Wanzhou WOES Intelligent Optimization Energy Saving System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Wanzhou WOES Intelligent Optimization Energy Saving System version 1.0. The issue arises in the Environmental Real-Time Data Module, specifically within the GetAreaTrendChartData interface. The vulnerability is triggered by manipulating the energyId parameter, allowing remote attackers to inject malicious SQL code that could be executed by the application's database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a request to the GetAreaTrendChartData interface with a crafted energyId parameter. The injection point can be exploited by appending SQL injection payloads that manipulate the application's SQL query execution. For example, injecting SQL code that alters the query's logic or retrieves sensitive database information.