CVE-2022-32000

7.2 HIGH

📋 TL;DR

Badminton Center Management System v1.0 contains a SQL injection vulnerability in the admin service transactions management page. Attackers can inject malicious SQL queries through the 'id' parameter to manipulate database queries. This affects all deployments of Badminton Center Management System v1.0 with the vulnerable component enabled.

💻 Affected Systems

Products:
  • Badminton Center Management System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access, but SQL injection can potentially bypass authentication.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution if database permissions allow.

🟠 Likely Case

Unauthorized data access and extraction of sensitive information from the database, potentially including user credentials, payment information, and administrative data.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries in place, potentially only causing error messages or minor data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires access to admin interface but SQL injection could potentially bypass authentication. Public proof-of-concept available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries and input validation in the affected PHP files.

🔧 Temporary Workarounds

Web Application Firewall (WAF) (platform: all)

Deploy a WAF with SQL injection rules to block malicious requests

Input Validation Filter (platform: all)

Reject any 'id' value that is not a plain decimal integer before it reaches the database query

// PHP example: if (!isset($_GET['id']) || !ctype_digit($_GET['id'])) { die('Invalid input'); }

🧯 If You Can't Patch

  • Restrict access to the admin interface using IP whitelisting or VPN
  • Implement database user with minimal permissions (read-only where possible)

🔍 How to Verify

Check if Vulnerable:

Test the vulnerable endpoint with SQL injection payloads: /bcms/admin/?page=service_transactions/manage_service_transaction&id=1'

Check Version:

Check system version in admin panel or configuration files

Verify Fix Applied:

Repeat the SQL injection test above and confirm the request is rejected with a generic error and that no database error text is returned

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in web server logs
  • Unusual database query patterns from web application

Network Indicators:

  • HTTP requests with SQL keywords in URL parameters
  • Repeated requests to vulnerable endpoint with different payloads

SIEM Query:

web.url:*manage_service_transaction* AND (web.param.id:*'* OR web.param.id:*--* OR web.param.id:*UNION*)
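The SIEM rule above, expressed as a runnable scan over web access logs; this is an added example, not part of the advisory, and the Apache-format log lines are constructed. It percent-decodes the id value before matching, which a raw-string rule such as web.param.id:*'* does not, and it reports sources that hit the endpoint repeatedly.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2022:10:00:01 +0000] "GET /bcms/admin/?page=service_transactions/manage_service_transaction&id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2022:10:00:02 +0000] "GET /bcms/admin/?page=service_transactions/manage_service_transaction&id=1' HTTP/1.1" 500 312 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jun/2022:10:00:03 +0000] "GET /bcms/admin/?page=service_transactions/manage_service_transaction&id=1%27%20--%20 HTTP/1.1" 500 312 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jun/2022:10:00:04 +0000] "GET /bcms/admin/?page=service_transactions/manage_service_transaction&id=1%20union%20select%201 HTTP/1.1" 200 640 "-" "curl/7.68.0"
10.0.0.5 - - [01/Jun/2022:10:00:05 +0000] "GET /bcms/admin/?page=service_transactions/list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "METHOD target PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The same three indicators as the advisory's SIEM rule, checked on the decoded id value.
ENDPOINT = "manage_service_transaction"
INDICATORS = ("'", "--", "union")


def suspicious_id(value: str) -> bool:
    """True if a decoded id value carries a quote, a comment marker or UNION."""
    return any(ind in value.lower() for ind in INDICATORS)


def scan_log(text: str) -> list:
    """Return one hit per request to the vulnerable page whose id looks like SQL injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or ENDPOINT not in m.group("target"):
            continue
        # parse_qs percent-decodes, so %27 and %2D%2D are matched as ' and -- here.
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in params.get("id", []):
            if suspicious_id(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "id": value, "status": m.group("status")})
    return hits


def repeat_offenders(hits: list, threshold: int = 2) -> list:
    """Sources with at least `threshold` hits: the 'repeated requests' network indicator."""
    counts = Counter(h["ip"] for h in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

On the constructed sample, three of the five requests are flagged, all from one source, which repeat_offenders() returns.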
