Fanwei E-Cology SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Fanwei E-Cology version 8.0 and prior. The issue arises in the getdata.jsp endpoint, where unsanitized user input from the sql parameter is directly injected into a database query. This vulnerability is accessible through the cmd=getSelectAllId workflow in the AjaxManager, allowing unauthenticated attackers to execute arbitrary SQL queries. Exploitation of this vulnerability could lead to the exposure of sensitive information, such as administrator password hashes.

Impact

Exploitation of this vulnerability allows for arbitrary SQL query execution, potentially leading to unauthorized data access, including sensitive information such as administrator password hashes.

Reproduction

To reproduce this vulnerability, send a request to the getdata.jsp endpoint with the cmd parameter set to 'getSelectAllId' and the sql parameter containing the SQL injection payload. The application will execute the injected SQL query and return the results, demonstrating the successful exploitation of the SQL injection vulnerability.