[CVE-2025-65236] USSD Gateway SQL Injection - Sessions

Technical information about CVE-2025-65236 in the OpenCode USSD GW application.

Description

SQL Injection in the USSD Gateway application offered by OpenCode Systems allows a user who has access to the vulnerable function to dump the database by injecting SQL commands. https://www.cve.org/CVERecord?id=CVE-2025-65236

Application Details

  • Name: USSD Gateway

  • Vendor: OpenCode Systems

  • Version: OC Release 5 - Version 6.13.11

Technical Details

  • Vulnerable Endpoint: /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t

  • Vulnerable Parameters: flt_sessid and flt_user

  • Payload Sample: flt_sessid=1; SELECT SLEEP(5)#
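
A defender-side check for the endpoint and parameters listed above, as an added example that is not part of the original advisory or the vendor's code: it screens form bodies sent to the sessions list action and reports flt_sessid and flt_user values that fall outside an allow-list. The allow-list patterns, the function names and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Route selectors of the vulnerable endpoint, as listed in the advisory.
VULNERABLE_ROUTE = {"w": "ocussdgw", "m": "sessions", "a": "list_sessions_t"}

# ASSUMPTION: these patterns are inferred, not vendor-documented. Session IDs
# are taken to be digits (the advisory's request uses 00000002) and the user
# filter to be a short identifier such as an MSISDN or a login name.
ALLOWED = {
    "flt_sessid": re.compile(r"[0-9]{1,20}"),
    "flt_user": re.compile(r"[A-Za-z0-9_.+@-]{1,64}"),
}

def is_sessions_list(target: str) -> bool:
    """True if the request target addresses the sessions list action."""
    parts = urlsplit(target)
    if not parts.path.endswith("/occontrolpanel/index.php"):
        return False
    query = parse_qs(parts.query)
    # PHP keeps the last value of a repeated query parameter, so compare that.
    return all(query.get(k, [""])[-1] == v for k, v in VULNERABLE_ROUTE.items())

def check_request(target: str, body: str) -> list[str]:
    """Return the filter parameters whose values fall outside the allow-list."""
    if not is_sessions_list(target):
        return []
    form = parse_qs(body, keep_blank_values=True)
    rejected = []
    for name, pattern in ALLOWED.items():
        # Check every occurrence so a repeated parameter cannot hide a value.
        for value in form.get(name, []):
            # An empty filter is normal: the advisory's request sends flt_user=
            if value and not pattern.fullmatch(value):
                rejected.append(name)
                break
    return rejected

# Constructed samples: CSRF token and node name are placeholders.
TARGET = "/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t"
BENIGN_BODY = "_csrf=PLACEHOLDER&display=1&flt_sessid=00000002&flt_user=&flt_server_node=NODE01"
# The advisory's payload sample, form-encoded as a browser would send it.
PAYLOAD_BODY = "_csrf=PLACEHOLDER&display=1&flt_sessid=1%3B+SELECT+SLEEP%285%29%23&flt_user="

if __name__ == "__main__":
    print("benign :", check_request(TARGET, BENIGN_BODY))
    print("payload:", check_request(TARGET, PAYLOAD_BODY))
```

A filter like this at a reverse proxy only narrows exposure; the underlying fix is for the application to bind these parameters in prepared statements.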

Exploitation

The default request is used to get the username of the account details based on the account ID; the response is shown below.

POST /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t HTTP/2
Host: hostname
Cookie: openid-state=c2b[...]Ic%22%3B%7D; OCPANEL-SESSIONID=1h[...]v6o; _csrf=a1[...]nAyIBz%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]

_csrf=K6[...]iB0qQ%3D%3D&display=1&flt_sessid=00000002&flt_user=&flt_server_node=VSSTEST01AOCFRV

By appending the payload to the parameter, all the usernames will be shown in the response.

You can use different payloads; the one below was used as a PoC.

Nuclei Template

You can use this template for easy detection.

Adjust the CSRF token if required.
