Hunan Zhonghe Baiyi Information Technology Baiyiyun Asset Management and Operations System SQL Injection Vulnerability
Vulnerability
A critical SQL injection vulnerability has been identified in Hunan Zhonghe Baiyi Information Technology's Baiyiyun Asset Management and Operations System, versions prior to 20250217. The issue resides in an unknown functionality of the file '/wuser/anyUserBoundHouse.php', where the 'huid' argument can be manipulated to execute SQL injection attacks. This vulnerability can be exploited remotely, and details of the exploit have been disclosed publicly.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
The vulnerability can be reproduced by sending a request to the '/wuser/anyUserBoundHouse.php' file with a crafted 'huid' argument that exploits the application's SQL query handling. This can be done manually or automated with a script, after identifying a vulnerable target.
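As an added detection example (not part of this advisory or the vendor's code), the script below scans Common Log Format access-log lines for requests to '/wuser/anyUserBoundHouse.php' whose 'huid' value is not a plain numeric identifier; the assumptions are that 'huid' is normally a decimal integer and that the server writes standard Common Log Format. It decodes the parameter twice so that double-URL-encoded values are not missed, and the sample log lines are constructed for illustration.

```python
"""Flag access-log requests to the vulnerable endpoint whose 'huid' value
does not match the expected identifier format (allowlist check, not a
payload signature list)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_PATH = "/wuser/anyUserBoundHouse.php"
HUID_OK = re.compile(r"^\d{1,10}$")  # assumed legitimate 'huid' format

# Common Log Format: ip ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+'
)


def check_line(line):
    """Return (client_ip, decoded_huid) for a suspicious request to the
    target path, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, uri, _status = m.groups()
    parts = urlsplit(uri)
    if parts.path != TARGET_PATH:
        return None
    # parse_qs already decodes %XX once; unquote() again catches values
    # that were double-encoded to slip past a naive filter.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("huid", []):
        value = unquote(raw)
        if not HUID_OK.match(value):
            return (ip, value)
    return None


def scan(lines):
    """Run check_line over an iterable of log lines and collect the hits."""
    return [hit for hit in (check_line(line) for line in lines) if hit]


# Constructed sample lines (not real traffic): one normal request, one
# single-encoded quote, one double-encoded quote, one unrelated path.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2025:10:00:01 +0800] "GET /wuser/anyUserBoundHouse.php?huid=1024 HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Feb/2025:10:00:07 +0800] "GET /wuser/anyUserBoundHouse.php?huid=1024%27 HTTP/1.1" 500 231',
    '10.0.0.9 - - [17/Feb/2025:10:00:09 +0800] "GET /wuser/anyUserBoundHouse.php?huid=1024%2527 HTTP/1.1" 500 231',
    '10.0.0.5 - - [17/Feb/2025:10:01:00 +0800] "GET /index.php?huid=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"suspicious huid from {ip}: {value!r}")
```

Hits from a real log are a starting point for triage; a 500 response alongside a malformed 'huid' is a stronger signal than a 200, but either should be reviewed.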
