CVE-2022-44294
Description
Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=services/manage_service&id=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sanitization Management System v1.0 is vulnerable to SQL injection in the 'id' parameter, allowing authenticated attackers to extract database contents.
Vulnerability
Sanitization Management System v1.0, built with PHP and MySQL, contains a SQL injection vulnerability in the id parameter of the /php-sms/admin/?page=services/manage_service endpoint. The application fails to sanitize user input before using it in a database query, enabling an attacker to inject arbitrary SQL commands. The vulnerable file is manage_service.php. [1]
Exploitation
An attacker must have a valid administrator account (e.g., admin/admin123) to access the vulnerable page. By appending a crafted payload to the id parameter, such as 1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+, the attacker can trigger an error that reveals the database name (sms_db) or other sensitive information. The manipulation is performed via an HTTP GET request. [1]
Impact
Successful exploitation allows an attacker to extract arbitrary data from the database, including user credentials and other sensitive information. The injection is error-based, providing immediate feedback through database error messages. The attack does not require special privileges beyond the existing admin session. [1]
Mitigation
As of the disclosure date (November 2022), no official patch has been released. Administrators should apply input validation and parameterized queries to the id parameter. Until a fix is available, restrict access to the admin panel and monitor for unusual activity. [1]
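The monitoring step above can be made concrete with a small access-log check; this is an added example, not code from the advisory or from the application. It assumes combined-format web server logs, that requests reach the admin panel at exactly /php-sms/admin/, and that a legitimate id is a short run of digits (the same allowlist rule would serve as input validation on the parameter).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory.
ADMIN_PATH = "/php-sms/admin/"
VULN_PAGE = "services/manage_service"

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Allowlist (assumption): a service id is 1 to 10 ASCII digits and nothing else.
VALID_ID = re.compile(r"[0-9]{1,10}")

def suspicious_ids(log_lines):
    """Return (line_number, decoded_id) for manage_service requests whose id is not numeric."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != ADMIN_PATH:
            continue
        # parse_qs percent-decodes values and turns '+' into a space,
        # so encoded quotes and spaces are compared in decoded form.
        params = parse_qs(url.query, keep_blank_values=True)
        if VULN_PAGE not in params.get("page", []):
            continue
        for value in params.get("id", []):
            if not VALID_ID.fullmatch(value):
                hits.append((n, value))
    return hits

# Constructed sample log lines (not from a real server); line 2 carries the
# payload quoted in the advisory, line 4 a stray trailing space.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2022:10:01:02 +0000] "GET /php-sms/admin/?page=services/manage_service&id=3 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Nov/2022:10:01:09 +0000] "GET /php-sms/admin/?page=services/manage_service&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ HTTP/1.1" 200 913',
    '203.0.113.9 - - [10/Nov/2022:10:02:30 +0000] "GET /php-sms/admin/?page=services HTTP/1.1" 200 4410',
    '203.0.113.9 - - [10/Nov/2022:10:03:11 +0000] "GET /php-sms/admin/?page=services/manage_service&id=7%20 HTTP/1.1" 200 5098',
]

if __name__ == "__main__":
    for lineno, value in suspicious_ids(SAMPLE_LOG):
        print(f"line {lineno}: non-numeric id {value!r}")
```

Because the check is an allowlist, it flags any non-digit value, including harmless ones such as the trailing space on line 4, so hits are candidates for review, not confirmed injection attempts.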
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sanitization Management System/Sanitization Management System
- Range: = 1.0
Patches
No patches discovered yet.