Baiyi Cloud Asset Management System SQL Injection Vulnerability in Admin Interface
Vulnerability
A critical SQL injection vulnerability has been identified in the Baiyi Cloud Asset Management System in versions prior to 20250204. The flaw is in the '/wuser/admin.house.collect.php' file, where the 'project_id' parameter is passed into a database query and can be manipulated to inject SQL. This lets an attacker bypass the application's access controls and interact directly with the database, potentially reading sensitive information such as database names and table contents. The vulnerability can be exploited remotely without authentication and affects multiple instances of the application.
Impact
The vulnerability is exploitable as a time-based blind SQL injection, allowing attackers to manipulate the database and extract sensitive information. It could also be leveraged to compromise the entire server.
Reproduction
The vulnerability can be reproduced by sending a GET request to '/wuser/admin.house.collect.php' with a crafted 'project_id' parameter containing a SQL injection payload. The injection can be confirmed by observing a delay in the server's response, which indicates that the injected SQL statement was executed. Exploitation can be automated with tools such as sqlmap.
Remediation
Vendors and operators should validate input and use parameterized queries so that 'project_id' is never concatenated into SQL. Deploying a Web Application Firewall (WAF) to block requests carrying SQL injection payloads adds a further layer of defence. Regular security audits and applying the principle of least privilege to the database account used by the application are also advisable.
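As an added illustration of the remediation (this is not the vendor's code, which is PHP): a Python/SQLite stand-in for the 'project_id' lookup, showing the concatenation pattern that causes the flaw next to a validated, parameterized version. The table name, columns and rows are constructed for the demonstration.

```python
import re
import sqlite3


def build_demo_db():
    # Constructed in-memory stand-in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE house_collect "
        "(id INTEGER PRIMARY KEY, project_id INTEGER, address TEXT)"
    )
    conn.executemany(
        "INSERT INTO house_collect (project_id, address) VALUES (?, ?)",
        [(1, "Block A"), (1, "Block B"), (2, "Block C")],
    )
    return conn


def collect_vulnerable(conn, project_id):
    # Hypothetical reproduction of the flaw class: the untrusted parameter is
    # spliced straight into the statement, so attacker-controlled SQL runs.
    sql = f"SELECT address FROM house_collect WHERE project_id = {project_id}"
    return [row[0] for row in conn.execute(sql)]


def collect_hardened(conn, project_id):
    # Hardened version: an allow-list check (project_id must be a plain
    # integer) followed by a parameterized query. The value is bound by the
    # driver and can never change the statement's structure.
    if not re.fullmatch(r"\d{1,10}", str(project_id)):
        raise ValueError("project_id must be a positive integer")
    rows = conn.execute(
        "SELECT address FROM house_collect WHERE project_id = ?",
        (int(project_id),),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_demo_db()
    # A legitimate request returns only the rows of project 1.
    print(collect_hardened(db, "1"))
    # A tampered parameter widens the vulnerable query to every project.
    print(collect_vulnerable(db, "1 OR 1=1"))
```

The hardened function rejects the tampered value outright, and even a value that passes the regex is bound as data rather than interpreted as SQL.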