CVE-2022-43066 - Online Diagnostic Lab Management System v1. SQL Injection Vulnerability in the "delete_message" Function

In this post, we're going to take a deep dive into a recent vulnerability disclosure that affects the Online Diagnostic Lab Management System (ODLMS) v1. application. The vulnerability, identified as CVE-2022-43066, is a SQL Injection vulnerability that allows an attacker to execute arbitrary SQL queries on the application's underlying database, potentially compromising sensitive data or gaining unauthorized access to the system.

To start, let's put CVE-2022-43066 into context. ODLMS is a web-based platform used primarily by diagnostic laboratories to manage patient records, test reports, billing processes, and lab administration. The affected version, v1., was discovered to contain a serious SQL injection vulnerability that stems from improper input sanitation in the "id" parameter at /odlms/classes/Master.php?f=delete_message.

Let's examine the vulnerable code snippet below

// File: /odlms/classes/Master.php

public function delete_message($id)
{
    $this->check_auth();
    $sql = "DELETE FROM tbl_card_msg WHERE md5(id) = '$id'";
    $this->db->query($sql);
}

As we can see, the delete_message function takes an input $id that is used directly in the SQL query without any proper sanitation or validation. The md5(id) is applied to the id field in the tbl_card_msg table within the database, but the user-supplied $id value is wrapped directly into the SQL query with single quotes - providing a potential attacker the opportunity to inject custom SQL code.

Exploit Details

An attacker can take advantage of this vulnerability by crafting a URL that includes a specially crafted "id" parameter, such as this one:

http://target/odlms/classes/Master.php?f=delete_message&id=[SQL injection payload]

To exploit the vulnerability, an attacker can include a payload that not only matches the valid MD5 hash of a record in the tbl_card_msg table but also contains an SQL injection payload. The attacker can then alter the database, extract sensitive data, or gain unauthorized access.

For example, consider the following exploit

http://target/odlms/classes/Master.php?f=delete_message&id=1'; AND (SELECT 1 FROM (SELECT SLEEP(5))a) --

In this case, if the SQL injection payload is executed successfully, the server will pause for five seconds before responding. This can help an attacker confirm the presence of the vulnerability, which can then be customized further for specific exploitation.

Links to Original References

- Original vulnerability disclosure: https://www.example.com/disclosure/CVE-2022-43066
- Additional information on ODLMS: https://www.example.com/products/odlms
- NVD entry for CVE-2022-43066: https://nvd.nist.gov/vuln/detail/CVE-2022-43066

Conclusion and Recommendations

The discovery of this SQL injection vulnerability in the ODLMS v1. indicates the importance of proper input validation and sanitation when working with user-input data in web-based applications. To mitigate the effects of this vulnerability:

1. Always validate and sanitize user input before incorporating it into SQL queries - consider using parameterized queries or prepared statements.

Keep your software up-to-date with the latest patches and security updates.

Stay vigilant and ensure that proper security measures are in place to protect your applications and user data from malicious attacks.

Timeline

Published on: 11/02/2022 20:15:00 UTC
Last modified on: 11/03/2022 03:35:00 UTC