CVE-2022-46443
published 2022-12-14

CVE-2022-46443: mesinkasir Bangresto 1.0 is vulnerable to SQL Injection via the itemqty%5B%5D parameter.

Priority: P270
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 37.73% (98.4th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
bangresto_project | bangresto | |

Detection & IOCs (extracted from sources)

url: /bangresto-main/staff/process.php
url: /bangresto-main/staff/insertorder.php
command: itemID[]=1&itemqty[]=2 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716a7a6b71,md5({{num}}),0x7178717a71,0x78))s), 8446744073709551610, 8446744073709551610)))&sentorder=Sent to kitchen
bytes: 0x716a7a6b71 ... 0x7178717a71 ... 0x78
  • SQL injection is delivered via the `itemqty[]` (URL-encoded: `itemqty%5B%5D`) POST parameter in a request to `/bangresto-main/staff/insertorder.php`. Monitor POST bodies to this endpoint for SQL keywords such as SELECT, IF, CONCAT, or integer overflow values.
  • The exploit uses a two-step authentication flow: first POST to `/bangresto-main/staff/process.php` with credentials, then POST the SQLi payload to `/bangresto-main/staff/insertorder.php`. Correlate both requests from the same source IP.
  • The SQLi payload uses a MySQL integer overflow technique with the magic value 8446744073709551610 and CONCAT with hex-encoded canary strings (0x716a7a6b71, 0x7178717a71). Detect these literals in POST body traffic.
  • The Content-Type for the injection request is `application/x-www-form-urlencoded` (without charset). The `sentorder` field value is `Sent to kitchen`, which can serve as an additional filter alongside SQLi indicators.
  • The exploit requires prior authentication (valid `username` and `password`) before the SQLi payload can be submitted. The vulnerability is post-auth (CVSS PR:L), so detection should account for authenticated sessions.
  • The Nuclei template targets a fixed install path `/bangresto-main/`. Deployments at non-default paths will not match path-based detection rules without adjustment.
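
The detection notes above can be combined into one log check. The following is an added example, not code from this page or from its sources: it flags any `itemqty[]` value that is not a plain integer, matches on the path suffix so non-default install paths are covered, and records whether the same source posted to `process.php` earlier. The log record schema, the four-digit quantity limit, and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

LOGIN_SUFFIX = "/staff/process.php"
ORDER_SUFFIX = "/staff/insertorder.php"
QTY_OK = re.compile(r"\d{1,4}")  # assumption: real quantities are small positive integers
SQL_HINT = re.compile(r"\b(select|concat|if|union|sleep)\b|0x[0-9a-f]{4,}|\d{16,}", re.I)

def scan(requests):
    """Return alerts for order POSTs whose itemqty[] value is not a plain integer.

    requests: iterable of dicts with src, method, path, body (hypothetical log schema).
    Matching on the path suffix covers installs outside /bangresto-main/.
    """
    login_seen, alerts = set(), []
    for r in requests:
        if r["method"] != "POST":
            continue
        path = r["path"].split("?", 1)[0]
        if path.endswith(LOGIN_SUFFIX):
            login_seen.add(r["src"])  # a login attempt was seen, not proof it succeeded
        elif path.endswith(ORDER_SUFFIX):
            # parse_qs URL-decodes names and values, so itemqty%5B%5D and itemqty[] both match
            fields = parse_qs(r["body"], keep_blank_values=True)
            for value in fields.get("itemqty[]", []):
                if QTY_OK.fullmatch(value.strip()):
                    continue
                alerts.append({
                    "src": r["src"], "path": path, "value": value,
                    "sql_tokens": bool(SQL_HINT.search(value)),
                    "login_seen": r["src"] in login_seen,
                })
    return alerts

# Constructed sample records (documentation IP ranges, simplified test value).
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "path": "/bangresto-main/staff/process.php",
     "body": "username=u&password=p"},
    {"src": "198.51.100.7", "method": "POST", "path": "/bangresto-main/staff/insertorder.php",
     "body": "itemID%5B%5D=1&itemqty%5B%5D=2+AND+%28SELECT+1%29&sentorder=Sent+to+kitchen"},
    {"src": "203.0.113.9", "method": "POST", "path": "/pos/staff/insertorder.php",
     "body": "itemID[]=3&itemqty[]=2&sentorder=Sent+to+kitchen"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Validating the field as an integer catches payload variants that keyword or literal signatures would miss; the `sql_tokens` flag only helps with triage.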