CVE-2022-40347

CRITICAL

Intern Record System 1.0 - SQL Injection via Phone/Email/DeptType/Name Parameters

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-40347. PoCs published by Hamdi Sevben, h4md153v63n.

AI-analyzed exploit summary This exploit demonstrates unauthenticated SQL injection in Intern Record System v1.0 via the 'phone', 'email', 'deptType', and 'name' parameters in /intern/controller.php. It includes sqlmap commands and manual payloads to extract database information.

Description

SQL Injection vulnerability in Intern Record System version 1.0 in /intern/controller.php in 'phone', 'email', 'deptType' and 'name' parameters, allows attackers to execute arbitrary code and gain sensitive information.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Hamdi Sevben · textwebappsphp

https://www.exploit-db.com/exploits/51274

View Code ZIP pw:eip

This exploit demonstrates unauthenticated SQL injection in Intern Record System v1.0 via the 'phone', 'email', 'deptType', and 'name' parameters in /intern/controller.php. It includes sqlmap commands and manual payloads to extract database information.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Intern Record System v1.0

No auth needed

Prerequisites: Access to the target application · sqlmap or similar SQL injection tool

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by h4md153v63n · poc

https://github.com/h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated

View Code ZIP pw:eip

This repository provides a functional proof-of-concept for CVE-2022-40347, demonstrating SQL injection vulnerabilities in the Intern Record System 1.0 via the 'phone', 'email', 'deptType', and 'name' parameters. It includes detailed SQLmap commands and Burp Suite requests to exploit the vulnerability.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Intern Record System 1.0

No auth needed

Prerequisites: Access to the target application · SQLmap or similar tool for exploitation

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Core References

Product

https://code-projects.org/intern-record-system-in-php-with-source-code/

Product

https://download-media.code-projects.org/2020/03/Intern_Record_System_In_PHP_With_Source_Code.zip

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/171740/Intern-Record-System-1.0-SQL-Injection.html

Exploit, Third Party Advisory

https://github.com/h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated

Scores

CVSS v3 9.8

EPSS 0.0535

EPSS Percentile 91.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

intern_record_system_project/intern_record_system 1.0

Published Feb 17, 2023

Tracked Since Feb 18, 2026