Bian Que Feijiu Intelligent Emergency and Quality Control System SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the Bian Que Feijiu Intelligent Emergency and Quality Control System. This vulnerability is present in the GetLyfsByParams endpoint, accessed through the /AppService/BQMedical/WebServiceForFirstaidApp.asmx interface. The issue arises because the backend does not properly sanitize user input in the strOpid parameter, allowing attackers to inject arbitrary SQL statements. Exploitation of this vulnerability could lead to unauthorized data access, authentication bypass, and potentially remote code execution, depending on the backend configuration. The vulnerability is believed to affect versions released prior to June 2025.
Impact
Exploitation of this vulnerability allows for unauthorized database access and manipulation, potentially leading to the execution of arbitrary code on the server.
Reproduction
To reproduce this vulnerability, send a POST request to the /AppService/BQMedical/WebServiceForFirstaidApp.asmx/GetLyfsByParams endpoint. Include a crafted strOpid parameter that injects SQL code, such as a UNION SELECT statement, to manipulate the SQL query executed by the server. The response can be analyzed to confirm successful exploitation by checking for injected data, such as database version information.
Remediation
Users are advised to upgrade to the latest version of the Bian Que Feijiu Intelligent Emergency and Quality Control System, as the vulnerability has been addressed in versions released after June 2025.
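For readers who maintain similar ASMX services, the following added example (not the vendor's code; the service class, table and column names dbo.Lyfs, Opid and Name, and the connection string are assumptions) contrasts the defect class the advisory describes, string-building the query from strOpid, with the parameterized form that removes it.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;

// Hypothetical ASMX service illustrating the vulnerability class in the advisory.
// Table and column names (dbo.Lyfs, Opid, Name) are placeholders, not the vendor's schema.
[WebService(Namespace = "http://example.invalid/")]
public class WebServiceForFirstaidApp : WebService
{
    // Placeholder connection string; a real deployment reads this from configuration.
    private const string ConnStr = "Server=.;Database=BQMedical;Integrated Security=true";

    // VULNERABLE pattern: strOpid is concatenated into the SQL text. A single quote in the
    // value terminates the string literal, so the caller controls query structure.
    public static string BuildVulnerableQuery(string strOpid)
    {
        return "SELECT Name FROM dbo.Lyfs WHERE Opid = '" + strOpid + "'";
    }

    // HARDENED: the SQL text is constant and strOpid travels as a typed parameter,
    // so quotes or keywords inside it are treated as data, never as query syntax.
    [WebMethod]
    public List<string> GetLyfsByParams(string strOpid)
    {
        var results = new List<string>();
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT Name FROM dbo.Lyfs WHERE Opid = @opid", conn))
        {
            // Length-bounded NVARCHAR parameter; oversized input is truncated rather than
            // reaching the SQL parser as part of the statement text.
            cmd.Parameters.Add("@opid", SqlDbType.NVarChar, 64).Value = strOpid ?? string.Empty;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

Auditing for the vulnerable pattern means searching the service code base for SQL text assembled with `+` or `string.Format` from WebMethod arguments; every such site should be converted to `SqlParameter` usage as above.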
