service with a crafted id parameter containing SQL injection payloads. For example, the payload id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ triggers an error-based blind injection that reveals database information [1]. The attacker can use similar techniques to extract other data from the database.
Impact
Successful exploitation allows an authenticated attacker to read sensitive information from the database, including usernames, passwords, and other application data. The injection uses the updatexml function to trigger error messages that disclose data, enabling data exfiltration. The privilege level required is at least an authenticated user, but the impact could lead to complete disclosure of the application's database contents [1].
Mitigation
As of the publication date, no patched version has been released. The vendor (oretnom23) has not provided a fix. The application is developed by a third-party vendor and may no longer be supported. Users should apply input validation and parameterized queries to the id parameter, or restrict access to the affected endpoint until a patch is available. There is no indication this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
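The mitigation above (validate the id, use a parameterized query, and stop database error text from reaching the response) is illustrated below. This is an added example, not code from the Sanitization Management System project: the class, the table name `service_list`, and the handler structure are assumptions, and the page does not show the real `Master.php` source. The example assumes a mysqli connection to the sms_db database, as the page says the application uses MySQL.

```php
<?php
// Added illustration, not the project's code: a hypothetical delete_service
// handler showing the injectable pattern beside a hardened version.
// Assumes a mysqli connection $conn to sms_db; table name service_list is assumed.

class MasterExample
{
    private mysqli $conn;

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    // Hypothetical vulnerable pattern: the request value is spliced into the SQL
    // text, so a quote inside $id changes the query structure. Error-based
    // techniques also depend on the driver's error message being echoed back.
    public function delete_service_vulnerable(string $id): bool
    {
        $sql = "DELETE FROM service_list WHERE id = '{$id}'";
        $result = $this->conn->query($sql);
        if ($result === false) {
            echo $this->conn->error;   // leaks database error text to the client
        }
        return (bool) $result;
    }

    // Hardened: validate the type, bind the value, and keep driver errors server-side.
    public function delete_service_safe(string $id): array
    {
        // id must be a positive integer; reject anything else before touching the DB
        if (!preg_match('/^[1-9][0-9]*$/', $id)) {
            return ['status' => 'failed', 'msg' => 'Invalid service id.'];
        }
        $intId = (int) $id;

        $stmt = $this->conn->prepare("DELETE FROM service_list WHERE id = ?");
        if ($stmt === false) {
            error_log('prepare failed: ' . $this->conn->error); // log only, never echo
            return ['status' => 'failed', 'msg' => 'Unable to delete service.'];
        }
        $stmt->bind_param('i', $intId);   // bound as integer; cannot alter the SQL text
        if (!$stmt->execute()) {
            error_log('execute failed: ' . $stmt->error);
            $stmt->close();
            return ['status' => 'failed', 'msg' => 'Unable to delete service.'];
        }
        $affected = $stmt->affected_rows;
        $stmt->close();

        return $affected > 0
            ? ['status' => 'success']
            : ['status' => 'failed', 'msg' => 'Service not found.'];
    }
}

// Hypothetical usage from the endpoint handler:
// $master = new MasterExample($conn);
// echo json_encode($master->delete_service_safe($_POST['id'] ?? ''));
```

Two points matter here beyond the prepared statement itself: the integer check rejects the malformed `id` values before any database round-trip, and routing driver errors to `error_log()` instead of the response removes the channel that error-based injection relies on, so even a regression in the query code would not disclose data through error text.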
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Sanitization Management System / Sanitization Management System
- Range: <=1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.