Bjskzy Zhiyou ERP SQL Injection Vulnerability in Workflow Service Component

Vulnerability

A SQL injection vulnerability has been identified in Bjskzy Zhiyou ERP versions through 11.0. The issue resides in the 'getFieldValue' function of the 'com.artery.workflow.ServiceImpl' component: manipulating its 'sql' parameter results in SQL injection. The vulnerability can be exploited remotely, and a public exploit is available. The vendor was notified about this issue but did not respond.

Impact

Exploitation of this vulnerability allows an attacker to manipulate the SQL queries sent to the database. This could lead to unauthorized data access, data manipulation, or in some cases, execution of administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the 'sqlresult' interface of the Bjskzy Zhiyou ERP system with a crafted 'sql' parameter containing injected SQL, which the database then executes. The request can be sent remotely, and the availability of a public exploit suggests that the vulnerability can be easily exploited.
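For defenders, one way to look for this request pattern in web access logs is sketched below. It is an added example, not part of the advisory or the vendor's code: the function name, the "/PLACEHOLDER" URL prefix and the log lines are constructed, since the advisory names only the 'sqlresult' interface and the 'sql' parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format. "/PLACEHOLDER" stands in
# for the real URL prefix, which the advisory does not give.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Aug/2025:15:01:02 +0000] "GET /PLACEHOLDER/sqlresult?sql=select%201 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [24/Aug/2025:15:02:10 +0000] "GET /PLACEHOLDER/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Aug/2025:15:02:11 +0000] "POST /PLACEHOLDER/sqlresult HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Aug/2025:15:03:40 +0000] "GET /PLACEHOLDER/SqlResult?SQL=select%20name%20from%20t HTTP/1.1" 500 0 "-" "curl/8.0"
"""

# client IP, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_sqlresult_requests(log_text, trusted=frozenset()):
    """Return one record per request to the 'sqlresult' interface from an
    address that is not in `trusted` (hypothetical allow-list of internal hosts)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        # Case-insensitive match: a deliberate superset of the real endpoint name.
        if "sqlresult" not in parts.path.lower() or ip in trusted:
            continue
        params = {k.lower(): v for k, v in
                  parse_qs(parts.query, keep_blank_values=True).items()}
        sql = params.get("sql", [None])[0]  # percent-decoded by parse_qs
        hits.append({
            "ip": ip, "time": ts, "method": method, "path": parts.path,
            "status": int(status), "sql": sql,
            # Request bodies are not in access logs, so a hit without a query
            # string value still needs review (WAF or application logs).
            "reason": "sql parameter in URL" if sql is not None
                      else "sqlresult request, parameter not visible in log",
        })
    return hits

if __name__ == "__main__":
    for hit in find_sqlresult_requests(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["method"], hit["status"],
              hit["reason"], repr(hit["sql"]))
```

Every record it returns is a lead for review rather than proof of exploitation; the logged 'sql' value and response status help prioritise which ones to examine first.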

Added: Aug 24, 2025, 3:18 PM
Updated: Aug 24, 2025, 3:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.