Kehua Charging Pile Cloud Platform SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Kehua Charging Pile Cloud Platform version 1.0. This vulnerability resides in the file '/sys/task/findAllTask' and can be exploited remotely to access sensitive server information. The SQL injection occurs because the application improperly handles input, allowing attackers to manipulate SQL queries and potentially access or modify database information.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to '/sys/task/findAllTask' with the appropriate headers and a payload that includes the 'taskNameSelect' parameter. The injection can be performed by crafting the 'taskNameSelect' value to include SQL injection payloads that exploit the application's SQL query handling.