CVE-2022-30493
Description
In oretnom23 Automotive Shop Management System v1.0, the product id parameter suffers from a blind SQL Injection Vulnerability allowing remote attackers to dump all database credentials and gain admin access (privilege escalation).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in the product id parameter of Automotive Shop Management System v1.0 allows remote attackers with staff credentials to dump all database credentials and gain admin access.
Vulnerability
In Automotive Shop Management System v1.0 by oretnom23, the id parameter of the inventory/view_details page is vulnerable to blind SQL injection. An authenticated staff user can trigger the vulnerability by accessing a URL like http://localhost/asms/admin/?page=inventory/view_details&id=7 [1]. The parameter is not sanitized, allowing time-based blind injection. The application runs on MySQL/MariaDB, and the injection is confirmed for MySQL >= 5.0.12 [1].
Exploitation
An attacker must first log in as a staff user, then navigate to the Inventory page and select View Product to obtain the vulnerable URL. The attacker can inject a time-based blind SQL payload such as '+(select*from(select(sleep(5)))a)+' or use sqlmap with the command sqlmap -u http://localhost/asms/admin/?page=inventory/view_details&id=7 --batch --dbs [1]. The injection point is time-based blind (query SLEEP) in the id GET parameter, and requires no privileges beyond the staff login [1].
Impact
Successful exploitation allows the attacker to dump all database credentials, including those of admin users, and escalate privileges to full admin access [1]. The attacker can enumerate all databases and extract credentials, leading to complete compromise of the application.
Mitigation
As of the publication date (May 2022), no official patch or fix has been released by the vendor [1]. Users should validate input, use parameterized queries, and restrict the id parameter to the expected integer values so that non-numeric input is rejected before any SQL is built. If a newer version becomes available, upgrading is recommended. Otherwise, consider removing the vulnerable functionality or placing a web application firewall in front of the application.
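A defender-side illustration of the mitigation above, added here and not code from the ASMS project or the cited reference: the handler accepts id only as a plain integer and binds it as a query parameter, and a small log check flags requests to inventory/view_details whose id is not an integer or carries a delay function. The real application is PHP on MySQL/MariaDB; this uses Python with SQLite as a stand-in, and the table contents, log lines and function names are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the products table (not the real ASMS schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(7, "Brake pad set"), (8, "Oil filter")])
    return conn

def parse_product_id(raw):
    """Accept only a plain positive integer; the sleep() payload fails here."""
    if raw is None or not re.fullmatch(r"[1-9][0-9]{0,9}", raw.strip()):
        return None
    return int(raw)

def view_details(conn, id_param):
    """Hardened lookup: integer check plus a bound parameter, so the value
    can never change the statement's structure or timing."""
    pid = parse_product_id(id_param)
    if pid is None:
        return {"error": "invalid id"}
    row = conn.execute("SELECT id, name FROM products WHERE id = ?", (pid,)).fetchone()
    return {"id": row[0], "name": row[1]} if row else {"error": "not found"}

# Time-based blind injection needs a delay primitive; flag it in web logs.
DELAY_FUNC = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.IGNORECASE)
REQUEST_PATH = re.compile(r'"(?:GET|POST) (\S+)')

# Constructed Apache-style access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/May/2022:10:00:01 +0000] "GET /asms/admin/?page=inventory/view_details&id=7 HTTP/1.1" 200 4310',
    '10.0.0.5 - - [27/May/2022:10:00:09 +0000] "GET /asms/admin/?page=inventory/view_details'
    '&id=7%27%2B%28select*from%28select%28sleep%285%29%29%29a%29%2B%27 HTTP/1.1" 200 4310',
    '10.0.0.9 - - [27/May/2022:10:00:12 +0000] "GET /asms/admin/?page=inventory HTTP/1.1" 200 9120',
]

def suspicious_view_details(log_lines):
    """Return decoded id values of view_details requests that are not a plain
    integer or that carry a delay function."""
    hits = []
    for line in log_lines:
        m = REQUEST_PATH.search(line)
        qs = parse_qs(urlsplit(m.group(1)).query) if m else {}
        if qs.get("page", [""])[0] != "inventory/view_details":
            continue
        raw_id = qs.get("id", [""])[0]
        if DELAY_FUNC.search(raw_id) or parse_product_id(raw_id) is None:
            hits.append(raw_id)
    return hits
```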
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- oretnom23/Automotive Shop Management System
- Range: = v1.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when the actual fix diff can be read. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] github.com/nsparker1337/OpenSource/blob/main/exploit_sql_asms.md (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.