CVE-2022-31352

9.8 CRITICAL

📋 TL;DR

CVE-2022-31352 is a critical SQL injection vulnerability in Online Car Wash Booking System v1.0 that allows attackers to execute arbitrary SQL commands through the 'id' parameter in the admin services management page. This affects all users running the vulnerable version of this web application. Attackers can potentially steal, modify, or delete database contents.

💻 Affected Systems

Products:
  • Online Car Wash Booking System
Versions: v1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP and MySQL/MariaDB database backend. Admin panel must be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, authentication bypass, remote code execution, and full system takeover.

🟠 Likely Case

Database information disclosure, including user credentials, personal data, and administrative access.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin panel access. SQL injection is straightforward via the 'id' parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Implement workarounds or replace with secure software.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

Modify manage_service.php to validate and sanitize the 'id' parameter using prepared statements.

Replace vulnerable SQL queries with parameterized queries using PDO or mysqli prepared statements.

Web Application Firewall (WAF)

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint.

Configure WAF to block requests containing SQL keywords to /ocwbs/admin/services/manage_service.php

🧯 If You Can't Patch

  • Restrict access to /ocwbs/admin/ directory to trusted IP addresses only.
  • Disable or remove the vulnerable manage_service.php file if not required.

🔍 How to Verify

Check if Vulnerable:

Test the endpoint with SQL injection payloads like: /ocwbs/admin/services/manage_service.php?id=1' OR '1'='1

Check Version:

Check the software version in the application's admin panel or configuration files.

Verify Fix Applied:

Verify that SQL injection payloads no longer return database errors or unexpected data.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to manage_service.php with SQL keywords in parameters
  • Database error logs showing SQL syntax errors

Network Indicators:

  • Unusual SQL queries from web server to database
  • Multiple failed login attempts following SQL injection

SIEM Query:

source="web_logs" AND uri="/ocwbs/admin/services/manage_service.php" AND (param="id" AND value CONTAINS "' OR" OR value CONTAINS "UNION" OR value CONTAINS "SELECT")
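As an added illustration of the log indicators above (example code written for this page, not part of the advisory or of the Online Car Wash Booking System), the following Python scans constructed access-log lines for requests to the vulnerable endpoint. It percent-decodes the id parameter and flags any value that is not a plain integer, which also catches encoded or obfuscated input that a keyword-only SIEM rule would miss.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log style; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2022:12:00:01 +0000] "GET /ocwbs/admin/services/manage_service.php?id=3 HTTP/1.1" 200 1820
203.0.113.5 - - [10/Jun/2022:12:00:09 +0000] "GET /ocwbs/admin/services/manage_service.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9412
203.0.113.5 - - [10/Jun/2022:12:00:15 +0000] "GET /ocwbs/admin/services/manage_service.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 233
198.51.100.7 - - [10/Jun/2022:12:01:00 +0000] "GET /ocwbs/index.php?page=services HTTP/1.1" 200 5120
"""

TARGET_PATH = "/ocwbs/admin/services/manage_service.php"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Metacharacters and keywords typical of injection attempts; used only to label the hit.
SQLI_HINTS = re.compile(r"('|--|/\*|\bunion\b|\bselect\b|\bor\b|\bsleep\b)", re.IGNORECASE)


def classify_id(value):
    """Return None if the id is a plain integer, else a short reason string."""
    if re.fullmatch(r"\d+", value):
        return None
    m = SQLI_HINTS.search(value)
    if m:
        return f"sql keyword/metachar {m.group(0)!r}"
    return "non-integer id"  # still anomalous: the application expects a numeric id


def scan_log(text):
    """Return (ip, status, decoded_id, reason) for suspicious manage_service.php requests."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes values, so encoded quotes and spaces are inspected as sent.
        for value in parse_qs(parts.query).get("id", []):
            reason = classify_id(value)
            if reason:
                hits.append((m.group("ip"), int(m.group("status")), value, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 status paired with a flagged id (the third sample line) is the strongest signal, since it matches the database-error indicator listed above.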
