CVE-2022-44415
Description
Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/mechanics/view_mechanic.php?id=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Automotive Shop Management System v1.0 is vulnerable to SQL injection in the `id` parameter of `view_mechanic.php`, allowing authenticated attackers to extract database information.
Vulnerability
Automotive Shop Management System v1.0, built with PHP and MySQL, contains a SQL injection vulnerability in the id parameter of the /asms/admin/mechanics/view_mechanic.php endpoint. The application fails to sanitize user input before using it in a SQL query, allowing an attacker to inject arbitrary SQL commands. The vulnerability is present in the admin panel and requires authentication to access the vulnerable page [1].
Exploitation
An attacker must first authenticate with valid admin credentials (e.g., admin/admin123 as provided in the reference) to access the admin panel. Once logged in, they can send a GET request to /asms/admin/mechanics/view_mechanic.php?id= with a malicious payload. The reference demonstrates a payload using updatexml to trigger an error-based SQL injection that reveals the database name: 1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ [1]. The attacker can modify the payload to extract other data from the database.
Impact
Successful exploitation allows an authenticated attacker to perform error-based or time-based SQL injection, leading to disclosure of sensitive information from the database, such as user credentials, application data, and potentially other tables. The attacker can enumerate the database schema and extract arbitrary data, compromising the confidentiality of the system [1].
Mitigation
As of the publication date (2022-11-18), no official patch has been released by the vendor. The application is available on SourceCodester. Users should implement input validation and use parameterized queries to prevent SQL injection. Additionally, restrict access to the admin panel to trusted users and monitor logs for suspicious activity. Until a fix is available, consider disabling the vulnerable endpoint or applying a web application firewall rule [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
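The mitigation section above recommends integer validation of `id` and monitoring logs for suspicious activity. The following added example (not code from the reference or from the Automotive Shop Management System project) shows the defender side of both: a validator that accepts only a plain integer `id`, run here over constructed Apache combined-format access-log lines to flag requests to the vulnerable endpoint that carry the error-based (`updatexml`) or time-based (`sleep`) shapes the advisory describes. The log format, sample lines and indicator list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the CVE description.
VULN_PATH = "/asms/admin/mechanics/view_mechanic.php"

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2022:10:01:02 +0000] "GET /asms/admin/mechanics/view_mechanic.php?id=7 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Nov/2022:10:01:09 +0000] "GET /asms/admin/mechanics/view_mechanic.php?id=1'%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Nov/2022:10:01:15 +0000] "GET /asms/admin/mechanics/view_mechanic.php?id=1%20and%20sleep(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Nov/2022:10:02:00 +0000] "GET /asms/admin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Request-line parser for the (assumed) combined log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Tokens tied to the error-based and time-based injection shapes the advisory describes (assumed list).
SUSPICIOUS_TOKENS = ("updatexml", "extractvalue", "concat(", "sleep(", "benchmark(", "select ", "--", "'", '"')


def classify_id(raw_id: str) -> str:
    """Return 'ok' for the only legitimate shape (a plain integer), else the first matched indicator.

    The same integer-only check is what the endpoint itself should enforce before building any query."""
    if raw_id.isdigit():
        return "ok"
    lowered = raw_id.lower()
    for token in SUSPICIOUS_TOKENS:
        if token in lowered:
            return token
    return "non-numeric"


def scan_access_log(text: str) -> list:
    """One finding per request to VULN_PATH whose id parameter is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        # parse_qs percent-decodes and turns '+' into a space, so the '--+' comment becomes '-- '.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            verdict = classify_id(raw)
            if verdict != "ok":
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "id": raw, "indicator": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} indicator={f['indicator']!r} id={f['id']!r}")
```

Only the two non-integer requests from 10.0.0.9 are reported; the legitimate `id=7` request and the unrelated page are ignored.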
Affected products
- Automotive Shop Management System / Automotive Shop Management System
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.