## https://sploitus.com/exploit?id=5AD7D697-C3E8-5EC5-A164-30020D661DA5
# CVE-2025-69215: OpenSTAManager has an SQL Injection in the Stampe Module
## Overview
| Field | Details |
|---|---|
| **CVE ID** | CVE-2025-69215 |
| **Vulnerability Type** | SQL Injection |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Vulnerability Details
### Location
- **File:** `modules/stampe/actions.php`
- **Line:** 26
- **Vulnerable Code:**
```php
case 'update':
    if (!empty(intval(post('predefined'))) && !empty(post('module'))) {
        $dbo->query('UPDATE `zz_prints` SET `predefined` = 0 WHERE `id_module` = '.post('module'));
        // Direct concatenation without prepare() sanitization
    }
```
### Root Cause
The `module` parameter from POST data is concatenated directly into an SQL UPDATE query without passing through the `prepare()` sanitization function. While the `predefined` parameter is coerced with `intval()`, the `module` parameter only receives an `!empty()` check, which merely confirms that a value is present and does nothing to neutralize SQL metacharacters, so it does NOT prevent SQL injection.
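To make the root cause concrete, here is an added example (not OpenSTAManager's own code) that recreates the shape of the `update` handler against an in-memory SQLite table, with the vulnerable concatenation beside a hardened version. It uses plain PDO rather than the project's `post()`/`prepare()` helpers, and the table contents, the `$post` arrays and the function names `update_vulnerable`/`update_hardened` are all constructed for the demo.

```php
<?php
// Added example, not code from OpenSTAManager. It mirrors the pattern from
// modules/stampe/actions.php so the vulnerable and hardened handlers can be
// compared. PDO/SQLite, the sample rows and the $post arrays are assumptions.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data using the zz_prints columns the query touches.
$pdo->exec('CREATE TABLE zz_prints (id INTEGER PRIMARY KEY, id_module INTEGER, predefined INTEGER)');
$pdo->exec('INSERT INTO zz_prints (id, id_module, predefined) VALUES (1, 7, 1), (2, 7, 0), (3, 8, 1)');

// Vulnerable form (same shape as the advisory's snippet): the module value is
// concatenated into the statement after nothing more than an !empty() check.
function update_vulnerable(PDO $pdo, array $post): int
{
    if (!empty(intval($post['predefined'] ?? '')) && !empty($post['module'] ?? '')) {
        return $pdo->exec('UPDATE zz_prints SET predefined = 0 WHERE id_module = ' . $post['module']);
    }
    return 0;
}

// Hardened form: both request values are validated as integers up front, and
// the module id is bound as a parameter, so request data never becomes SQL text.
function update_hardened(PDO $pdo, array $post): int
{
    $predefined = filter_var($post['predefined'] ?? null, FILTER_VALIDATE_INT);
    $module     = filter_var($post['module'] ?? null, FILTER_VALIDATE_INT);
    if ($predefined === false || $predefined === 0 || $module === false || $module <= 0) {
        throw new InvalidArgumentException('module and predefined must be positive integers');
    }
    $stmt = $pdo->prepare('UPDATE zz_prints SET predefined = 0 WHERE id_module = :module');
    $stmt->execute([':module' => $module]);
    return $stmt->rowCount();
}

// Constructed requests: a legitimate one and one whose module value is not numeric.
$legit = ['predefined' => '1', 'module' => '7'];
$bad   = ['predefined' => '1', 'module' => 'not-a-number'];

printf("hardened, legit input: %d row(s) matched for module 7\n", update_hardened($pdo, $legit));

try {
    update_hardened($pdo, $bad);
} catch (InvalidArgumentException $e) {
    echo "hardened, bad input rejected before any SQL ran: {$e->getMessage()}\n";
}

try {
    // The vulnerable handler forwards the same bad value straight into the statement.
    update_vulnerable($pdo, $bad);
} catch (PDOException $e) {
    echo "vulnerable, bad input reached the SQL engine: {$e->getMessage()}\n";
}
```

The contrast worth noticing is where the rejection happens: the hardened handler fails on input validation before a statement is built, whereas the vulnerable one only fails because the database refuses to parse the concatenated text. In a code review, the tell is any `$dbo->query(... . post(...))` or similar string concatenation that bypasses `prepare()`; `intval()` on the one parameter does not protect the other.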
**Vulnerable Pattern:**
```php
// Line 25: intval() protects predefined, but module is not sanitized...
```
## Affected Products
- **devcode-it/openstamanager** (versions: <= 2.9.8)
## CWE Classification
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
## References
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qx9p-w3vj-q24q
- https://nvd.nist.gov/vuln/detail/CVE-2025-69215
- https://github.com/advisories/GHSA-qx9p-w3vj-q24q
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.