CVE-2022-44414
Description
Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/services/manage_service.php?id=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Automotive Shop Management System v1.0 has a SQL injection vulnerability in `/asms/admin/services/manage_service.php?id`, allowing authenticated attackers to extract database information.
Vulnerability
Automotive Shop Management System v1.0, built with PHP and available from SourceCodester, contains a SQL injection vulnerability in the /asms/admin/services/manage_service.php?id endpoint. The id parameter is directly concatenated into SQL queries without proper sanitization, allowing authenticated users to inject arbitrary SQL. The vulnerability is present in version 1.0 as distributed by oretnom23 [1].
Exploitation
An attacker must be logged in with a valid account; the default super admin credentials are admin/admin123 [1]. The attacker then sends a GET request to /asms/admin/services/manage_service.php?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ to perform error-based blind SQL injection. Exploitation does not require any special network position beyond access to the web application [1].
Impact
Successful exploitation allows an attacker to extract sensitive information from the database, such as the database name (asms_db), table names, and potentially user credentials. The attack is limited to data exfiltration via error messages; full remote code execution is not demonstrated but could be possible depending on database privileges [1].
Mitigation
No official patch or fixed version has been released by the vendor as of the publication date [1]. Users should apply input validation and parameterized queries to the vulnerable endpoint. If possible, restrict access to the admin panel or remove the vulnerable functionality until a fix is available.
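The input validation and parameterized query recommended above could look like the following sketch. It is an added example, not code from the application or its vendor. The table name `service_list`, the column `id`, the connection credentials and both function names are assumptions for illustration, and it assumes PHP 8 with the mysqlnd driver.

```php
<?php
// Added example (not the application's code). Hypothetical names throughout.
// Pattern the advisory describes: the request's id value is concatenated
// into the SQL text, e.g. "... WHERE id = '{$_GET['id']}'".

// Make mysqli throw exceptions so errors can be logged server-side
// instead of being echoed into the HTTP response.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Accept only a positive integer id; anything else is rejected. */
function parse_service_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing value or array input such as ?id[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up one row with a bound parameter; the id never becomes SQL text. */
function find_service(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT * FROM `service_list` WHERE `id` = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

$id = parse_service_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}

try {
    // Placeholder credentials (assumed); use a least-privilege DB account.
    $conn = new mysqli('localhost', 'asms_app', 'CHANGE_ME', 'asms_db');
    $service = find_service($conn, $id);
} catch (mysqli_sql_exception $e) {
    // Error-based extraction depends on database error text reaching the
    // client, so log the detail and return a generic message.
    error_log('manage_service lookup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Request failed');
}
```

The integer check rejects the request before any query runs, and the bound parameter keeps the query safe even if the validation is later loosened.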
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: =1.0
Patches
No patches discovered yet.
References