CVE-2022-45030
published 2023-04-15

CVE-2022-45030: A SQL injection vulnerability in rConfig 3.9.7 exists via lib/ajaxHandlers/ajaxCompareGetCmdDates.php?command= (this may interact with secure-file-priv).

Priority: P260 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.69% (84.0th percentile)

Affected

1 range

| Vendor | Product | Version range | Fixed in |
| rconfig | rconfig | | |

Detection & IOCs (extracted from sources)

url: https://<host>:443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20
path: /lib/ajaxHandlers/ajaxCompareGetCmdDates.php
command: '+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20
  • Monitor HTTP GET requests to /lib/ajaxHandlers/ajaxCompareGetCmdDates.php with SQL metacharacters (single quote, UNION, SELECT, ord, substr) in the 'command' or 'deviceId' query parameters.
  • Look for blind/time-based SQLi exfiltration pattern: repeated GET requests to ajaxCompareGetCmdDates.php with incrementing numeric index in the payload (e.g., substr(...,1,1), substr(...,2,1) ...) — characteristic of character-by-character enumeration.
  • Exploit requires authentication; watch for login attempts to /lib/crud/userprocess.php with default credentials (admin/admin) immediately followed by requests to the vulnerable endpoint.
  • The exploit uses a UNION-based injection with arithmetic encoding (ord()+1000) to exfiltrate data; detect responses containing 4-digit numeric strings in the range 1000–1127 (ASCII offset) from the vulnerable endpoint.
  • Note the CVE description flags potential interaction with MySQL's secure-file-priv; assess whether the DB user has FILE privilege, which could allow UNION-based file read/write via INTO OUTFILE/LOAD_FILE.
  • The exploit targets rConfig version 3.9.7 specifically; verify the installed version before applying detections, as the vulnerable file path may differ in other versions.
  • The exploit is authenticated — an attacker must first obtain valid credentials. The PoC hardcodes admin/admin as defaults, but any valid account suffices; detections should not assume only default credentials are used.
  • The PoC disables TLS certificate verification (verify=False); the exploit works over HTTPS on port 443, so TLS inspection may be required to detect the malicious payload in transit.
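
The first two monitoring items above, sketched as a check over web server access logs (an added example, not code from this page or from rConfig). It assumes combined-format access logs; the function names, the sample lines and the `x` stand-in for the queried expression are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/lib/ajaxHandlers/ajaxCompareGetCmdDates.php"  # path listed above
SQL_TOKENS = re.compile(r"'|\b(?:union|select|ord|substr)\b", re.I)
SUBSTR_INDEX = re.compile(r"substr\s*\(.*?,\s*(\d+)\s*,\s*1\s*\)", re.I)
# Assumption: combined access log format, client address in the first field.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "GET (\S+) HTTP/[\d.]+"')

def scan(lines, min_run=3):
    """Return (hits, enumerating_clients) for requests to the endpoint."""
    hits, indexes = [], defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # decodes %xx and '+'
        for name in ("command", "deviceId"):
            for value in params.get(name, []):
                if SQL_TOKENS.search(value):
                    hits.append((client, name, value))
                idx = SUBSTR_INDEX.search(value)
                if idx:
                    indexes[client].append(int(idx.group(1)))
    enumerating = set()
    for client, seen in indexes.items():
        run = 1  # length of the current run of consecutive substr offsets
        for a, b in zip(seen, seen[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_run:
                enumerating.add(client)
    return hits, enumerating

def log_line(ip, query):
    """Build one constructed access-log line for the sample below."""
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {ENDPOINT}?{query} HTTP/1.1" 200 64'

# Constructed sample input: three enumeration-style requests and one benign request.
SAMPLE = [log_line("198.51.100.7", "deviceId=-1&command=%27+union+select+concat("
                   f"1000%2bord(substr(x,{i},1)),%27-1-1%27)%20--%20")
          for i in (1, 2, 3)]
SAMPLE.append(log_line("192.0.2.10", "deviceId=12&command=show+version"))

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Because the values are URL-decoded before matching, the check also catches payloads sent with percent-encoded quotes; tune `min_run` to the request volume seen on the endpoint.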