CVE-2022-44295

Vulnerability

Sanitization Management System v1.0, available from SourceCodester, contains a SQL injection vulnerability in the file /php-sms/admin/orders/assign_team.php. The id parameter is directly concatenated into an SQL query without sanitization, allowing an attacker to inject arbitrary SQL statements. The vulnerability is reachable only after authenticating with a valid admin account (e.g., admin/admin123). The application was tested on XAMPP with PHP 8.1 [1].

Exploitation

An attacker must first log in as an admin (Super Admin account). Once authenticated, a crafted GET request to /php-sms/admin/orders/assign_team.php?id= with a malicious payload triggers the injection. The provided proof-of-concept uses an error-based technique with updatexml() to extract the database name. For example, the payload 1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ causes an XML parsing error that reveals the database name (sms_db) in the error message [1]. No additional privileges or user interaction beyond admin login are required.

Impact

Successful exploitation leads to information disclosure. An attacker can extract sensitive data from the database, such as the database name, table names, column names, and potentially user credentials or other stored information. The attack is limited to reading data via error-based SQL injection; it does not directly allow data modification or remote code execution. The scope is confined to the database accessible by the application's database user [1].

Mitigation

As of the publication date (2022-11-30), no official patch or updated version has been released by the vendor. The software is provided as open source, and users are advised to apply input validation and parameterized queries to the id parameter in assign_team.php. Until a fix is available, restricting admin access to trusted users and monitoring for suspicious requests can reduce risk. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.