CVE-2022-31354

9.8 CRITICAL

📋 TL;DR

Online Car Wash Booking System v1.0 contains a SQL injection vulnerability in the get_vehicle_service endpoint that allows attackers to execute arbitrary SQL commands. This affects all deployments of this specific software version. Attackers can potentially access, modify, or delete database content through this vulnerability.

💻 Affected Systems

Products:
  • Online Car Wash Booking System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of v1.0 regardless of configuration. The vulnerability is in the core application code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, authentication bypass, and potential server takeover via SQL injection leading to remote code execution.

🟠 Likely Case

Unauthorized access to sensitive customer data (personal information, payment details), service manipulation, and potential privilege escalation.

🟢 If Mitigated

With proper input validation and restricted database permissions the impact is limited, potentially to reading data without being able to modify it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof-of-concept exists in a GitHub repository. The injection is straightforward to exploit with common tools such as sqlmap.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch is available. Upgrade to a newer version if the vendor publishes one; otherwise apply the workarounds below.

🔧 Temporary Workarounds

Web Application Firewall (WAF)
Applies to: all

Deploy a WAF with SQL injection protection rules to block malicious requests.

Input Validation Filter
Applies to: all

Implement server-side input validation to sanitize parameters before processing.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in the application code
  • Restrict database user permissions to minimum required access
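The two workarounds above (a server-side validation filter and parameterized queries) are shown together in the following added example. It is not code from the Online Car Wash Booking System; it models a lookup like get_vehicle_service against an in-memory SQLite table with constructed rows, and the table layout and the vehicle_id parameter name are assumptions. The concatenated form is included only to contrast it with the hardened form.

```python
"""Added example (not the application's own code): integer allowlist
validation plus a parameterized query for a get_vehicle_service-style lookup,
beside the string-concatenated query shape that makes injection possible.
Schema, column names and the vehicle_id parameter are assumptions."""
import sqlite3

# Constructed sample rows standing in for the application's vehicle/service data.
SAMPLE_ROWS = [
    (1, "Sedan", "Basic wash"),
    (2, "SUV", "Full detail"),
    (3, "Truck", "Undercarriage"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vehicle_service (id INTEGER PRIMARY KEY, vehicle TEXT, service TEXT)"
    )
    conn.executemany("INSERT INTO vehicle_service VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_vehicle_service_unsafe(conn, vehicle_id):
    """Vulnerable shape: untrusted input is spliced into the SQL text, so a
    tautology in the parameter changes the query's logic."""
    sql = f"SELECT id, vehicle, service FROM vehicle_service WHERE id = '{vehicle_id}'"
    return conn.execute(sql).fetchall()


def validate_id(raw):
    """Allowlist filter: the id must be a plain string of decimal digits."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("vehicle_id must be a positive integer")
    return int(raw)


def get_vehicle_service_parameterized_only(conn, raw_vehicle_id):
    """Parameterized query without type validation: the driver binds the value
    as data, so injection text simply matches no row."""
    return conn.execute(
        "SELECT id, vehicle, service FROM vehicle_service WHERE id = ?",
        (raw_vehicle_id,),
    ).fetchall()


def get_vehicle_service_safe(conn, raw_vehicle_id):
    """Hardened form: validate the type first, then bind the value."""
    vid = validate_id(raw_vehicle_id)
    return conn.execute(
        "SELECT id, vehicle, service FROM vehicle_service WHERE id = ?",
        (vid,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(get_vehicle_service_safe(db, "2"))
    print(len(get_vehicle_service_unsafe(db, "' OR 1=1 --")), "rows from the unsafe form")
    print(get_vehicle_service_parameterized_only(db, "' OR 1=1 --"), "from the bound form")
```

Binding alone already neutralises the injection; the validation step is still worth keeping because it rejects malformed input before it reaches the database at all and gives a clear log line to alert on.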

🔍 How to Verify

Check if Vulnerable:

Test the endpoint /ocwbs/classes/Master.php?f=get_vehicle_service with SQL injection payloads, using a tool such as sqlmap or by manual testing.

Check Version:

Check application version in admin panel or configuration files.

Verify Fix Applied:

Retest the vulnerable endpoint with SQL injection payloads to confirm they are properly rejected or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed parameter manipulation attempts
  • Requests with SQL keywords in parameters

Network Indicators:

  • HTTP requests containing SQL injection patterns to the vulnerable endpoint
  • Unusual database query patterns from application server

SIEM Query:

source="web_server_logs" AND (url="*Master.php?f=get_vehicle_service*" AND (param="*UNION*" OR param="*SELECT*" OR param="*OR 1=1*"))

The field names (source, url, param) are illustrative and must be mapped to your own log schema. Match against URL-decoded parameter values, since a literal wildcard on the raw request line misses payloads that arrive percent-encoded.
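The same detection logic as the SIEM query, applied to raw access-log lines, is shown in the following added example (not part of the advisory). It scopes matches to the get_vehicle_service endpoint named above, decodes percent-encoded parameter values before matching so that encoded and double-encoded payloads are caught, and ignores other endpoints. The log lines are constructed; the parameter names are assumptions.

```python
"""Added example, not part of the advisory: a log scanner that mirrors the
SIEM query (UNION, SELECT, OR 1=1 against Master.php?f=get_vehicle_service)
but decodes URL-encoded parameter values first. Sample log lines are
constructed; the endpoint path comes from the advisory."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET_PATH = "/ocwbs/classes/Master.php"
TARGET_ACTION = "get_vehicle_service"

# Patterns matching the SIEM query's keywords plus the quote-then-comment
# shape typical of injection probes.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b", re.I),
    re.compile(r"\bselect\b", re.I),
    re.compile(r"\bor\s+1\s*=\s*1\b", re.I),
    re.compile(r"'\s*(--|#)"),
]

# Request field of a combined-format access log: "METHOD URL PROTOCOL".
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Repeat percent-decoding until the value stops changing, so that
    double-encoded payloads (e.g. %2527) are seen in their final form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url):
    """Return (name, decoded_value) pairs on the target endpoint that match
    an injection pattern; an empty list for any other endpoint."""
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes once
    if ("f", TARGET_ACTION) not in params:
        return []
    hits = []
    for name, value in params:
        decoded = fully_decode(value)
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Yield (url, hits) for every request line that carries a suspicious parameter."""
    alerts = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("url"))
        if hits:
            alerts.append((m.group("url"), hits))
    return alerts


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2022:12:00:01 +0000] "GET /ocwbs/classes/Master.php?f=get_vehicle_service&id=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jun/2022:12:00:02 +0000] "GET /ocwbs/classes/Master.php?f=get_vehicle_service&id=3%27%20OR%201%3D1--%20 HTTP/1.1" 200 8192',
    '10.0.0.9 - - [10/Jun/2022:12:00:03 +0000] "GET /ocwbs/classes/Master.php?f=get_vehicle_service&id=1%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 500 210',
    '10.0.0.7 - - [10/Jun/2022:12:00:04 +0000] "GET /ocwbs/index.php?page=services&id=1%27%20OR%201%3D1 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for url, hits in scan_log(SAMPLE_LOG):
        print(url, "->", hits)
```

Only the second and third sample lines are reported: the first is a normal lookup, and the fourth targets a different endpoint and so falls outside this query's scope (it would need its own rule). The `\bselect\b` pattern can fire on legitimate text that happens to contain the word, so treat hits as triage candidates and correlate them with the 500 responses and SQL error messages listed under Log Indicators.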
