CVE-2022-44403
Description
Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/?page=user/manage_user&id=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Automotive Shop Management System v1.0 allows an authenticated admin to extract database contents via the id parameter.
Vulnerability
The Automotive Shop Management System v1.0 by oretnom23 contains a SQL injection vulnerability in the /asms/admin/?page=user/manage_user&id= endpoint. The id parameter is directly concatenated into SQL queries without sanitization, allowing an authenticated attacker to inject arbitrary SQL commands. The vulnerability is present in the admin panel and requires a valid admin session [1].
Exploitation
An attacker with admin credentials (e.g., admin/admin123) can exploit the vulnerability by sending a crafted GET request to the vulnerable URL. The reference demonstrates a payload using updatexml to trigger an error-based SQL injection, leaking the database name. The attacker can modify the payload to extract other data from the database, such as user credentials or application secrets [1].
Impact
Successful exploitation allows an authenticated attacker to read arbitrary data from the database, including sensitive information like user passwords and application configuration. This can lead to privilege escalation or further compromise of the system. The impact is primarily information disclosure, but could enable broader attacks if additional credentials are obtained [1].
Mitigation
As of the publication date, no official patch has been released by the vendor. Users should implement input validation and use parameterized queries to prevent SQL injection. The software is available on SourceCodester; administrators should consider disabling the vulnerable endpoint or applying a web application firewall rule until a fix is provided [1].
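The two recommendations above (input validation and parameterized queries) applied to an id lookup, next to the concatenated form the advisory describes. This is an added example, not code from the application or the reference; it uses Python's sqlite3 as a stand-in database, and the table, column and function names and the sample rows are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; schema and values are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "hash-a"), (2, "staff", "hash-b")])
    return db

def get_user_concatenated(db, raw_id):
    # Pattern described in the advisory: the request value is pasted into the
    # SQL text, so the database parses it as part of the statement.
    return db.execute("SELECT id, username FROM users WHERE id = " + raw_id).fetchall()

def get_user_parameterized(db, raw_id, validate=True):
    if validate:
        # Input validation: accept only a plain ASCII decimal integer.
        if not (raw_id.isascii() and raw_id.isdigit()):
            raise ValueError("id must be a positive integer")
        value = int(raw_id)
    else:
        value = raw_id  # binding alone, shown to isolate its effect
    # Parameterized query: the value is bound as data and never parsed as SQL.
    return db.execute("SELECT id, username FROM users WHERE id = ?", (value,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tampered = "0 OR 1=1"  # constructed non-numeric id value
    print("concatenated, id=2:      ", get_user_concatenated(db, "2"))
    print("concatenated, tampered:  ", get_user_concatenated(db, tampered))
    print("bound only, tampered:    ", get_user_parameterized(db, tampered, validate=False))
    try:
        get_user_parameterized(db, tampered)
    except ValueError as exc:
        print("validated, tampered:      rejected:", exc)
```

With binding in place the tampered value matches no row, and the validation step lets the handler reject and log it before any query runs.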
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Automotive Shop Management System/Automotive Shop Management System
- Range: =1.0
Patches
No patches discovered yet.
References