CVE-2022-45564

9.8 CRITICAL

📋 TL;DR

This CVE describes a SQL injection vulnerability in the znfit Home improvement ERP management system that allows attackers to execute arbitrary SQL commands via the userCode parameter of the wechat applet. Attackers can potentially read, modify, or delete database content. Organizations running affected versions of znfit ERP are at risk.

💻 Affected Systems

Products:
  • znfit Home improvement ERP management system
Versions: V50_20220207 and v42
Operating Systems: Any OS running the affected software
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with the vulnerable wechat applet component enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution on the database server.

🟠

Likely Case

Unauthorized data access, privilege escalation, and potential data manipulation affecting business operations.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via wechat applet which is typically internet-accessible.
🏢 Internal Only: MEDIUM - If the system is deployed internally only, risk is reduced but still significant if internal users can exploit.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available in a GitHub repository. SQL injection via the userCode parameter is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Contact vendor Shanghai Zhuangmeng Information Technology Co., Ltd. for updates. Implement workarounds immediately.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement strict input validation and sanitization for the userCode parameter to prevent SQL injection.

Web Application Firewall (WAF)

Applies to: all

Deploy a WAF with SQL injection protection rules to block malicious requests.
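The two workarounds above (validating userCode and, per the "If Mitigated" case, using parameterized queries) are shown together in this added example. It is not znfit's code: the table layout, the userCode format accepted by the allowlist, and the sample rows are all assumptions, and SQLite stands in for whatever database the ERP uses. The vulnerable lookup splices the parameter into the SQL text; the hardened one rejects unexpected characters and binds the value as a parameter.

```python
# Added example (not znfit's code): string-built userCode lookup beside the
# validated, parameterized version. Database schema and rows are constructed.
import re
import sqlite3


def make_db():
    # Constructed stand-in for the ERP user table (assumed columns).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userCode TEXT, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("U1001", "Alice", "admin"), ("U1002", "Bob", "sales"),
         ("U1003", "Carol", "sales")],
    )
    return conn


def lookup_vulnerable(conn, user_code):
    # Vulnerable pattern: the untrusted value becomes part of the SQL text,
    # so a value such as ' OR '1'='1 rewrites the WHERE clause.
    sql = "SELECT userCode, name FROM users WHERE userCode = '" + user_code + "'"
    return conn.execute(sql).fetchall()


# Assumed userCode format: short alphanumeric code. Adjust to the real scheme.
USER_CODE_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_valid_user_code(user_code):
    # Allowlist check: anything outside the expected character set is refused
    # before it gets near the database.
    return USER_CODE_RE.fullmatch(user_code) is not None


def lookup_hardened(conn, user_code):
    # Defense in depth: allowlist validation first, then a bound parameter so
    # the value can only ever be compared, never parsed as SQL.
    if not is_valid_user_code(user_code):
        raise ValueError("invalid userCode")
    sql = "SELECT userCode, name FROM users WHERE userCode = ?"
    return conn.execute(sql, (user_code,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))   # every row comes back
    print(lookup_hardened(db, "U1002"))           # only Bob
    try:
        lookup_hardened(db, "' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)
```

The parameterized query alone is what closes the injection; the allowlist is the cheap extra layer that also keeps malformed codes out of application logs and error messages.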

🧯 If You Can't Patch

  • Isolate the affected system from internet access and restrict internal access to authorized users only.
  • Implement network segmentation and monitor all database queries for suspicious patterns.

🔍 How to Verify

Check if Vulnerable:

Test the userCode parameter with SQL injection payloads (e.g., ' OR '1'='1) and observe whether database errors or unexpected behavior occur.

Check Version:

Check system configuration or contact vendor to confirm software version.

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and that input validation is properly implemented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts with SQL injection patterns
  • Errors containing SQL syntax in application logs

Network Indicators:

  • HTTP requests with SQL keywords in userCode parameter
  • Unusual database traffic patterns

SIEM Query:

source="web_logs" AND (userCode CONTAINS "' OR" OR userCode CONTAINS "UNION" OR userCode CONTAINS "SELECT *")
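The SIEM query above matches the literal strings "' OR", "UNION" and "SELECT *" in the logged userCode value. A request that arrives percent-encoded (for example %27%20OR) carries none of those substrings in the raw log line and slips past such a match, so the detection logic should decode the parameter first. This added example, which is not part of the advisory, extracts userCode from access-log lines in the common combined format, decodes it, and applies the advisory's markers plus a few extra ones (comment sequences, 1=1). The log lines are constructed, not real traffic, and the /wechat/user path is an assumption.

```python
# Added example (not from the advisory): flag web-log requests whose userCode
# parameter carries SQL injection markers after percent-decoding.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log lines (not real traffic); path /wechat/user is assumed.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2023:10:00:01 +0000] "GET /wechat/user?userCode=U1002 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2023:10:00:02 +0000] "GET /wechat/user?userCode=%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Jan/2023:10:00:03 +0000] "GET /wechat/user?userCode=U1%27+UNION+SELECT+1,2,3-- HTTP/1.1" 200 4096',
    '10.0.0.7 - - [01/Jan/2023:10:00:04 +0000] "POST /wechat/login HTTP/1.1" 200 120',
]

# The quoted request part of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Markers from the advisory's SIEM query (' OR, UNION, SELECT) plus assumed
# additions: comment sequences, statement separator, tautology 1=1.
SQLI_RE = re.compile(
    r"('\s*or\b|\bunion\b|\bselect\b|--|/\*|;|\b1\s*=\s*1\b)", re.IGNORECASE)


def extract_user_code(line):
    # Return the decoded userCode query value, or None if the line has none.
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    values = parse_qs(query, keep_blank_values=True).get("userCode")
    return values[0] if values else None


def is_suspicious(user_code):
    # parse_qs already decoded once; a second pass catches double-encoded
    # values such as %2527 before the markers are tested.
    decoded = unquote_plus(user_code)
    return SQLI_RE.search(decoded) is not None


def scan(lines):
    # Yield (client IP, decoded userCode) for every line that trips a marker.
    hits = []
    for line in lines:
        code = extract_user_code(line)
        if code is not None and is_suspicious(code):
            hits.append((line.split()[0], code))
    return hits


if __name__ == "__main__":
    for ip, code in scan(SAMPLE_LOGS):
        print(f"{ip}\t{code!r}")
```

Run over the constructed lines it reports the two requests from 10.0.0.9 and ignores the benign lookup and the POST without a userCode. A single-quote followed by OR and the UNION/SELECT pair are noisy markers on their own; correlating with the 500 status on the same request, as the second sample line shows, is the usual way to raise confidence.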
