Wanzhou WOES Intelligent Optimization Energy Saving System SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in Wanzhou WOES Intelligent Optimization Energy Saving System version 1.0. The issue arises in the Analysis Conclusion Query Module, specifically within the GetAlarmResultProcessList interface. The vulnerability is triggered by manipulating the resultId parameter, which allows for unauthorized database access. This SQL injection can be exploited remotely, potentially leading to the extraction of sensitive information from the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a request to the GetAlarmResultProcessList interface with a crafted resultId parameter. The injection point can be exploited by appending SQL injection payloads that manipulate the SQL query execution, such as bypassing authentication or extracting database information.