CVE-2022-41551
Description
Garage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /garage/editorder.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Garage Management System v1.0 is vulnerable to SQL injection in the id parameter of /garage/editorder.php, allowing arbitrary SQL queries.
Vulnerability
The Garage Management System version 1.0, built with PHP and MySQL, contains a SQL injection vulnerability in the id parameter of /garage/editorder.php. The application fails to sanitize user input before using it in a SQL query, allowing an attacker to inject arbitrary SQL commands. The vulnerable file is located at /garage/editorder.php and the parameter id is directly incorporated into the query [1].
Exploitation
An attacker with network access to the application can exploit this vulnerability by sending a crafted HTTP GET request to /garage/editorder.php with a malicious id parameter. The provided proof-of-concept payload uses a UNION-based injection to extract database information, e.g., -1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--+ [1]. The attacker must be authenticated as an admin (session cookie required) to access the page, but the injection itself is performed via the vulnerable parameter.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the backend database. This can lead to unauthorized access to sensitive data, such as user credentials, and potentially to further compromise of the system through data manipulation or escalation [1].
Mitigation
As of the publication date, no official patch has been released. The vendor, mayuri_k, has not provided a fix. Users should consider implementing input validation and parameterized queries to prevent SQL injection. Since the software is from SourceCodester, users should monitor for updates. Until a patch is available, restrict network access to the application and ensure the admin interface is not exposed to untrusted networks [1].
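The two mitigations named above, input validation and a parameterized query, sketched in PHP as an added example (not the application's code, which this page does not show). The orders table, its columns, and the function names are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application's database (hypothetical schema).
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT)');
    $db->exec("INSERT INTO orders (id, customer) VALUES (1, 'constructed sample row')");
    return $db;
}

// Pattern the advisory describes: the raw id becomes part of the SQL text,
// so whatever the client sends is parsed as SQL. Shown for contrast only.
function build_query_unsafe(string $rawId): string
{
    return "SELECT id, customer FROM orders WHERE id = $rawId";
}

// Hardened lookup: accept only a positive integer, then bind it as a typed
// parameter so the statement text never contains client input.
function find_order(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not a plain integer: reject before touching the database
    }
    $stmt = $db->prepare('SELECT id, customer FROM orders WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = demo_db();

// The id value quoted in the advisory's proof of concept, used as test input.
$poc = '-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--+';

// A well-formed id goes through the prepared statement.
var_dump(find_order($db, '1'));

// The proof-of-concept value fails integer validation and no query is issued.
var_dump(find_order($db, $poc));

// Concatenation places the same value inside the statement itself.
echo build_query_unsafe($poc), PHP_EOL;
```

With the PDO MySQL driver only the connection string changes; the validation, prepare, and bind calls stay the same.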
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Garage Management System/Garage Management System
- Range: = 1.0
Patches
No patches discovered yet.