zzskzy Warehouse Refinement Management System SQL Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A critical SQL injection vulnerability has been identified in zzskzy Warehouse Refinement Management System version 1.3. The issue resides in the ProcessRequest function of the /getAdyData.ashx file, where the showid parameter can be manipulated to execute arbitrary SQL commands. This vulnerability can be exploited remotely, potentially leading to unauthorized code execution on the server.
Impact
Successful exploitation gives an attacker SQL injection against the back-end database, which could be used to manipulate or extract sensitive data, or to execute arbitrary code on the server.
Reproduction
To reproduce this vulnerability, send a request to the /getAdyData.ashx endpoint with a crafted showid parameter that includes SQL injection payloads. The lack of input validation in the ProcessRequest function will allow the injected SQL code to be executed, leading to potential database manipulation or code execution.
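The root cause described above is untrusted input reaching SQL text without validation or parameterization. The following ASP.NET handler is an added illustration, not zzskzy's code: the handler class name, connection string, table and column names are assumptions, and it shows the unsafe concatenation pattern next to a hardened ProcessRequest that type-checks showid and binds it as a parameter.

```csharp
// Added illustration (not the vendor's code): hypothetical handler for
// /getAdyData.ashx showing the bug class and the parameterized fix.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class GetAdyDataHandler : IHttpHandler
{
    // Placeholder; the real application supplies its own connection string.
    private const string ConnString = "<connection string placeholder>";

    // UNSAFE pattern: showid is spliced into the SQL text, so any value that
    // breaks out of the string literal rewrites the statement.
    public static string BuildUnsafeQuery(string showid)
    {
        return "SELECT Name, Qty FROM AdyData WHERE ShowId = '" + showid + "'";
    }

    // Hardened handler: reject anything that is not the expected type, then
    // send the value to the database as a bound parameter, never as SQL text.
    public void ProcessRequest(HttpContext context)
    {
        string raw = context.Request["showid"];

        // Assumption: showid is an integer record key in this schema.
        if (!int.TryParse(raw, out int showId))
        {
            context.Response.StatusCode = 400;
            context.Response.Write("invalid showid");
            return;
        }

        const string sql = "SELECT Name, Qty FROM AdyData WHERE ShowId = @showId";
        using (var conn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@showId", SqlDbType.Int).Value = showId;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    context.Response.Write(reader["Name"] + "," + reader["Qty"] + "\n");
            }
        }
    }

    public bool IsReusable { get { return false; } }
}
```

Type validation alone is not the fix; the parameter binding is what keeps data separate from SQL, and the same pattern applies to any other request parameter the handler consumes.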
