Wanzhou WOES Intelligent Optimization Energy Saving System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Wanzhou WOES Intelligent Optimization Energy Saving System version 1.0. The issue arises in the Historical Data Query Module, specifically within the GetVariableByOneIDNew interface. The vulnerability allows remote attackers to manipulate the ObjectID parameter, leading to unauthorized database access. Exploitation of this vulnerability is publicly known and has been demonstrated.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a request to the GetVariableByOneIDNew interface with a crafted ObjectID parameter. The injection point can be exploited by appending SQL injection payloads that manipulate the SQL query execution, such as bypassing authentication or extracting sensitive data from the database.