VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2022 · Updated Apr 11, 2025

CVE-2022-44137

Description

SourceCodester Sanitization Management System 1.0 is vulnerable to SQL Injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in SourceCodester Sanitization Management System 1.0 allows authenticated attackers to extract database information via the id parameter in view_inquiry.

Vulnerability

The SourceCodester Sanitization Management System version 1.0 contains a SQL injection vulnerability in the /php-sms/admin/?page=inquiries/view_inquiry endpoint. The id parameter is directly concatenated into SQL queries without sanitization, allowing an attacker to inject arbitrary SQL statements. The vulnerability is reachable after authenticating with admin credentials (default: admin/admin123) [1].

Exploitation

An attacker with valid admin credentials can exploit this vulnerability by sending a crafted GET request to the vulnerable endpoint. The payload id=99999999999999999' union select 1,2,database(),user(),5,6,7,8,9 --+ demonstrates how to extract the database name and current database user. The attacker must include a valid session cookie (e.g., PHPSESSID) obtained after logging in [1].

Impact

Successful exploitation allows an attacker to retrieve sensitive information from the underlying MySQL database, such as the database name (sms_db) and the database user (root@localhost). This information disclosure can be leveraged for further attacks, including privilege escalation or data exfiltration [1].

Mitigation

As of the publication date (2022-12-30), no official patch or fixed version has been released by SourceCodester. The vendor provides the source code, so administrators should manually implement input validation and use parameterized queries (prepared statements) for the id parameter. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. Until a fix is available, restricting access to the admin panel and monitoring for suspicious requests are recommended workarounds [1].
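To make the mitigation concrete, here is an added example (written for this page, not code from SourceCodester or the Sanitization Management System) showing a hypothetical view_inquiry handler with the id parameter concatenated into the query string, beside the same lookup rewritten with input validation and a mysqli prepared statement. The table name inquiry_list, the column names and the function names are assumptions; the product's actual schema and handler code are not on the page.

```php
<?php
// Added example, not the Sanitization Management System's own code.
// Table name `inquiry_list` and the column layout are assumptions.

// BEFORE (the defect class the advisory describes): the request parameter is
// pasted straight into the SQL text, so any quote character in ?id= changes the
// structure of the statement instead of being treated as data.
function get_inquiry_unsafe(mysqli $conn, array $get): ?array
{
    $sql = "SELECT * FROM inquiry_list WHERE id = '" . ($get['id'] ?? '') . "'";
    $result = $conn->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// AFTER: validate that id is a positive integer, then bind it as a typed
// parameter. The value travels to MySQL separately from the statement text,
// so it can never be parsed as SQL (no UNION, no comment sequence, no quote).
function get_inquiry_safe(mysqli $conn, array $get): ?array
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null; // reject anything that is not a positive integer
    }

    $stmt = $conn->prepare("SELECT * FROM inquiry_list WHERE id = ?");
    if ($stmt === false) {
        return null; // statement could not be prepared; do not fall back to string building
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Hypothetical wiring for the page handler (connection details are placeholders).
$conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'sms_db');
$inquiry = get_inquiry_safe($conn, $_GET);
if ($inquiry === null) {
    http_response_code(404);
    exit('Inquiry not found');
}
```

The unsafe function is kept only to show the shape of the defect; in a real fix it should be deleted, not left reachable. The hardened version also returns the same response for non-numeric ids as for unknown ones, which removes the database error messages that make injection attempts easy to confirm, and pairs naturally with the advisory's advice to log and review requests to the admin panel that carry non-numeric id values.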

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.