CVE-2022-45030
Published: 2023-04-15

CVE-2022-45030: A SQL injection vulnerability in rConfig 3.9.7 exists via lib/ajaxHandlers/ajaxCompareGetCmdDates.php?command= (this may interact with secure-file-priv).

Priority: P2 60 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see detection notes below)
EPSS: 2.69% (84.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rconfig | rconfig | — | — |
Detection & IOCs (extracted from sources)

URL: https://<host>:443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20
- Monitor HTTP GET requests to /lib/ajaxHandlers/ajaxCompareGetCmdDates.php with SQL metacharacters (single quote, UNION, SELECT, ord, substr) in the 'command' or 'deviceId' query parameters.
- Look for the blind/time-based SQLi exfiltration pattern: repeated GET requests to ajaxCompareGetCmdDates.php with an incrementing numeric index in the payload (e.g., substr(...,1,1), substr(...,2,1) ...) — characteristic of character-by-character enumeration.
- The exploit requires authentication; watch for login attempts to /lib/crud/userprocess.php with default credentials (admin/admin) immediately followed by requests to the vulnerable endpoint.
- The exploit uses a UNION-based injection with arithmetic encoding (ord()+1000) to exfiltrate data; detect responses from the vulnerable endpoint containing 4-digit numeric strings in the range 1000–1127 (ASCII offset).
- Note that the CVE description flags potential interaction with MySQL's secure-file-priv; assess whether the DB user has the FILE privilege, which could allow UNION-based file read/write via INTO OUTFILE/LOAD_FILE.
- Caveat: the exploit targets rConfig version 3.9.7 specifically; verify the installed version before applying detections, as the vulnerable file path may differ in other versions.
- Caveat: the exploit is authenticated — an attacker must first obtain valid credentials. The PoC hardcodes admin/admin as defaults, but any valid account suffices; detections should not assume only default credentials are used.
- Caveat: the PoC disables TLS certificate verification (verify=False); the exploit works over HTTPS on port 443, so TLS inspection may be required to detect the malicious payload in transit.
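As an added illustration of the access-log monitoring described in the notes above (this is not code from this page, the PoC, or rConfig), the scanner below flags requests to the vulnerable endpoint whose `command`/`deviceId` parameters carry SQL metacharacters and then reports source IPs whose `substr()` index climbs across requests. The log lines are constructed for the example, and `x` stands in for whichever column an injection would read.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/lib/ajaxHandlers/ajaxCompareGetCmdDates.php"
WATCHED_PARAMS = ("command", "deviceId")
# SQL metacharacters / functions named in the detection notes.
SQLI_RE = re.compile(r"'|\bunion\b|\bselect\b|\bord\s*\(|\bsubstr\s*\(", re.I)
# Start index of substr(<expr>, N, 1); it increments across requests during enumeration.
SUBSTR_IDX_RE = re.compile(r"substr\s*\([^,]*,\s*(\d+)\s*,\s*1\s*\)", re.I)
# Minimal combined-log-format parser; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log: one benign request, then a three-step enumeration from a second client.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Apr/2023:10:00:01 +0000] "GET /lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=1&command=show+running-config HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Apr/2023:10:00:02 +0000] "GET /lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command=%27+union+select+concat(1000%2bord(substr(x,1,1)),%27-1-1%27)%20--%20 HTTP/1.1" 200 44',
    '10.0.0.9 - - [15/Apr/2023:10:00:03 +0000] "GET /lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command=%27+union+select+concat(1000%2bord(substr(x,2,1)),%27-1-1%27)%20--%20 HTTP/1.1" 200 44',
    '10.0.0.9 - - [15/Apr/2023:10:00:04 +0000] "GET /lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command=%27+union+select+concat(1000%2bord(substr(x,3,1)),%27-1-1%27)%20--%20 HTTP/1.1" 200 44',
]

def inspect_line(line):
    """Return a finding for a request to the vulnerable endpoint carrying SQLi markers, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path != VULN_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent- and plus-decodes once
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            if SQLI_RE.search(value):
                idx = SUBSTR_IDX_RE.search(value)
                return {"ip": m.group("ip"), "param": name,
                        "index": int(idx.group(1)) if idx else None}
    return None

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]  # all findings, in log order

def enumerating_sources(findings, min_steps=3):
    """IPs whose substr() index rises strictly across at least min_steps flagged requests."""
    by_ip = defaultdict(list)
    for f in findings:
        if f["index"] is not None:
            by_ip[f["ip"]].append(f["index"])
    return sorted(ip for ip, idx in by_ip.items()
                  if len(idx) >= min_steps and all(b > a for a, b in zip(idx, idx[1:])))
```

Running `enumerating_sources(scan(SAMPLE_LOG))` on the constructed log returns only the enumerating client; the benign `show running-config` request produces no finding.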
No detection rules found.
No writeups or analysis indexed.