Jingmen Zeyou Large File Upload Control SQL Injection Vulnerability in index.jsp
Vulnerability
A critical SQL injection vulnerability has been identified in Jingmen Zeyou Large File Upload Control versions through 6.3. The issue resides in an unknown function of the file index.jsp, where the manipulation of the 'id' argument allows for SQL injection. This vulnerability can be exploited remotely, and a public exploit is available. The vendor was notified about this vulnerability but did not respond.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data modification, or in some cases, executing administrative operations on the database. Such vulnerabilities can also be leveraged to execute commands on the server, depending on the application's database interaction.
Reproduction
The vulnerability can be reproduced by sending a GET request to index.jsp with the 'id' parameter. This request should include a valid JSESSIONID cookie. The SQL injection can be exploited using tools like sqlmap, targeting the 'id' parameter to extract database information.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.